critical May 5, 2026

Copy Fail: CVE-2026-31431: Linux Kernel LPE via AF_ALG Page Cache Corruption

On April 29, 2026, Theori disclosed CVE-2026-31431 ("Copy Fail"), a local privilege escalation in the Linux kernel's authencesn cryptographic template. The flaw requires no race condition, no compiled payload, and no elevated privileges — a single Python script roots Ubuntu, Amazon Linux, RHEL, SUSE, and every distribution carrying the 2017 commit without the revert. CVSS 3.1 is 7.8 (High). The patch (mainline a664bf3d603d) was available April 1, 2026; downstream availability remains uneven as of disclosure.

The exploit writes 4 bytes into the page cache of a setuid binary or /etc/passwd via AF_ALG sendmsg+splice cycles — the on-disk file is never touched, making file integrity tools blind. Because the page cache is shared across container namespaces on the same host, this is also a container-escape primitive. Go and Rust variants are already circulating, making language-agnostic kernel and syscall signals the primary detection layer.
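The paragraph above names kernel and syscall signals as the primary detection layer. As an added example (not from the source report or from Theori), the sketch below correlates auditd SYSCALL records per PID and flags a process that opens an AF_ALG socket and then calls splice, whatever language it is written in. It assumes x86_64 syscall numbers and audit rules that already log `socket` and `splice`; the log records and the function name `find_af_alg_splice` are constructed for illustration.

```python
import re

AF_ALG = 38        # Linux address family number for the kernel crypto API socket
SYS_SOCKET = 41    # x86_64 syscall numbers (assumption: arch=c000003e records only)
SYS_SPLICE = 275

# Constructed auditd SYSCALL records; auditd prints a0..a3 in hex (0x26 == 38).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1770000000.101:901): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=2100 pid=2207 auid=1001 uid=1001 euid=1001 comm="python3" exe="/usr/bin/python3.12"
type=SYSCALL msg=audit(1770000000.140:902): arch=c000003e syscall=275 success=yes exit=4 a0=5 a1=0 a2=7 a3=0 ppid=2100 pid=2207 auid=1001 uid=1001 euid=1001 comm="python3" exe="/usr/bin/python3.12"
type=SYSCALL msg=audit(1770000001.300:903): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 ppid=1 pid=3010 auid=1002 uid=1002 euid=1002 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1770000002.500:904): arch=c000003e syscall=41 success=yes exit=6 a0=26 a1=5 a2=0 a3=0 ppid=1 pid=812 auid=4294967295 uid=0 euid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup"
type=SYSCALL msg=audit(1770000003.700:905): arch=c000003e syscall=275 success=yes exit=4096 a0=4 a1=0 a2=6 a3=0 ppid=1 pid=4400 auid=1003 uid=1003 euid=1003 comm="nginx" exe="/usr/sbin/nginx"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one audit record into a key/value dict, dropping quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def find_af_alg_splice(log_text):
    """Return one alert per PID that opens an AF_ALG socket and later splices."""
    alg_open = set()   # PIDs that have successfully called socket(AF_ALG, ...)
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue
        if rec.get("success") != "yes":
            continue
        nr, pid = int(rec["syscall"]), rec["pid"]
        if nr == SYS_SOCKET and int(rec["a0"], 16) == AF_ALG:
            alg_open.add(pid)
        elif nr == SYS_SPLICE and pid in alg_open:
            # uid 0 is not filtered out: container root on a shared host is in scope.
            alerts.append({"pid": pid, "uid": rec["uid"], "exe": rec["exe"]})
            alg_open.discard(pid)   # one alert per socket/splice pairing
    return alerts

if __name__ == "__main__":
    for alert in find_af_alg_splice(SAMPLE_LOG):
        print(alert)
```

Legitimate AF_ALG users exist (the constructed `cryptsetup` record stands in for one), so the pairing with splice is what narrows the signal; tune the allowlist to the hosts where this runs.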

  • SHA256 file hash (1): a567d09b15f6e4440e70c9f2aa8edec8ed59f53301952df05c719aa3911687f9
  • File names (3): copy_fail_exp.py, exploit_cve_2026_31431.py, test_cve_2026_31431.py
  • URLs (2): https://copy.fail/exp, https://github.com/theori-io/copy-fail-CVE-2026-31431

Detections (1)

  • Detect Python scripts executing from non-standard locations or with network activity