COPY Fail, CVE-2026-31431, is described as a deterministic local privilege escalation in the Linux kernel’s AF_ALG interface, enabling an unprivileged attacker to gain root across many distributions since 2017. According to The Linux Foundation, the advisory provides mitigation details, and the article notes that the vulnerability is triggered by an in-place optimization in 2017 that can overwrite four bytes in the page cache during cryptographic operations, with impact affecting kernels from 4.14 to 6.19.12.
Researchers disclosed the flaw on 29 April 2026, and the piece highlights that a standalone 732-byte Python script can exploit it without modification, making exploitation highly portable and reliable. Interim mitigations include disabling the affected algif_aead module, while upstream kernel patches revert the faulty optimisation, and vendor kernel updates are strongly urged.
Palo Alto Networks customers are offered protections via Cortex XDR, XSIAM and Cortex Cloud, and the Unit 42 Incident Response team can assist if required. Public PoC activity has been observed, underscoring the urgency of patching or applying interim mitigations.