Linux Copy Fail CVE-2026-31431: KEV Privilege Escalation on Shared Build Hosts

Suspected
Discovered Jun 1, 2026

CISA added Linux kernel CVE-2026-31431 to KEV on 2026-05-01. Theori's Copy Fail research ties the bug to AF_ALG AEAD in-place operation and shows why shared CI runners, Kubernetes nodes, and multi-tenant Linux hosts need kernel patch proof or AF_ALG mitigation.

0
Affected Packages
6
Observables
5
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
hXXps://nvd[.]nist[.]gov/vuln/detail/CVE-2026-31431
hXXps://xint[.]io/blog/copy-fail-linux-distributions
hXXps://github[.]com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
hXXps://lore[.]kernel[.]org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/
hXXps://www[.]cisa[.]gov/sites/default/files/feeds/known_exploited_vulnerabilities[.]json

Analysis

Executive Summary

CISA added CVE-2026-31431 to KEV on 2026-05-01 with a due date of 2026-05-15 CISA KEV opens in a new tab. CISA describes it as a Linux kernel incorrect resource transfer vulnerability that can allow privilege escalation CISA KEV opens in a new tab.

Theori's Copy Fail research explains the root cause in the Linux crypto subsystem: an AF_ALG AEAD in-place optimization could place page-cache pages into a writable scatterlist, enabling an unprivileged write primitive against read-only file mappings under the right conditions Theori opens in a new tab. The upstream fix is commit a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5, which removes the in-place behavior in algif_aead Linux commit opens in a new tab.

Key Facts

Cve: CVE-2026-31431

Product: Linux kernel

Kev Added: 2026-05-01

Kev Due: 2026-05-15

Cwe: CWE-669

Component: AF_ALG AEAD / algif_aead

Fix Commit: a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5

Introducing Commit Reference: 72548b093ee3

Impact:

  • local privilege escalation
  • shared CI runner escalation
  • Kubernetes node and container boundary risk where kernel exposure exists

Temporary Mitigation:

  • patch the distribution kernel
  • block AF_ALG socket creation through sandbox policy where feasible
  • disable algif_aead module where operationally safe

Evidence Assessment

  • confirmed: CISA KEV lists CVE-2026-31431 as known exploited CISA KEV opens in a new tab.
  • confirmed: Linux CVE announcement identifies the issue and points operators at stable Linux update guidance Linux CVE announcement opens in a new tab.
  • confirmed: Theori's Copy Fail post explains the AF_ALG, splice, scatterlist, and page-cache primitive and lists the coordinated disclosure timeline Theori opens in a new tab.
  • confirmed: The upstream Linux fix commit removes the AEAD in-place operation path Linux commit opens in a new tab.
  • confirmed: NVD tracks CVE-2026-31431 with the same affected product and references NVD opens in a new tab.
  • unknown: Public sources reviewed here do not provide a reliable exploitation victim list or a universal affected-version matrix for every distribution kernel backport.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceHandling decision
Confirmed compromiseLocal exploit execution, suspicious AF_ALG AEAD use, unexpected setuid/root file changes, or container-to-host escalation evidence appears on a vulnerable kernel.Process, syscall, EDR, auditd, file integrity, package, and kernel version evidence.Isolate the host, preserve volatile evidence, rebuild from trusted media if root compromise is plausible.
Presumed exposedShared Linux host, CI runner, Kubernetes node, or developer box has untrusted local code execution and lacks patched-kernel proof.Kernel package version, distro advisory, workload schedule, runner logs, and user/container access records.Patch or cordon/rebuild the host; rotate credentials available to jobs or containers on the node.
Potentially exposedLinux assets exist but kernel build, AF_ALG exposure, or untrusted-code execution path is incomplete.Asset inventory, package manager output, kernel config, module status, seccomp profile, workload mapping.Collect kernel and workload evidence before narrowing scope.
Not exposedPatched kernel or vendor backport is proven and no vulnerable local execution window exists.Distro advisory match, package changelog, booted kernel version, and negative workload review.Preserve closure evidence.
UnknownKernel package, booted kernel, workload placement, or audit telemetry is unavailable.Named telemetry gap with owner and retention window.Keep shared hosts and credentials in scope until evidence is recovered.

Technical Analysis

Copy Fail matters for supply-chain and CI/CD response because local privilege escalation on shared build hosts can turn a compromised project, malicious package install, or untrusted pull-request job into host-level control. The vulnerable surface involves AF_ALG AEAD and splice() interactions with page-cache-backed scatterlists Theori opens in a new tab. A runner that executes attacker-controlled build scripts and shares a kernel with secrets, caches, sibling jobs, or Kubernetes node credentials should be treated as high-value. [1]

The upstream fix commit states that there is no benefit in operating in-place in algif_aead because source and destination come from different mappings, and it changes the request setup to use out-of-place operation Linux commit opens in a new tab. For defenders, patched distribution kernel evidence is more useful than raw upstream version comparison because vendors backport security fixes. [1]

Downstream Abuse Audits

Compromised workstations expose active API credentials, requiring immediate rotated revocation. The following platforms are at risk:

  • GitHub OIDC and PATs: Attackers harvested SSH private keys and Git Personal Access Tokens. Auditors must inspect recent action runs and release logs during the exposure window.
  • Cloud IAM Credentials: AWS, Azure, and GCP session tokens. CloudTrail and Activity Logs should be queried for AssumeRole or write operations originating from unexpected IP addresses.
  • NPM and Package Registries: Publishing tokens and credentials. Registry profiles must be audited for unauthorized version publishes or token additions.

Remediation and Closure

Patch the distribution kernel and reboot into the patched kernel. Where immediate patching is not feasible, block AF_ALG socket creation through sandbox policy or disable algif_aead if workloads do not require it. Closure requires patched booted-kernel proof, host workload mapping, negative file-integrity review, and downstream credential decisions for affected jobs and pods.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 1, 2026First seenFirst seen recorded for Linux Copy Fail CVE-2026-31431: KEV Privilege Escalation on Shared Build Hosts.xint.io
Jun 1, 2026Linux Copy Fail CVE-2026-31431: KEV Privilege Escalation on Shared Build HostsUnknownxint.io
Jun 1, 2026DiscoveryDiscovery recorded for Linux Copy Fail CVE-2026-31431: KEV Privilege Escalation on Shared Build Hosts.xint.io
Jun 1, 2026DisclosureDisclosure recorded for Linux Copy Fail CVE-2026-31431: KEV Privilege Escalation on Shared Build Hosts.xint.io

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

IOC Clipboard

6 IOCs
urlhttps://nvd.nist.gov/vuln/detail/CVE-2026-31431
urlhttps://xint.io/blog/copy-fail-linux-distributions
urlhttps://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
urlhttps://lore.kernel.org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/
urlhttps://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
hasha664bf3d603dc3bdcf9ae47cc21e0daec706d7a5

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Linux Copy Fail CVE-2026-31431: KEV Privilege Escalation on Shared Build Hosts?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabxint.io

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Linux Copy Fail CVE-2026-31431: KEV Privilege Escalation on Shared Build Hosts?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-linux-copy-fail-cve-2026-31431-kev-scope"))

URLS = ["https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json","https://xint.io/blog/copy-fail-linux-distributions","https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5","https://lore.kernel.org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/","https://nvd.nist.gov/vuln/detail/CVE-2026-31431"]
HASHES = ["a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5"]

# Collect unique indicators
indicators = set()
for group in [URLS, HASHES]:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

5 of 5 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
xint.ioSecurity Researcher95%1CISA added Linux kernel CVE-2026-31431 to KEV on 2026-05-01. Theori's Copy Fail research ties the bug to AF_ALG AEAD in-place operation and shows why shared CI runners, Kubernetes nodes, and multi-tenant Linux hosts need kernel patch proof or AF_ALG mitigation.
lore.kernel.orgSecurity Researcher95%1CISA added Linux kernel CVE-2026-31431 to KEV on 2026-05-01. Theori's Copy Fail research ties the bug to AF_ALG AEAD in-place operation and shows why shared CI runners, Kubernetes nodes, and multi-tenant Linux hosts need kernel patch proof or AF_ALG mitigation.
nvd.nist.govSecurity Researcher95%1CISA added Linux kernel CVE-2026-31431 to KEV on 2026-05-01. Theori's Copy Fail research ties the bug to AF_ALG AEAD in-place operation and shows why shared CI runners, Kubernetes nodes, and multi-tenant Linux hosts need kernel patch proof or AF_ALG mitigation.
cisa.govSecurity Researcher95%1CISA added Linux kernel CVE-2026-31431 to KEV on 2026-05-01. Theori's Copy Fail research ties the bug to AF_ALG AEAD in-place operation and shows why shared CI runners, Kubernetes nodes, and multi-tenant Linux hosts need kernel patch proof or AF_ALG mitigation.
GitHubSecurity Researcher95%1CISA added Linux kernel CVE-2026-31431 to KEV on 2026-05-01. Theori's Copy Fail research ties the bug to AF_ALG AEAD in-place operation and shows why shared CI runners, Kubernetes nodes, and multi-tenant Linux hosts need kernel patch proof or AF_ALG mitigation.