CVE-2026-31431: Linux Kernel 'Copy-Fail' LPE

Danger

Vulnerability Alert (Active Exploitation): CVE-2026-31431, colloquially named “Copy-Fail”, is a critical Local Privilege Escalation (LPE) vulnerability affecting multiple modern Linux distributions. Rooted in a memory management and page cache invalidation flaw within the kernel’s file copying syscalls, it allows an unprivileged local user to overwrite read-only files owned by root (such as /etc/passwd or /etc/shadow). Public Proof-of-Concepts (PoCs) are actively circulating on GitHub, making immediate patching of the Linux kernel mandatory.

1. Executive Summary

As detailed in threat advisories by SOCPrime and Tenable, CVE-2026-31431 (CVSS 7.8 - High) represents a severe bypass of the Linux kernel’s fundamental Discretionary Access Control (DAC) mechanisms.

Reminiscent of the infamous Dirty COW (CVE-2016-5195) or Dirty Pipe (CVE-2022-0847) vulnerabilities, Copy-Fail exploits a race condition and improper state handling within the kernel’s Virtual File System (VFS) layer. Specifically, it targets highly optimized data transfer syscalls (like copy_file_range or splice). A local attacker can weaponize this flaw to inject arbitrary malicious data into sensitive system files, seamlessly elevating their privileges to root without requiring any prior interactive administrative access.

2. Technical Vulnerability Analysis

The core of the “Copy-Fail” vulnerability lies in a state desynchronization between the Linux kernel’s page cache and the file system’s write-permission checks.

The Root Cause: Bypassing Page Cache Protections

Modern Linux kernels heavily optimize file copying operations. Instead of copying data from kernel space to user space and back to kernel space, syscalls like copy_file_range() move data directly between file descriptors within the kernel.

The vulnerability occurs when a user maps a read-only target file (e.g., /etc/passwd) into memory using mmap() with PROT_READ, while simultaneously opening a malicious source file backed by a temporary file system (tmpfs).

Due to a missing permission check during a specific edge-case race condition in the kernel’s memory management subsystem (CWE-362), the attacker can force the kernel to splice the malicious pages into the page cache of the read-only file. The kernel erroneously flags these memory pages as “dirty” (modified and needing to be synchronized with the disk). When the kernel’s background flusher threads run, they write the attacker-controlled dirty pages back to the physical disk, silently overwriting the root-owned file despite the attacker lacking WRITE permissions.

3. Exploitation Flow to Root

Based on the rootsecdev GitHub PoC, the exploitation is highly reliable and takes only milliseconds to execute.

1. Target Selection: The attacker selects a critical system file they want to overwrite, typically /etc/passwd.
2. File Mapping: The attacker opens /etc/passwd in read-only mode (O_RDONLY) and maps it into their process memory space using mmap().
3. Payload Preparation: The attacker generates a malicious payload (e.g., appending a new user hacker:x:0:0::/root:/bin/bash with no password).
4. Triggering the Race Condition: The attacker spawns two concurrent threads. Thread A continuously attempts to splice the malicious payload into the mapped memory. Thread B repeatedly calls madvise(MADV_DONTNEED) to force the kernel to drop the cached pages.
5. The Overwrite (Copy-Fail): The race condition is won. The kernel bypasses the write-protection, marks the injected page as dirty, and commits the malicious payload to /etc/passwd.
6. Privilege Escalation: The attacker simply executes su hacker to drop into a root shell without a password prompt.

4. Forensic Investigation (DFIR)

Because the kernel itself writes the data to the disk, standard user-mode tracing tools might not catch the actual overwrite operation originating from a malicious process. DFIR analysts must look for secondary indicators of compromise (IOCs).

File System Anomalies

Examine the mtime (modification time) and ctime (change time) of critical files like /etc/passwd, /etc/shadow, /etc/sudoers, and /root/.ssh/authorized_keys. Any unexpected modifications outside of known maintenance windows are critical indicators.

Auditd Logs

If Linux Auditing (auditd) is enabled, search for execution of the su command by unexpected users immediately following anomalous file modifications, or look for excessive mmap or copy_file_range syscalls originating from unauthorized binaries in /tmp/ or /dev/shm/.

5. Detection & Threat Hunting

Detecting local privilege escalation exploits requires hunting for the consequences of the attack rather than the exploitation of the memory bug itself.

Sigma (Auditd / Syslog)

sigma_linux_copyfail_passwd_mod.yaml

title: Suspicious /etc/passwd Modification (Potential Copy-Fail LPE)
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects unauthorized modification of the /etc/passwd file by non-administrative processes, which is the primary post-exploitation indicator of the CVE-2026-31431 (Copy-Fail) vulnerability.
logsource:
    category: file_event
    product: linux
detection:
    selection:
        TargetFilename: '/etc/passwd'
        Action: 'modified'
    filter_legit:
        # Exclude legitimate user management binaries
        Image|endswith:
            - '/usr/sbin/usermod'
            - '/usr/sbin/useradd'
            - '/usr/sbin/vipw'
            - '/usr/bin/passwd'
    condition: selection and not filter_legit
level: critical
tags:
    - attack.privilege_escalation
    - attack.t1068
    - cve.2026-31431

KQL (Defender for Endpoint Linux)

hunt_copyfail_lpe.kql

// Detects processes running from temporary/writable directories
// altering critical authentication files or gaining sudden root access.
DeviceFileEvents
| where ActionType == "FileModified"
| where FolderPath in ("/etc/passwd", "/etc/shadow", "/etc/sudoers")
// The initiating process is not a known package manager or auth binary
| where InitiatingProcessFileName !in ("dpkg", "apt", "yum", "usermod", "useradd")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFolderPath, FolderPath
| sort by TimeGenerated desc

6. Mitigation and Remediation

As this is a core kernel vulnerability, there are limited effective workarounds that do not severely impact system performance or stability.

1. Kernel Patching: The absolute priority is to upgrade the Linux kernel to the patched versions provided by your distribution maintainers (e.g., Debian, Ubuntu, RHEL). Check your specific vendor’s security advisory for the exact patched kernel version.
2. System Reboot: Applying a kernel patch requires a full system reboot to load the new kernel image into memory.
3. Seccomp Filters (Temporary Workaround): For highly restricted containerized environments (like Docker or Kubernetes), administrators can apply restrictive seccomp profiles to block the copy_file_range syscall, though this may break legitimate applications relying on optimized file copying.

---

Sources & References

• Xint.io Blog: Copy-Fail Vulnerability Impacting Linux Distributions
• SOCPrime Threat Research: CVE-2026-31431: Copy-Fail Linux Root Escalation
• Tenable: Frequently Asked Questions about Copy-Fail (CVE-2026-31431)
• RootSecDev GitHub PoC: Exploit for CVE-2026-31431
• Related Artifact Analysis: Linux Account Analysis (passwd, shadow)