Debian has released a critical security update for Debian 13 Trixie and older versions to resolve the Copy Fail (CVE-2026-31431) vulnerability. This flaw is a straight-line logic bug in the Linux kernel that allows any local user to gain 100% reliable root privileges.
Copy Fail Fix is Released for Debian Users
The Copy Fail fix is officially available in the Debian [security] repository. Users should ensure their systems are updated to the following version or higher:
Debian Sid, Forky, Debian 13 Trixie, and Debian 12 Bookworm are all patched. Debian 11 Bullseye requires installing the linux-6.1 package to be patched.
- Debian Sid: Patched (7.0.9-1)
- Debian Forky: Patched (7.0.9-1)
- Debian 13 Trixie: Patched (6.12.86-1 standard, 6.12.90-1 security)
- Debian 12 Bookworm: Patched (6.1.170-3 standard, 6.1.172-1 security)
- Debian 11 Bullseye: Default 5.10 kernel is still vulnerable. Fixed via the alternative linux-6.1 package (6.1.172-1~deb11u1)
Including the security repository in your sources.list is important for receiving these critical fixes immediately.
Debian derivatives such as the latest MX Linux, which is based on Debian 13, are also patched. Other derivatives based on patched Debian versions may also be patched, but verify each distribution independently.
You can track the Copy Fail patch status for Debian in the following link:
Why Copy Fail Patch is Mandatory
For those unaware, Copy Fail is uniquely dangerous because it is not a race condition; it is a deterministic error that works every time it is executed.
How it works
The bug chains the kernel's crypto interface (AF_ALG) and the splice() system call to trigger a 4-byte write into the shared page cache.
The Impact
An attacker can use a tiny 732-byte Python script to corrupt the in-memory version of a setuid binary like /usr/bin/su. By changing just 4 bytes, they can force the system to grant them a root shell.
Stealth
Because the corruption happens in the page cache (RAM) and not on the physical disk, standard file integrity tools will not detect the change.
Technical Fix
The official patch (mainline commit a664bf3d603d) resolves the issue by reverting a 2017 performance optimization. This optimization mistakenly allowed the kernel to perform "in-place" crypto operations on read-only file references.
The update ensures the kernel operates "out-of-place", preventing the crypto subsystem from ever having write access to the page cache of system files.
Update Your Debian 13 Trixie Systems Today
Update your kernel:
If you're a Debian Trixie user, update your system using the following command:
sudo apt update && sudo apt upgrade
Reboot to ensure you are running version 6.12.85-1 or later.
Verify the fix:
You can check your current kernel version by running:
uname -v
Temporary Mitigation:
If you cannot update immediately, you can block the exploit by disabling the algif_aead module with the following commands:
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead
Disabling this module generally has no impact on standard services like SSH, web servers, or disk encryption.
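The version check and the mitigation check described above can be combined into one audit. The script below is an added example, not part of the original article: the function names are hypothetical, and the sample `uname -v` string in the comment is constructed.

```sh
#!/bin/sh
# Added example (not from the original article). Inputs are passed as text so
# the logic can be exercised on captured output as well as on a live host.

# Pull the Debian kernel package version out of `uname -v` output, e.g.
# "#1 SMP PREEMPT_DYNAMIC Debian 6.12.86-1 (2026-05-10)" -> 6.12.86-1
# (sample string constructed for illustration)
kernel_pkg_version() {
    printf '%s\n' "$1" | sed -n 's/.* Debian \([^ ]*\).*/\1/p'
}

# Succeed if version $1 >= $2. Prefers dpkg's comparison; falls back to sort -V.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Succeed only if the modprobe config text ($1) carries the blocking rule AND
# the /proc/modules text ($2) shows algif_aead is not currently loaded.
mitigation_active() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false' || return 1
    ! printf '%s\n' "$2" | grep -q '^algif_aead '
}

# $1 = `uname -v` text, $2 = first fixed version for the suite,
# $3 = modprobe config text, $4 = /proc/modules text
copyfail_status() {
    ver=$(kernel_pkg_version "$1")
    if [ -n "$ver" ] && version_ge "$ver" "$2"; then
        echo patched
    elif mitigation_active "$3" "$4"; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Live use on Trixie (fixed version taken from the list in this article):
#   copyfail_status "$(uname -v)" 6.12.86-1 \
#       "$(cat /etc/modprobe.d/*.conf 2>/dev/null)" "$(cat /proc/modules)"
```

`uname -v` describes the running kernel, so a host that has installed the update but not rebooted still reports the old version and is classified accordingly.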
Enable [Security] Repository in Debian 13
The [security] repository is enabled by default in Debian Trixie.
Debian 13 (Trixie) has moved the sources configuration from /etc/apt/sources.list to a new file at /etc/apt/sources.list.d/debian.sources. You can read more about it in the link below:
The standard debian.sources file includes both the main repository and the security repository out of the box. It looks like this:
Types: deb deb-src
URIs: https://deb.debian.org/debian
Suites: trixie trixie-updates
Components: main non-free-firmware
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb deb-src
URIs: https://security.debian.org/debian-security
Suites: trixie-security
Components: main non-free-firmware
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
The security repository points to https://security.debian.org/debian-security with the suite set to trixie-security, and it is set to Enabled: yes by default.
So you don't need to manually add or enable the security repository after a fresh Trixie install.
1 comment
Thanks for informing. Thank God the issue is resolved. Sadly, the Debian team has gone to wokestodon, so I cannot read the news in time.