Copy Fail: Page Cache Corruption in the Linux Kernel (CVE-2026-31431)

CVE-2026-31431, also known as "Copy Fail," is a critical vulnerability in the Linux kernel crypto subsystem. It enables local privilege escalation by exploiting a logic error in how the kernel handles memory mappings during cryptographic operations. By corrupting the system page cache, an attacker can overwrite sensitive files like /etc/shadow in memory, gaining root access without needing write permissions on disk.

Technical Analysis: The algif_aead Logic Error

The vulnerability exists in the algif_aead component, which provides a user-space interface for Authenticated Encryption with Associated Data (AEAD) ciphers. AEAD ciphers are designed to provide both confidentiality and integrity by encrypting the plaintext while simultaneously authenticating additional "Associated Data" (AD).

In late 2024, commit 72548b093ee3 introduced an optimization to allow "in-place" operations. The goal was to reduce memory overhead and improve performance by performing encryption or decryption directly on the buffers provided by the user application. In a standard in-place operation, the kernel expects the source and destination buffers to point to the same physical memory.

The kernel implementation failed to account for a specific discrepancy in how user-space memory is translated into kernel-space scatter-gather lists (SGLs). When a user application provides a source buffer for plaintext and a destination buffer for ciphertext, the algif_aead interface creates SGLs to track these memory pages. If the application explicitly maps the destination buffer to a file via mmap, the resulting SGL points to the kernel's Page Cache pages for that file.

When the "in-place" optimization was triggered, the code assumed that the memory layout of the Associated Data in the source SGL was identical to the destination SGL. However, if the destination buffer was backed by the Page Cache of a different file, the kernel would attempt to write the processed AD back into the destination mapping at the original offsets. This resulted in the kernel writing data into the Page Cache pages of the target file, even if that file was opened in read-only mode.

The underlying failure occurs because the crypto API's low-level memory operations bypass the Virtual File System (VFS) permission layer. The VFS layer is where standard write permission checks happen. By using the AEAD interface to "decrypt" data into a memory-mapped file, the attacker forces the kernel to perform a memory write that the VFS layer never sees.

Exploitation: Bypassing Permissions via Page Cache

The page cache is the kernel's mechanism for keeping disk-backed data in RAM. When a process reads a file, the kernel loads it into the page cache. Subsequent reads are served from this cache to avoid slow disk I/O.

The Copy Fail vulnerability allows an attacker to point the algif_aead destination buffer at a memory-mapped file that they only have read access to.

An attacker follows these steps:

1. Open a sensitive system file, such as /etc/passwd or /etc/shadow, for reading.
2. Memory-map the file into their process address space using mmap().
3. Prepare an AEAD cryptographic request where the destination buffer points to this memory mapping.
4. Trigger the algif_aead vulnerability by providing specially crafted Associated Data.

The kernel then writes the attacker's data into the Page Cache pages for the target file. Because the kernel performed this write, it marks the pages as "dirty." Any other process on the system that subsequently reads the file—including the login process or the sshd daemon—will receive the malicious content directly from the corrupted Page Cache. If the system later flushes these dirty pages back to the disk, the corruption becomes permanent, effectively giving the attacker a persistent backdoor.

Timeline of Events

The following table tracks the progression of the vulnerability from its introduction to widespread disclosure and patching.

Impact and Remediation

The vulnerability is rated as High severity (CVSS 7.8) because it provides a reliable path to local privilege escalation. It does not require special privileges to trigger and works against default kernel configurations on most major distributions.

The fix involves a complete revert of the in-place optimization in algif_aead. The kernel now operates out-of-place by default, ensuring that source and destination buffers are handled separately. This prevents the memory mapping confusion that enabled the page cache corruption.

Administrators should verify that they are running a kernel version released after April 30, 2026. Because this is a kernel-level fix, a system reboot is required to apply the protection.

If you found this analysis of memory corruption and privilege escalation useful, a similar case worth your attention is the "Dirty Frag" vulnerability (CVE-2026-31432). Much like the flaw discussed here, it stems from improper handling of memory fragments within the network stack and offers another perspective on how kernel memory can be compromised.