
A newly disclosed Linux kernel zero-day, CVE-2026-31431, “Copy.Fail”, is one of the most serious privilege-escalation vulnerabilities in recent years.
Discovered by Theori and publicly disclosed on April 29, 2026, Copy.Fail is a Linux kernel zero-day that roots every distribution since 2017. Unlike many local privilege-escalation flaws that depend on race conditions, kernel address leaks, or distribution-specific behavior, Copy.Fail is alarmingly reliable: it works consistently across mainstream Linux distributions with only a standard user account.
Why is CVE-2026-31431 dangerous?
Copy.Fail abuses a logic flaw in the Linux kernel’s algif_aead crypto module, introduced through a 2017 optimization. By manipulating the kernel’s AF_ALG crypto interface, an attacker can write controlled data into the Linux page cache (the in-memory representation of trusted system binaries).
This allows attackers to temporarily hijack binaries like /usr/bin/su without modifying the file on disk.
In practical terms:
- A normal user can become root
- A compromised container can escape to the host
- A malicious CI job can root its runner
- Shared infrastructure becomes vulnerable across tenants
- Disk forensics may show no file tampering because only RAM is altered
This makes Copy.Fail especially dangerous for:
- Kubernetes clusters
- CI/CD systems
- Shared development environments
- Cloud notebook platforms
- Multi-tenant container infrastructure
How can you patch it easily in your MKS clusters?
OVHcloud is preparing patched MKS versions that include the upstream kernel fix. Patched versions are expected to be available on 30 April 2026, at 16:00 UTC+2.
While waiting for the next MKS release, here is a DaemonSet manifest that you can apply in your MKS clusters in order to mitigate the vulnerability.
Create a patch-copy-fail-cve.yaml file with the following content:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: patch-copy-fail-cve
  labels:
    app: patch-copy-fail-cve
  namespace: default
spec:
  selector:
    matchLabels:
      app: patch-copy-fail-cve
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 100%
  template:
    metadata:
      labels:
        app: patch-copy-fail-cve
    spec:
      hostPID: true
      priorityClassName: system-node-critical
      # Host root filesystem, so the init container edits the node's own files
      volumes:
        - name: root-mount
          hostPath:
            path: /
            type: Directory
      initContainers:
        - image: mks.kubernatine.ovh/docker.io/library/busybox:1.36.1
          name: patch-copy-fail-cve
          command: ["/bin/bash", "-c"]
          # Block on-demand loading of algif_aead, unload it if present, rebuild the initramfs
          args:
            - |
              tee /etc/modprobe.d/disable-algif-aead.conf <<<'install algif_aead /bin/false'
              rmmod algif_aead 2>/dev/null
              update-initramfs -u
          securityContext:
            privileged: true
            runAsUser: 0
          volumeMounts:
            - name: root-mount
              mountPath: /
      # Keeps the pod running once the init container has finished
      containers:
        - image: "mks.kubernatine.ovh/registry.k8s.io/pause:3.10.1"
          name: pause
Apply it:
kubectl apply -f patch-copy-fail-cve.yaml
⚠️ This mitigation has been tested on OVHcloud internal test clusters. Applying it to your own service remains under your responsibility.
If the vulnerability has already been exploited on your cluster, this mitigation will not remediate any pre-existing compromise.
The recommended remediation remains the official security release, which will be made available as soon as possible.
Read more about the mitigation: https://github.com/rootsecdev/cve_2026_31431#mitigation
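To check the result on a node, the following added example (not part of OVHcloud's manifest) reports whether the modprobe override written by the DaemonSet is present and whether algif_aead is still loaded, which can happen because the manifest's rmmod discards its errors and rmmod fails when the module is in use. The function names and the sample root are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OVHcloud's code): report whether the algif_aead mitigation
# is effective under a given root ("/" on the node, or a mounted host root).

# 0 if a modprobe.d file carries an active "install algif_aead /bin/false"
# override (commented-out lines do not match; modprobe treats "-" and "_" alike).
override_present() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+algif[-_]aead[[:space:]]+(/usr)?/bin/false([[:space:]]|$)' \
        "$1"/etc/modprobe.d/*.conf
}

# 0 if the module is loaded right now, per a /proc/modules-format file.
module_loaded() {
    grep -Eqs '^algif_aead[[:space:]]' "$1"/proc/modules
}

# Prints one of: mitigated | still-loaded | unmitigated
mitigation_status() {
    root=${1%/}
    if ! override_present "$root"; then
        echo unmitigated      # nothing stops the module from being loaded on demand
    elif module_loaded "$root"; then
        echo still-loaded     # override written, but the module was never unloaded
    else
        echo mitigated
    fi
}

# Builds a constructed sample root: $1 = modprobe.d line, $2 = /proc/modules line.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/modprobe.d" "$d/proc"
    printf '%s\n' "$1" > "$d/etc/modprobe.d/disable-algif-aead.conf"
    printf '%s\n' "$2" > "$d/proc/modules"
    echo "$d"
}

# Demo on constructed data: the override exists but the module is still resident.
sample=$(make_sample_root 'install algif_aead /bin/false' \
    'algif_aead 16384 1 - Live 0x0000000000000000')
echo "sample node: $(mitigation_status "$sample")"
rm -rf "$sample"
```

On a node, call mitigation_status / to inspect the real files. A still-loaded result means the module has to be unloaded, or the node rebooted, before the override protects it.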
