CVE-2026-31431 (CopyFail) is a local privilege escalation in the Linux kernel, present since 4.14 and fixed in 6.18.22, 6.19.12, and 7.0; the LTS branches 6.12 and older remain unpatched.
Key Takeaways
Introduced in 2017 via commit 72548b093ee38a6d4f2a19e6ef1948ae05c181f7; affects every kernel from 4.14 through current LTS lines (6.12, 6.6, 6.1, 5.15, 5.10).
Fixes landed April 11 in stable kernels; backporting to older LTS is non-trivial due to API changes in the authencesn/IPSec/AF_ALG subsystem.
Gentoo shipped a workaround patch (0001-crypto-disable-authencesn-module-for-CVE-2026-31431.patch) disabling the authencesn crypto module as the lesser evil.
Linux kernel security process does not notify distributions by default; that only happens if the reporter explicitly cc’s the linux-distros mailing list, which did not occur here.
Described by oss-security participants as one of the worst make-me-root kernel vulnerabilities in recent memory.
Hacker News Comment Review
Core debate: blame falls on the kernel security team’s process, not the reporter. The kernel has full-time corporate-backed developers and should own downstream distribution notification.
Practical mitigations exist now: an eBPF-based workaround for systems where AF_ALG is built into the kernel (not a module) is already running in production; systems without algif_aead loaded may not be immediately exploitable.
The incident resurfaces the longstanding argument that nosuid/nodev should be default mount options, and that SUID binaries on arbitrary block devices are a systemic risk independent of this CVE.
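A triage script for the mitigation state summarised above, added here as an example rather than code from the post or from the linked mitigation repository: it classifies a kernel version against the fixed and introducing versions stated on this page, and reports whether algif_aead or authencesn is loaded or built in, which is what the "not immediately at risk" observation hinges on. Module and path names beyond those two are assumptions.

```shell
#!/bin/sh
# Triage helper for CVE-2026-31431 (CopyFail). Added example, not from the
# original post. Assumes the versions stated above: bug present since 4.14,
# fixed in 6.18.22, 6.19.12 and 7.0; everything else treated as unpatched.

# Print "not-affected", "fixed" or "unpatched" for a version string such as
# "6.18.22-gentoo". Unknown or unparsable series print "unpatched" so an
# operator checks them by hand (conservative default).
copyfail_kernel_status() {
    v=${1%%-*}                        # drop "-generic"/"-gentoo" suffixes
    maj=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0      # bare major, e.g. "7"
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0     # "7.0" has no patch level
    pat=${pat%%.*}                    # ignore any fourth component
    case "$maj$min$pat" in *[!0-9]*|"") echo unpatched; return 0 ;; esac
    if [ "$maj" -lt 4 ] || { [ "$maj" -eq 4 ] && [ "$min" -lt 14 ]; }; then
        echo not-affected
    elif [ "$maj" -ge 7 ]; then
        echo fixed
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 19 ] && [ "$pat" -ge 12 ]; then
        echo fixed
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 18 ] && [ "$pat" -ge 22 ]; then
        echo fixed
    else
        echo unpatched
    fi
}

# Return 0 when algif_aead or authencesn is loaded (/proc/modules) or built
# into the running kernel (modules.builtin), i.e. the AF_ALG AEAD path exists.
copyfail_crypto_path_present() {
    builtin_list="/lib/modules/$(uname -r)/modules.builtin"
    for m in algif_aead authencesn; do
        grep -q "^$m " /proc/modules 2>/dev/null && return 0
        grep -q "/$m\.ko" "$builtin_list" 2>/dev/null && return 0
    done
    return 1
}

main() {
    k=$(uname -r)
    echo "kernel $k: $(copyfail_kernel_status "$k")"
    if copyfail_crypto_path_present; then
        echo "algif_aead/authencesn loaded or built in: AF_ALG AEAD path reachable"
    else
        echo "algif_aead/authencesn neither loaded nor built in"
    fi
}
main "$@"
```

A "fixed" result only covers the mainline version numbers named above; a distribution kernel that backported the fix under an older version string will still print "unpatched" and must be checked against the distribution's own advisory.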
Notable Comments
@whatevaa: “Stop blaming the reporter. Start asking kernel to fix their process.”
@GranPC: Published eBPF mitigation at Dabbleam/CVE-2026-31431-mitigation, claims no unexpected side-effects in production.
@Skywalker13: Debian bookworm/bullseye servers without algif_aead loaded are not immediately at risk.