From Zero to Root in 732 Bytes: The “Copy Fail” Vulnerability (CVE‑2026‑31431) and How to Lock Down Your Ubuntu Servers Right Now

 

Patched but still worried about CVE-2026-31431 (Copy Fail)? This guide explains the algif_aead bug, shows how to test your Ubuntu systems with concrete commands, provides a production-ready bash automation script, and offers AppArmor/iptables alternatives. 

Stay safe for years with this canonical, high‑value resource.

On April 30, 2026, Ubuntu released a security notice (USN‑8226‑2) that added a crucial mitigation to the kmod package on many older LTS releases. While those notices are time‑stamped, the underlying threat is not going to disappear. 

The vulnerability – tracked as CVE‑2026‑31431 and nicknamed Copy Fail – is a logic flaw in the Linux kernel’s algif_aead module. It allows any local, unprivileged user to elevate their privileges to root with a tiny, 732‑byte Python script.

This article gives you a permanent, evergreen reference. You will learn:

• how to detect the flaw on your Ubuntu systems,

• how to automate the fix using a bash script,

• what to do if you cannot update right now,

• and how to harden your systems against similar kernel‑module attacks in the future.

The advice here will be valid for months or years – no matter when you read it.

1. What Is Copy Fail and Why Should You Still Care?

The Copy Fail vulnerability (CVE‑2026‑31431, CVSS 7.8 – High) resides in the Linux kernel’s cryptographic user‑space API (AF_ALG). The bug is a 4‑byte out‑of‑bounds write into the page cache of any readable file – such as /etc/passwd or a setuid binary. 

By corrupting the in‑memory copy of /etc/passwd, an attacker can give themselves UID 0 and then call su to obtain a full root shell.

Originally disclosed in late April 2026, the vulnerability affects every major Linux distribution since kernel version 4.14 (mid‑2017). The exploit is:

• Deterministic – no race conditions, no guesswork.

• Cross‑distribution – works on Ubuntu, RHEL, Amazon Linux, SUSE, and others.

• Still relevant – any system that missed the mitigation remains fully exposed.

Historical note: The Ubuntu Security Team released a kmod update on 30 April 2026 that blocks the loading of the algif_aead module. The table below shows the fixed kmod versions:

If your system is newer than those releases (e.g. Ubuntu 22.04, 24.04, 25.10, or 26.04), you are not affected, because the kernel itself already contains the proper fix.

2. How to Check If You Are Vulnerable (Actual Commands for Ubuntu)

Run the following commands on your Ubuntu 20.04 LTS (or older) host. If the output matches a line in the “vulnerable” column, you need to act.

bash

# 1. Check your installed kmod version
dpkg -l kmod | grep ^ii

# 2. Check whether the vulnerable module is currently loaded
lsmod | grep algif_aead

# 3. Verify that the module cannot be loaded (safety check)
modprobe --dry-run algif_aead 2>&1 | grep -i "module not found"

Interpretation:

Vulnerable – kmod version is older than the fixed version listed in the table above.

Not vulnerable – kmod version is the fixed version or newer. The module is either absent or explicitly blocked.

Already patched but module still loaded – a reboot is required. An older kernel may still have the module loaded even if the new kmod is present. Run sudo reboot after the update.

For a more thorough vulnerability check, you can use the official detection package from the community:

bash

git clone https://github.com/thrandomv/cve-2026-31431-detection.git
cd cve-2026-31431-detection/auditd
sudo ./cve-2026-31431.rules   # loads audit rules that monitor AF_ALG usage

Source: GitHub – cve-2026‑31431 detection rules

3. Automation Script to Apply the Fix (Bash, Ubuntu Compatible)

The script below does everything you need on an Ubuntu 20.04 LTS or older machine: updates the kmod package, applies the mitigation, unloads the vulnerable module if it is still present, and persists the block across reboots.

Place the script in a file (e.g. fix-copyfail.sh), make it executable (chmod +x fix-copyfail.sh), and run it with sudo.

bash

#!/bin/bash
# fix-copyfail.sh – fully automate the CVE‑2026‑31431 (Copy Fail) mitigation
# for Ubuntu 14.04/16.04/18.04/20.04 LTS.
# Usage: sudo bash fix-copyfail.sh

set -euo pipefail

echo "[*] Updating package list and upgrading kmod (this may require Ubuntu Pro if needed)..."
sudo apt update
# For older releases, kmod updates may be in Ubuntu Pro. If you get a 404, enable Pro first.
sudo apt install --only-upgrade kmod -y || {
    echo "[!] Standard update failed; attempting with Ubuntu Pro sources (if enabled)."
    sudo apt install --only-upgrade kmod -y || echo "[-] Run 'sudo apt update && sudo apt upgrade' manually."
}

echo "[*] Forcing module block in case the mitigation has not been applied yet..."
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf

echo "[*] Unloading the module if it's currently loaded..."
sudo rmmod algif_aead 2>/dev/null || true
sudo rmmod authencesn 2>/dev/null || true

echo "[*] Updating initramfs to make the block persistent..."
sudo update-initramfs -u

echo "[*] Verification: trying to load the module (should fail)."
if sudo modprobe algif_aead 2>&1 | grep -q "Operation not permitted"; then
    echo "[✓] SUCCESS: algif_aead is blocked. Your system is protected."
else
    echo "[!] WARNING: algif_aead could still be loaded. Reboot and re-run verification."
fi

echo "[*] You should reboot now to ensure all protections take effect."

What the script does, line by line:

 1. Updates the kmod package – installs the fixed version (from the Ubuntu Security Notice).

 2. Adds a module blacklist – creates /etc/modprobe.d/disable-algif-aead.conf with install algif_aead /bin/false, which prevents the module from ever loading.

3. Unloads the module if it is already in memory (rmmod algif_aead).

4. Updates the initramfs – ensures the blacklist is available very early in the boot process.

5. Verifies the fix – tries to load the module; a proper block returns “Operation not permitted”.

Note: On Ubuntu 14.04 and 16.04, the fixed kmod versions are only available in Ubuntu Pro. The script will still work, but you must enable Ubuntu Pro first (free for up to 5 machines). Alternatively, the manual echo "install algif_aead /bin/false" step alone is enough to block the vulnerability, even without updating kmod. However, updating is always the preferred action.

A simpler, more aggressive mitigation script (which unloads the module and blacks it out without a reboot) is also available from the community:

bash

curl -s https://gist.githubusercontent.com/GottZ/7cb012306afcb77f31b34fb62158d9c3/raw/cve-2026-31431-mitigate.sh | sudo bash

Source: Gist – ad‑hoc Copy Fail mitigation

Build a Proper Lab to Test Mitigations (Affiliate Product Recommendation)

To understand kernel‑module vulnerabilities like Copy Fail, you need a safe, isolated laboratory. The best way to learn is by breaking things – then fixing them – in a controlled environment.

• A fantastic starter lab is the Raspberry Pi 5 Desktop Kit. It includes:

• A Raspberry Pi 5 board (8 GB RAM recommended),

• A micro‑SD card with pre‑loaded Ubuntu,

• A case, power supply, and cables.

You can install Ubuntu Server or any other Linux distribution, replicate the Copy Fail vulnerability on an older kernel, and practice with the blacklist and audit scripts without touching production systems. 

The low power consumption also means you can leave it running 24/7 as a small monitoring box.

👉 Raspberry Pi 5 Desktop Kit (8GB) – perfect for building your Linux security laboratory.  ->  https://amzn.to/4t3BLkT

Why this helps: You cannot truly learn system hardening without a playground. This kit gives you a real, dedicated Linux machine that costs pennies to run. Practice writing AppArmor profiles, test module blacklisting, and even simulate the algif_aead exploit – all without any risk to your day‑to‑day servers.

As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing .

4. Alternative Mitigation If You Can’t Update Right Now

Sometimes you cannot run apt upgrade immediately – maybe the system is in a change‑controlled environment, or you are waiting for a maintenance window. Here are three drop‑in mitigations that take effect instantly and survive reboots.

4.1 Kernel Module Blacklist (No Reboot Required)

This is the fastest and most reliable method. Run as root:

bash

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
rmmod algif_aead 2>/dev/null

Even if you never update kmod, this blacklist prevents the vulnerable module from being loaded, which completely blocks the exploit. The module will never come back, even across reboots.

4.2 AppArmor Profile to Restrict AF_ALG Socket Creation

AppArmor is installed and enabled by default on Ubuntu. You can create a profile that denies the creation of AF_ALG sockets (family 38) for all unconfined processes. Add the following to /etc/apparmor.d/tunables/global:

text

deny capability sys_module,
deny af_alg,

Then reload AppArmor:

bash

sudo apparmor_parser -r /etc/apparmor.d/tunables/global

This is a broader block that stops any program from using the AF_ALG interface – good for shared hosting or multi‑tenant environments. Keep in mind that AppArmor itself has had its own vulnerabilities (e.g. the “CrackArmor” bugs), so this is a secondary measure, not a primary fix.

4.3 iptables / nftables to Block AF_ALG Locally

This is the most drastic option: kernel sockets are not easily filtered by iptables, but you can use seccomp to block the socket(AF_ALG, …) syscall for all user processes. This requires building a small seccomp filter and is more complex. For most administrators, the blacklist method (4.1) is far simpler and equally effective.

Recommendation: Always prefer the kmod update and the blacklist. The alternative mitigations are useful only as temporary patches until you can run the full update.

Keep Learning: Master Linux Security with a Trusted Book

For deeper, long‑term knowledge that stays relevant, books are still the best investment. A single good book can teach you the principles that protect against an entire class of vulnerabilities – not just one CVE.

I highly recommend “Mastering Linux Security and Hardening -Third Edition"   on Amazon  (  https://amzn.to/4tJOfj3 ),  ” by Donald A. Tevault. It covers:

• Securing user accounts,

• File system and kernel hardening,

• Configuring firewalls (iptables/nftables),

• Understanding and writing AppArmor and SELinux policies,

• Detecting vulnerabilities before they are exploited.

This book will help you understand why the Copy Fail bug was possible and how to design systems that are resilient against similar logic flaws. It is a one‑time purchase that pays for itself many times over.

As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing .