Quick Summary
- The Docker team has released a mitigation for the Copy Fail (CVE-2026-31431) vulnerability.
- To protect against Copy Fail, upgrade to Docker Engine v29.4.3 or later.
- The patched version adds a defense-in-depth layer using AppArmor and SELinux to block the creation of AF_ALG sockets, the specific syscall surface the exploit requires.
Introduction
If you use Linux, you have probably heard about a serious security bug called Copy Fail (CVE-2026-31431) that recently hit many Linux systems. This flaw affects almost every Linux system built since 2017.
Since Docker containers share the host's Linux kernel, this bug puts your containers at risk. Fortunately, the Docker team has released a mitigation for the Copy Fail vulnerability.
What is the Copy Fail Bug?
Copy Fail (CVE-2026-31431) is a high-severity Linux kernel logic flaw that allows an unprivileged local user to gain root access or escape containers by writing four controlled bytes into the system's page cache.
To put this in layman's terms, Copy Fail is a mistake in how Linux handles the arithmetic for encrypted data. A regular user can exploit this logic error to write data into the page cache. Since the page cache stores copies of files in memory, an attacker can "change" files without actually touching the disk.
For example, a hacker could change a system file to grant themselves "root" powers. In a Docker environment, a single compromised container could potentially attack the entire host or other containers.
Discovered by researchers at Xint Code, the Copy Fail vulnerability exploits the kernel's crypto subsystem and affects nearly every mainstream Linux distribution released since 2017.
A surprising detail about Copy Fail is its stealth. It is totally invisible to forensic disk analysis. Because the malicious write bypasses the standard Virtual File System (VFS) path, the corrupted data exists only in RAM and never hits the physical disk.
Consequently, a forensic image of the disk will show the original clean file, and the corruption disappears entirely without leaving a trace once the system reboots or the page cache is evicted.
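Because the tampered bytes live only in the page cache while the on-disk copy stays clean, the two copies of a file can be compared directly. The following script is an added example (not part of the original post) that hashes a file through the normal read path and again with O_DIRECT, which bypasses the page cache, and flags any difference. It assumes GNU coreutils (dd with iflag=direct, sha256sum) and a filesystem that supports O_DIRECT such as ext4 or xfs; on filesystems that reject it (tmpfs, some overlay setups) the check reports "unsupported" rather than a false mismatch.

```shell
#!/bin/sh
# Added example: detect page-cache-only file modification by comparing the
# cached view of a file with the bytes read straight from disk.
# Assumptions: GNU coreutils; filesystem supports O_DIRECT reads.

# cached_sha256 FILE : hash the file as the page cache serves it
cached_sha256() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# direct_sha256 FILE : hash the file bypassing the page cache (O_DIRECT).
# A page-cache-only modification is not marked dirty, so nothing is written
# back and this read still returns the original on-disk content.
# Returns 1 (prints nothing) if the filesystem rejects O_DIRECT.
direct_sha256() {
    tmp=$(mktemp) || return 1
    if dd if="$1" of="$tmp" bs=4096 iflag=direct status=none 2>/dev/null; then
        sha256sum -- "$tmp" | cut -d' ' -f1
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# page_cache_check FILE : prints "match", "MISMATCH", "unsupported" or "missing"
# exit status: 0 match, 1 mismatch, 2 could not check
page_cache_check() {
    [ -f "$1" ] || { echo "missing"; return 2; }
    c=$(cached_sha256 "$1")
    d=$(direct_sha256 "$1") || { echo "unsupported"; return 2; }
    if [ "$c" = "$d" ]; then
        echo "match"
        return 0
    fi
    echo "MISMATCH"
    return 1
}

# Usage: sh pagecache-check.sh FILE... (one result line per file)
for f in "$@"; do
    printf '%s\t%s\n' "$(page_cache_check "$f")" "$f"
done
```

A MISMATCH on a file nobody has legitimately written since it was last read from disk is the signature described above: the cached content differs from what a disk image would show. Treat "unsupported" as no information, and cross-check suspicious results with your package manager's verification (rpm -V or debsums), which also reads through the page cache and therefore can be fooled on its own.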
How Docker Protects You
The exploit relies on a specific type of connection called an AF_ALG socket. To stop the attack, Docker needed to block containers from creating these connections.
The First Attempt (v29.4.2)
Initially, Docker tried to block these sockets using seccomp. However, that version also blocked the older socketcall system call. While this stopped the bug, it accidentally broke networking for 32-bit apps, Go programs, and legacy games.
The Better Fix (v29.4.3)
Docker Engine v29.4.3 fixes these issues. Instead of blocking too much at the syscall level, it uses AppArmor and SELinux rules that specifically stop AF_ALG socket creation inside containers without breaking your 32-bit apps.
Steps to Apply Copy Fail Mitigation for Docker
To protect your Docker containers from the Copy Fail exploit, follow these steps:
1. Update Your Linux Kernel
This is the only way to fix the root cause of the bug. Check your Linux distribution for the latest security patches.
Popular Linux distributions have already released patches to fix the Copy Fail vulnerability. To apply the fixes, you simply need to update your system and reboot.
Ubuntu / Debian
sudo apt update && sudo apt full-upgrade -y
sudo reboot
Fedora
sudo dnf upgrade --refresh -y
sudo reboot
RHEL / AlmaLinux / Rocky Linux
sudo dnf update -y
sudo reboot
CentOS Stream
sudo dnf upgrade -y
sudo reboot
Arch Linux
sudo pacman -Syu
sudo reboot
openSUSE
sudo zypper refresh
sudo zypper update -y
sudo reboot
Alpine Linux
sudo apk update
sudo apk upgrade
sudo reboot
2. Upgrade Docker Engine
If you cannot immediately patch your kernel, Docker has released a mitigation in Docker Engine v29.4.3 and later. After upgrading, confirm the installed version with docker version:
$ sudo docker version
[sudo: authenticate] Password:
Client: Docker Engine - Community
Version: 29.5.2
API version: 1.54
Go version: go1.26.3
Git commit: 79eb04c
Built: Wed May 20 14:38:06 2026
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 29.5.2
API version: 1.54 (minimum version 1.40)
Go version: go1.26.3
Git commit: 568f755
Built: Wed May 20 14:38:06 2026
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v2.2.4
GitCommit: 193637f7ee8ae5f5aa5248f49e7baa3e6164966e
runc:
Version: 1.3.5
GitCommit: v1.3.5-0-g488fc13e
docker-init:
Version: 0.19.0
GitCommit: de40ad0
This provides a vital layer of defense even if you cannot restart your whole server yet.
However, updating the Linux kernel and rebooting the system is still strongly recommended.
3. Blacklist Modules
If you cannot update your system immediately, you can manually disable the affected part of the kernel. You can do this by adding the line blacklist af_alg to your system's module (modprobe) configuration.
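The three steps above can be audited in one place. The following script is an added example (not part of the original post or Docker's own tooling) that reports the Docker Engine version against the 29.4.3 threshold, whether af_alg is blacklisted in the modprobe configuration, whether the module is currently loaded, and the running kernel version. It assumes the docker CLI is on PATH, that modprobe drop-ins live under /etc/modprobe.d, and GNU sort (for -V version ordering); the fixed kernel version is not stated on this page, so the script prints the running kernel for you to compare with your distribution's advisory.

```shell
#!/bin/sh
# Added example: audit a Docker host against the Copy Fail mitigation steps.
# Assumptions: docker CLI available, drop-ins in /etc/modprobe.d, GNU sort -V.

# version_ge A B : succeed when dotted version A is >= B
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# docker_engine_mitigated : 0 if the server is >= 29.4.3 (the release that
# ships the AppArmor/SELinux AF_ALG rules), 1 if older, 2 if docker cannot be queried
docker_engine_mitigated() {
    v=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || return 2
    [ -n "$v" ] || return 2
    version_ge "$v" 29.4.3
}

# af_alg_blocked_in_modprobe [DIR] : 0 when a drop-in in DIR (default
# /etc/modprobe.d) blacklists af_alg or overrides its install command
af_alg_blocked_in_modprobe() {
    dir=${1:-/etc/modprobe.d}
    grep -qsE '^[[:space:]]*(blacklist|install)[[:space:]]+af_alg([[:space:]]|$)' "$dir"/*.conf
}

# af_alg_loaded : 0 when af_alg is currently loaded as a module
# (a kernel with af_alg built in never lists it here, and a blacklist does
# nothing in that case; only the kernel update helps)
af_alg_loaded() {
    grep -q '^af_alg ' /proc/modules 2>/dev/null
}

# report : one line per check, suitable for a cron job or CI health check
report() {
    rc=0; docker_engine_mitigated || rc=$?
    case $rc in
        0) echo "docker engine : mitigated (server >= 29.4.3)" ;;
        2) echo "docker engine : cannot query docker (CLI missing or daemon down)" ;;
        *) echo "docker engine : server older than 29.4.3, upgrade" ;;
    esac
    if af_alg_blocked_in_modprobe; then
        echo "af_alg module : blacklisted in /etc/modprobe.d"
    else
        echo "af_alg module : no blacklist entry in /etc/modprobe.d"
    fi
    if af_alg_loaded; then
        echo "af_alg module : currently loaded (a blacklist only applies to the next load)"
    else
        echo "af_alg module : not loaded"
    fi
    echo "running kernel: $(uname -r) (compare with your distribution's advisory for CVE-2026-31431)"
}

report
```

Two caveats worth knowing when reading the output: a blacklist entry stops the alias-based autoload that socket creation triggers, but root can still load the module explicitly, and an install af_alg /bin/false line closes that path as well; and if af_alg is already loaded, the blacklist takes effect only after the module is unloaded or the host is rebooted, which is one more reason the kernel update remains the real fix.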
Final Thoughts
Well, there is now a mitigation available for Docker to help protect against the Copy Fail (CVE-2026-31431) vulnerability. If you cannot immediately patch your host kernel, upgrade to Docker Engine v29.4.3 or later.
However, it is still strongly recommended that you update your host kernel and reboot your system. By updating both your kernel and Docker Engine, you can protect your systems from several critical local privilege escalation (LPE) vulnerabilities.
Related Read:
- Debian 13 Trixie Just Patched Copy Fail (CVE-2026-31431) Vulnerability
- How to Fix Copy Fail (CVE-2026-31431) Vulnerability on Ubuntu and Linux Mint
- AlmaLinux Patched Copy Fail (CVE-2026-31431) Ahead of Upstream
- Fedora 44 Gets Kernel 7.0.4: Dirty Frag and Copy Fail 2 Fixed
- Fragnesia: The “Copy Fail 3.0” Exploit Granting 100% Linux Root
- Linus Torvalds Just Patched a Major Linux “File Descriptor Theft” Vulnerability
