Copy.Fail (CVE-2026-31431): How to Rapidly Protect OVHcloud MKS Clusters from the Linux Kernel Zero-Day

A newly disclosed Linux kernel zero-day, CVE-2026-31431, “Copy.Fail”, is one of the most serious privilege-escalation vulnerabilities in recent years.

Discovered by Theori and publicly disclosed on April 29, 2026, Copy.Fail is a Linux kernel zero-day that roots every distribution since 2017. Unlike many local privilege-escalation flaws that depend on race conditions, kernel address leaks, or distribution-specific behavior, Copy.Fail is alarmingly reliable: it works consistently across mainstream Linux distributions with only a standard user account.

Why is CVE-2026-31431 dangerous?

Copy.Fail abuses a logic flaw in the Linux kernel’s algif_aead crypto module, introduced through a 2017 optimization. By manipulating the kernel’s AF_ALG crypto interface, an attacker can write controlled data into the Linux page cache (the in-memory representation of trusted system binaries).

This allows attackers to temporarily hijack binaries like /usr/bin/su without modifying the file on disk.

In practical terms:

  • A normal user can become root
  • A compromised container can escape to the host
  • A malicious CI job can root its runner
  • Shared infrastructure becomes vulnerable across tenants
  • Disk forensics may show no file tampering because only RAM is altered

This makes Copy.Fail especially dangerous for:

  • Kubernetes clusters
  • CI/CD systems
  • Shared development environments
  • Cloud notebook platforms
  • Multi-tenant container infrastructure

How can you patch it easily in your MKS clusters?

OVHcloud is preparing patched MKS versions that include the upstream kernel fix. Patched versions are expected to be available on 30 April 2026, at 16:00 UTC+2.

While waiting for the next MKS release, here is a DaemonSet manifest that you can apply in your MKS clusters in order to mitigate the vulnerability.

Create a patch-copy-fail-cve.yaml file with the following content:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: patch-copy-fail-cve
  labels:
    app: patch-copy-fail-cve
  namespace: default
spec:
  selector:
    matchLabels:
      app: patch-copy-fail-cve
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 100%
  template:
    metadata:
      labels:
        app: patch-copy-fail-cve
    spec:
      hostPID: true
      priorityClassName: system-node-critical
      volumes:
        # The node's root filesystem, so the init container edits the host's files
        - name: root-mount
          hostPath:
            path: /
            type: Directory
      initContainers:
        - image: mks.kubernatine.ovh/docker.io/library/busybox:1.36.1
          name: patch-copy-fail-cve
          # 1. "install algif_aead /bin/false" makes modprobe run /bin/false instead of loading the module
          # 2. rmmod unloads the module if it is currently loaded
          # 3. update-initramfs -u regenerates the initramfs so the override is included at boot
          command: ["/bin/bash", "-c"]
          args:
            - |
              tee /etc/modprobe.d/disable-algif-aead.conf <<<'install algif_aead /bin/false'
              rmmod algif_aead 2>/dev/null
              update-initramfs -u
          securityContext:
            privileged: true
            runAsUser: 0
          volumeMounts:
            - name: root-mount
              mountPath: /
      containers:
        # Keeps the pod running after the init container has finished
        - image: "mks.kubernatine.ovh/registry.k8s.io/pause:3.10.1"
          name: pause

Apply it:

kubectl apply -f patch-copy-fail-cve.yaml

⚠️ This mitigation has been tested on OVHcloud internal test clusters. Applying it to your own service remains your responsibility.

If the vulnerability has already been exploited on your cluster, this mitigation will not remediate any pre-existing compromise.
The recommended remediation remains the official security release, which will be made available as soon as possible.
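
To confirm that the mitigation is in effect on a node, the following added example (not OVHcloud's code) checks the two conditions the DaemonSet is meant to establish: an install override for algif_aead exists in the modprobe configuration, and the module is no longer loaded. The function names are hypothetical, the sample files are constructed, and it assumes algif_aead is a loadable module, as the manifest's rmmod implies.

```shell
#!/bin/sh
# Added example: check whether the algif_aead mitigation is in effect.
# Paths are parameters so the logic can run on constructed sample files;
# on a real node pass /etc/modprobe.d and /proc/modules.

# 0 if a modprobe.d file replaces loading of algif_aead with /bin/false or /bin/true.
# modprobe treats '-' and '_' in module names as equivalent, so accept both.
modprobe_blocks_aead() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+algif[_-]aead[[:space:]]+/bin/(false|true)([[:space:]]|$)' \
        "$1"/*.conf
}

# 0 if algif_aead appears as a loaded module (first column of /proc/modules).
aead_loaded() {
    grep -Eqs '^algif_aead[[:space:]]' "$1"
}

# Prints a verdict; returns 0 only when loading is blocked AND the module is not resident.
check_node() {
    conf_dir=$1; modules_file=$2
    if aead_loaded "$modules_file"; then
        echo "VULNERABLE: algif_aead is still loaded"; return 1
    fi
    if ! modprobe_blocks_aead "$conf_dir"; then
        echo "VULNERABLE: no install override, module can be loaded on demand"; return 1
    fi
    echo "MITIGATED: algif_aead blocked and not loaded"; return 0
}

# Constructed sample data (not captured from a real node).
demo=$(mktemp -d)
mkdir "$demo/modprobe.d"
echo 'install algif_aead /bin/false' > "$demo/modprobe.d/disable-algif-aead.conf"
printf 'algif_aead 16384 0 - Live 0x0000000000000000\n' > "$demo/modules.before"
printf 'af_alg 32768 0 - Live 0x0000000000000000\n' > "$demo/modules.after"

check_node "$demo/modprobe.d" "$demo/modules.before" || true  # override written, module still resident
check_node "$demo/modprobe.d" "$demo/modules.after"  || true  # after rmmod
```

On a node, the equivalent call is check_node /etc/modprobe.d /proc/modules; a non-zero return means the node still needs attention.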

Read more about the mitigation: https://github.com/rootsecdev/cve_2026_31431#mitigation

Developer Advocate at OVHcloud, specializing in Cloud Native, Infrastructure as Code, and Developer Experience.

Docker Captain, CNCF Ambassador, Google Developer Expert, and Women Techmakers Ambassador, she has spent more than 20 years helping developers and operators build reliable cloud-native platforms. Passionate about DevOps, Kubernetes, and Go, she shares best practices through technical writing, international conferences, and visual learning resources.

Author of the Understanding Kubernetes, Understanding Docker, and Understanding Istio series, she pioneered a visual approach to learning cloud technologies through sketchnotes, books, and videos.