- Last update: 30/04/2026
- Affected software:
→ Linux Kernel
- Type: Privilege escalation
- CVE/CVSS
→ CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
https://xint.io/blog/copy-fail-linux-distributions
CVE-2026-31431 is a critical Linux kernel vulnerability that allows an unprivileged local user to gain root privileges by modifying the in-memory page cache of files. The attack leaves no trace on disk, making it difficult to detect with standard integrity checks.
The issue affects most major Linux distributions (Ubuntu, RHEL, Amazon Linux, SUSE) on kernels from roughly the past several years. Exploitation is very easy and reliable, with a small public proof-of-concept. The exploit is only a few hundred bytes of Python, and no race conditions or special setup are necessary. Given this, widespread exploitation is realistic.
Beyond local privilege escalation, the bug can also enable container escape, since the page cache is shared across containers.
The recommended fix is to patch the kernel.
In practice, an attacker can target a privileged program (such as a setuid binary) and inject malicious instructions into its in-memory version. When the program is executed, the system runs the attacker’s code with root privileges.
This attack is particularly dangerous because it is reliable and does not depend on timing or race conditions, allowing it to succeed consistently. It is also highly portable, with the same exploit working across multiple Linux distributions without modification. Because the manipulation occurs only in memory and does not alter files on disk, it is inherently stealthy and difficult to detect using traditional integrity or forensic tools. In addition, the barrier to exploitation is low, requiring only local access and relatively simple scripting.
As a result, standard security controls may fail to detect compromise, especially in environments with untrusted users or workloads, such as shared systems and containerized platforms.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
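The following commands prevent the algif_aead kernel module from being loaded and unload it if it is currently loaded:
    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
    rmmod algif_aead 2>/dev/null
Monitor/Detect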
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
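The rmmod command in the Patch section discards its errors, so a host can still have algif_aead loaded after the commands have run. The following added example, which is not part of the CCB advisory, reports the module's actual state; the function name, the status words and the choice to inspect a single modprobe directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the algif_aead
# module is blocked, loadable, loaded, or built into the kernel.
# Usage: check_algif_aead [MODPROBE_DIR] [PROC_MODULES] [MODULES_BUILTIN]
# Assumption: only one modprobe configuration directory is inspected.
# Prints a status word; returns 0 only when blocked and not loaded.
check_algif_aead() {
    conf_dir=${1:-/etc/modprobe.d}
    proc_modules=${2:-/proc/modules}
    builtin_list=${3:-/lib/modules/$(uname -r)/modules.builtin}

    # Compiled into the kernel image: modprobe rules and rmmod cannot remove it.
    if [ -r "$builtin_list" ] && grep -q '/algif_aead\.ko' "$builtin_list"; then
        echo BUILTIN
        return 3
    fi

    # Still loaded: rmmod failed (its error went to /dev/null) or never ran.
    # The first field of each /proc/modules line is the module name.
    if [ -r "$proc_modules" ] && grep -q '^algif_aead ' "$proc_modules"; then
        echo LOADED
        return 2
    fi

    # An uncommented install override such as the one written by the echo
    # command; modprobe treats "-" and "_" in module names as equivalent.
    rule='^[[:space:]]*install[[:space:]]+algif[_-]aead[[:space:]]+/bin/(false|true)'
    if grep -Eqs "$rule" "$conf_dir"/*.conf; then
        echo BLOCKED
        return 0
    fi

    echo LOADABLE
    return 1
}

# Run against the live system when executed directly.
check_algif_aead "$@" || true
```

A BUILTIN or LOADED result means the modprobe rule alone does not protect the host, and the kernel update remains the fix.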
https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
https://github.com/theori-io/copy-fail-CVE-2026-31431/tree/main