
How to Fix Copy Fail (CVE-2026-31431) Vulnerability on Ubuntu and Linux Mint

By sk

Quick Summary

Copy Fail (CVE-2026-31431) is a Linux kernel local privilege escalation vulnerability that lets any unprivileged local user gain root access on virtually every Linux distribution built since 2017. It carries a CVSS score of 7.8 (HIGH).

Ubuntu has released a mitigation through the kmod package that blocks the vulnerable algif_aead module.

To fix it on Ubuntu and its derivatives like Linux Mint, do the following:

  1. Run sudo apt update && sudo apt upgrade
  2. Reboot your system
  3. Confirm your kmod version matches the fixed version for your release
  4. Verify the vulnerable module is not loaded

Copy Fail (CVE-2026-31431): A Linux Kernel Bug Nine Years in the Making

On April 29, 2026, security researchers at Theori and Xint Code publicly disclosed CVE-2026-31431, a Linux kernel privilege escalation vulnerability they named Copy Fail.

Any unprivileged local user can run a 732-byte Python script to gain full root access on virtually every major Linux distribution built since 2017. That includes Debian, Ubuntu, Linux Mint, Amazon Linux, Red Hat, and SUSE.

This guide explains what Copy Fail is and which systems it affects and, most importantly, shows how to apply the Ubuntu kmod security mitigation to your Ubuntu or Linux Mint system to fix the Copy Fail vulnerability right now.

What Exactly Is Copy Fail and How Does the Linux Kernel Exploit Work?

Copy Fail is not a remote exploit. Someone cannot attack your machine simply because they know you run Linux Mint. They need local access first, meaning they either have a shell on your machine or they trick you into running malicious code.

That said, once they have that foothold, Copy Fail turns a regular user account into a root account in seconds.

So, what is happening under the hood?

The bug lives inside the Linux kernel's crypto subsystem, specifically in a component called authencesn. Back in 2017, a developer introduced a performance optimization (commit 72548b093ee3) that switched AEAD (Authenticated Encryption with Associated Data) operations to run "in-place." It was a useful performance win at the time. Unfortunately, it introduced a subtle logic flaw that quietly sat in virtually every Linux kernel for nearly a decade.

When the kernel handles a cryptographic operation through the algif_aead module and the AF_ALG socket interface, it accidentally lets a write slip into the page cache.

The page cache is where the kernel stores in-memory copies of files. By targeting a privileged binary like /usr/bin/su, an attacker can silently modify it in memory without ever touching the file on disk.

Once the binary is patched in memory, the attacker runs it. Root access achieved. Because the modification exists only in the page cache, standard file integrity tools that compare on-disk checksums miss it entirely.

What makes Copy Fail different from similar past bugs like Dirty Pipe (CVE-2022-0847) is how reliable and portable it is. There are no race conditions to win. There is no per-distribution tuning needed.

The same 732-byte script works across every tested distribution and architecture, without modification, requiring only Python 3.10+.

CVSS Score: 7.8 (HIGH). Assigned by NVD. Reflects high impact to confidentiality, integrity, and availability.

Which Linux Versions Are Affected?

The short answer: nearly every major Linux distribution is affected by the Copy Fail vulnerability.

The Linux kernel privilege escalation flaw affects any kernel from version 4.14 onward, i.e. every kernel built since mid-2017.

In the Ubuntu family, the only release that is fully safe is Ubuntu 26.04 LTS (Resolute), which ships with a kernel that already includes the upstream fix.

If you run any of the following, you need to act now:

| Distribution | Ubuntu Base | Status |
|---|---|---|
| Linux Mint 21.x | Ubuntu 22.04 LTS (Jammy) | Affected |
| Linux Mint 22.x | Ubuntu 24.04 LTS (Noble) | Affected |
| Ubuntu 22.04 LTS | - | Affected |
| Ubuntu 24.04 LTS | - | Affected |
| Ubuntu 25.10 (Questing) | - | Affected |
| Ubuntu 26.04 LTS (Resolute) | - | Not affected |

The higher-risk environments are multi-user systems, shared servers, container clusters, and CI/CD pipelines - anywhere untrusted code might run. But even a personal desktop is not immune if someone tricks you into running a malicious script.

Containers note:

Because the kernel's page cache is shared across all containers on a host, Copy Fail also functions as a container escape mechanism.

How to Fix Copy Fail (CVE-2026-31431) in Ubuntu and Its Derivatives

Ubuntu is handling this in two stages. First, a temporary mitigation through the kmod package (available right now). Second, a full kernel patch that is currently rolling out across all supported releases. Let us cover both.

Stage 1: Apply the kmod Security Update (Available Now)

Ubuntu's security team released an update to the kmod package that blocks the algif_aead kernel module from loading. Since the exploit depends entirely on this module being accessible, blocking it closes the attack surface immediately.

Please note that this is not a permanent fix. It is a robust mitigation that holds until patched kernels arrive.

Here are the exact kmod versions that contain the mitigation, per Ubuntu Security Notice USN-8226-1:

| Ubuntu Release | Fixed kmod Version |
|---|---|
| 22.04 LTS (Jammy) | 29-1ubuntu1.1 |
| 24.04 LTS (Noble) | 31+20240202-2ubuntu7.2 |
| 25.10 (Questing) | 34.2-2ubuntu1.1 |

Linux Mint 22.x users should target the Noble version, since Mint 22 is based on Ubuntu 24.04.

Stage 2: Full Kernel Patch (Rolling Out Now)

The upstream fix for this Linux kernel privilege escalation flaw was committed on April 1, 2026 (mainline commit a664bf3d603d), which reverts the 2017 in-place optimization that introduced the bug.

Distribution-specific kernel packages are currently rolling out across all supported Ubuntu releases. Running sudo apt upgrade regularly will pick up the patched kernel automatically once it lands for your base.

How to Apply the Copy Fail (CVE-2026-31431) Mitigation on Ubuntu

Follow these four steps in order. The whole process takes about five minutes plus a reboot.

Step 1: Update Your System

Open a terminal and run:

sudo apt update
sudo apt upgrade
sudo reboot

This pulls in the latest packages, including the updated kmod mitigation. After you reboot, the module block takes effect automatically.

Prefer a targeted update? If you are worried about a specific update affecting something (like a Wi-Fi driver), you can upgrade only the kmod package. Replace sudo apt upgrade with sudo apt install --only-upgrade kmod, then reboot.

Step 2: Confirm the kmod Version

After rebooting, check which version of kmod is installed:

dpkg -l kmod

Compare the version in the output to the table above. If your version matches or exceeds the fixed version for your Ubuntu base, the mitigation package is in place.

Step 3: Verify the Vulnerable Module Is Not Loaded

Next, confirm that the algif_aead module is not active:

grep -qE '^algif_aead ' /proc/modules && echo "Affected module is loaded" || echo "Affected module is NOT loaded"

If you get "Affected module is NOT loaded", you are protected. The mitigation is working.

If you see "Affected module is loaded", something went wrong. Double-check that the kmod update applied correctly and that you fully rebooted after installing it.

Step 4: Manual Fallback (If You Cannot Update Right Now)

If you cannot run package updates immediately, you can manually block the module with one command:

echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/manual-disable-algif_aead.conf

Then reboot. This does exactly the same thing the kmod update does automatically. It creates a modprobe rule that prevents algif_aead from loading at boot.
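
Steps 3 and 4 as one check, written for this guide as an added example (not from Ubuntu's advisory or the original article): a module that is absent from /proc/modules can still be loaded on demand unless a modprobe install rule blocks it, so the script reports loaded, blocked, or loadable. The function names are hypothetical, and it assumes the blocking rule runs /bin/false or /bin/true, as in the manual fallback above.

```shell
#!/bin/sh
# Added example: classify the algif_aead state from the loaded-module list
# and the modprobe rule files. Function names are hypothetical.

# Standard modprobe.d search locations (see modprobe.d(5)).
MODPROBE_DIRS="/etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d"

# module_loaded FILE: true if algif_aead is listed in a /proc/modules-style file.
module_loaded() {
    grep -qE '^algif_aead ' "$1" 2>/dev/null
}

# module_blocked DIR...: true if any *.conf file in the given directories has an
# active (uncommented) "install algif_aead /bin/false" style rule.
# Assumption: the rule's command is false or true, as in the manual fallback.
module_blocked() {
    for dir in "$@"; do
        for conf in "$dir"/*.conf; do
            [ -f "$conf" ] || continue   # unmatched glob or missing directory
            if grep -qE '^[[:space:]]*install[[:space:]]+algif[_-]aead[[:space:]]+(/usr)?/bin/(false|true)' "$conf"; then
                return 0
            fi
        done
    done
    return 1
}

# copyfail_status FILE DIR...: prints one of
#   loaded   - module is active now; update or add the rule, then reboot
#   blocked  - not loaded, and a modprobe rule prevents loading
#   loadable - not loaded, but nothing prevents it from being loaded
copyfail_status() {
    proc_modules=$1
    shift
    if module_loaded "$proc_modules"; then
        echo loaded
    elif module_blocked "$@"; then
        echo blocked
    else
        echo loadable
    fi
}

# Word splitting of MODPROBE_DIRS into separate directory arguments is intended.
echo "algif_aead: $(copyfail_status /proc/modules $MODPROBE_DIRS)"
```

A result of loadable means neither the kmod update nor the manual rule is in effect yet.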

Having a New Kernel Alone Does Not Prove You Are Safe

Just because your kernel version is 6.x does not mean you are safe. Your kernel version tells you nothing about whether the algif_aead mitigation has been applied. A 6.x kernel is still vulnerable if the kmod security update has not landed and the module remains loadable.

The only two reliable safety checks are the kmod version comparison and the /proc/modules command above. Use those, not uname -r.

Does Blocking algif_aead Break Encryption, SSH, or VPNs?

No. For the overwhelming majority of users, blocking algif_aead has zero practical impact.

Ubuntu's official security advisory explicitly confirms the mitigation does not affect any of the following:

| Component | Impact |
|---|---|
| dm-crypt / LUKS (full-disk encryption) | None |
| SSH | None |
| OpenSSL, GnuTLS, NSS | None |
| IPsec / XFRM (VPN tunnels) | None |
| kTLS (kernel TLS) | None |

The only applications that could notice a difference are those explicitly configured to use the afalg engine or that bind directly to AEAD, skcipher, or hash AF_ALG sockets. These are uncommon in typical desktop or standard server workloads.

To check whether any process on your system currently uses AF_ALG, run:

lsof | grep AF_ALG

If that command returns nothing, you can safely apply the mitigation without disrupting any running application.

Warning: Do Not Run Random Scripts From GitHub

Because Copy Fail is now fully public, proof-of-concept exploit code circulates on GitHub. You may stumble across posts on Reddit or security forums sharing "Copy Fail test scripts" that claim to check whether your system is vulnerable.

Do not run them. The exploit is a tiny, standard Python script. A malicious actor can disguise it as a diagnostic tool with minimal effort. Unless you can read and fully understand every line of a script, treat it as unsafe.

The correct approach is simple: update through your official Ubuntu or Linux Mint repositories, reboot, and run the /proc/modules verification command. That is everything you need.

Frequently Asked Questions About CVE-2026-31431 (Copy Fail)

Q: What is Copy Fail (CVE-2026-31431)?

A: CVE-2026-31431 (Copy Fail) is a local privilege escalation vulnerability in the Linux kernel's authencesn cryptographic template. It lets any unprivileged local user gain root access using a 732-byte Python script. It affects virtually all Linux kernels built since 2017 and carries a CVSS score of 7.8 (HIGH).

Q: Is Copy Fail a remote exploit? Can someone hack me over the internet?

A: No. Copy Fail is a local privilege escalation bug, not a remote exploit. An attacker must already have a local user account or trick you into running malicious code. Knowing that you run Ubuntu or Linux Mint is not enough to exploit it remotely.

Q: How do I fix CVE-2026-31431 on Ubuntu 24.04 LTS?

A: Run sudo apt update && sudo apt upgrade, then reboot. After rebooting, confirm that kmod version 31+20240202-2ubuntu7.2 or higher is installed. Then run the /proc/modules check to verify the algif_aead module is not loaded.

Q: Does the kmod mitigation break SSH, LUKS, or OpenSSL?

A: No. Ubuntu's official advisory confirms the mitigation does not affect SSH, dm-crypt/LUKS, OpenSSL, GnuTLS, NSS, IPsec/XFRM, or kTLS. Only applications explicitly configured to use the afalg engine or that bind AF_ALG sockets directly may be impacted.

Q: Is Linux Mint affected by Copy Fail?

A: Yes. Linux Mint 21.x (Ubuntu 22.04 base) and Mint 22.x (Ubuntu 24.04 base) are both affected. Apply the same kmod update as the corresponding Ubuntu base release and reboot to apply the mitigation.

Q: Will a full system reboot definitely apply the mitigation?

A: Yes. Ubuntu's advisory confirms that rebooting after the kmod update is sufficient to ensure the mitigation is active, regardless of the previous state of the module on your system.

Summary: CVE-2026-31431 Mitigation Checklist

Here is everything in one quick reference:

  • Run sudo apt update && sudo apt upgrade, then reboot.
  • Or, for a targeted fix: sudo apt install --only-upgrade kmod, then reboot.
  • Verify kmod version with dpkg -l kmod (compare to the table above).
  • Confirm module is blocked using command: grep -qE '^algif_aead ' /proc/modules && echo "Affected module is loaded" || echo "Affected module is NOT loaded"
  • If you cannot update: create /etc/modprobe.d/manual-disable-algif_aead.conf manually, then reboot.
  • Do not rely on uname -r alone as a safety check.
  • Do not run unverified PoC scripts from third-party sources.

Conclusion

Copy Fail is a genuinely significant Linux kernel privilege escalation vulnerability. A nearly decade-old optimization, a 732-byte script, and nine years of undetected exposure — it is a reminder of how subtle and durable logic bugs in critical subsystems can be.

Luckily, a Copy Fail fix is available for Ubuntu and its derivatives. All you have to do is apply the kmod security update and reboot.

Update your Ubuntu, Linux Mint, and derivative systems as soon as possible.
