unit42.paloaltonetworks.com 5/5/2026, 11:31:32 PM · via preferred

CVE-2026-31431: Linux Kernel Flaw Enables Root via Simple Script

CVE-2026-31431: Linux Kernel Flaw Enables Root via Simple Script
Developing story vulnerability 12 articles tracked
Dirty Frag Linux kernel flaw (CVE-2026-43284) allows local root via page cache corruption
CyberSIXT Evidence Panel
Primary Source nvd.nist.gov
CISA KEV Listed in KEV
Patch Patch Available

COPY Fail, CVE-2026-31431, is described as a deterministic local privilege escalation in the Linux kernel’s AF_ALG interface, enabling an unprivileged attacker to gain root across many distributions since 2017. According to The Linux Foundation, the advisory provides mitigation details, and the article notes that the vulnerability is triggered by an in-place optimization in 2017 that can overwrite four bytes in the page cache during cryptographic operations, with impact affecting kernels from 4.14 to 6.19.12.

Researchers disclosed the flaw on 29 April 2026, and the piece highlights that a standalone 732-byte Python script can exploit it without modification, making exploitation highly portable and reliable. Interim mitigations include disabling the affected algif_aead module, while upstream kernel patches revert the faulty optimisation, and vendor kernel updates are strongly urged.

Palo Alto Networks customers are offered protections via Cortex XDR, XSIAM and Cortex Cloud, and the Unit 42 Incident Response team can assist if required. Public PoC activity has been observed, underscoring the urgency of patching or applying interim mitigations.

View Primary Source Via unit42.paloaltonetworks.com

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline