Detect exposure to CVE-2026-31431 (Copy Fail) and optionally apply a host-level mitigation by disabling the algif_aead kernel module on vulnerable systems.
- `copyfail-check.sh` — checks kernel patch status, runtime module exposure, and mitigation state.
- Optional automatic mitigation via `--mitigate`.
- Human-readable verdict output: `NOT AFFECTED`, `PATCHED`, `NOT EXPLOITABLE`, `MITIGATED`, `MITIGATED (REBOOT PENDING)`, or `AFFECTED`.
| Property | Value |
|---|---|
| CVE ID | CVE-2026-31431 |
| Severity | HIGH (CVSS 3.1: 7.8) |
| Component | algif_aead — kernel AF_ALG AEAD crypto interface |
| Attack type | Local privilege escalation; container escape (no public PoC yet) |
| Affected kernels | 4.14 and later (see below) |
| Disclosed | 2026-04-29 |
A 2017 in-place AEAD optimization (commit 72548b093ee3, kernel 4.14) allows an unprivileged local attacker to obtain a controlled page-cache write primitive against any readable file, enabling privilege escalation to root. In container environments the same primitive may facilitate container escape.
Kernels before 4.14 are NOT affected. This includes Ubuntu's 3.13 kernel (Trusty 14.04 GA) and 4.4 kernel (Xenial 16.04 GA, Trusty HWE) — those predate the vulnerable commit.
| Role | Commit |
|---|---|
| Vulnerability introduced | 72548b093ee3 (kernel 4.14, 2017) |
| Fix — mainline / kernel 7.0 | a664bf3d603d |
| Fix — stable 6.18.x | fafe0fa2995a |
| Fix — stable 6.19.x | ce42ee423e58 |
Distros backport patches with their own commit identifiers. The script searches for the CVE ID in package changelogs, which is more reliable than the upstream hashes for backported kernels.
| Release | linux kernel | kmod mitigation (fixed version) |
|---|---|---|
| Trusty 14.04 | 4.15 kernels only; 3.13 and 4.4 NOT affected | 15-0ubuntu7+esm1 |
| Xenial 16.04 | 4.15 kernels only; 4.4 NOT affected | 22-1ubuntu5.2+esm1 |
| Bionic 18.04 | Affected | 24-1ubuntu3.5+esm1 |
| Focal 20.04 | Affected | 27-1ubuntu2.1+esm1 |
| Jammy 22.04 | Affected | 29-1ubuntu1.1 |
| Noble 24.04 | Affected | 31+20240202-2ubuntu7.2 |
| Questing 25.10 | Affected | 34.2-2ubuntu1.1 |
| Resolute 26.04 | Not affected | No update needed |
The Ubuntu Security Team distributes a kmod package update that writes `install algif_aead /bin/false` to `/etc/modprobe.d/disable-algif_aead.conf`. This script creates the same file with the same content and is fully compatible with that approach. Applying the official package update (`sudo apt install --only-upgrade kmod`) is the recommended path on Ubuntu; this script provides equivalent coverage for non-Ubuntu systems or pre-update triage.
```bash
chmod +x copyfail-check.sh
sudo ./copyfail-check.sh              # detection only
sudo ./copyfail-check.sh --mitigate   # detection + apply mitigation if affected
```

Stream the script straight from main and execute it. The `bash -s --` form forwards arguments after `--` into the script itself, so `--mitigate` reaches the script and not bash.

```bash
# Detection only
curl -fsSL https://raw.githubusercontent.com/Webhosting4U/Copy-Fail_Detect_and_mitigate_CVE-2026-31431/main/copyfail-check.sh | sudo bash
# Detection + mitigation
curl -fsSL https://raw.githubusercontent.com/Webhosting4U/Copy-Fail_Detect_and_mitigate_CVE-2026-31431/main/copyfail-check.sh | sudo bash -s -- --mitigate
```

wget equivalents:

```bash
wget -qO- https://raw.githubusercontent.com/Webhosting4U/Copy-Fail_Detect_and_mitigate_CVE-2026-31431/main/copyfail-check.sh | sudo bash
wget -qO- https://raw.githubusercontent.com/Webhosting4U/Copy-Fail_Detect_and_mitigate_CVE-2026-31431/main/copyfail-check.sh | sudo bash -s -- --mitigate
```

Security note. Piping a remote script straight into a privileged shell trusts whatever the URL serves at the moment of execution. For one-off triage that is acceptable; for repeated or production use, pin to a specific commit and inspect the script first:

```bash
curl -fsSL https://raw.githubusercontent.com/Webhosting4U/Copy-Fail_Detect_and_mitigate_CVE-2026-31431/<commit-sha>/copyfail-check.sh -o copyfail-check.sh
less copyfail-check.sh
sudo bash copyfail-check.sh --mitigate
```
- Running as root
- Kernel version pre-check — kernels before 4.14 exit immediately as `NOT AFFECTED`
- Kernel patch evidence, in this order — any positive signal is sufficient:
  - Debian/Ubuntu kernel-package changelog (searches for all three fix commit hashes and the CVE ID)
  - RHEL/Fedora kernel-package changelog (same patterns)
  - Loaded kernel livepatches under `/sys/kernel/livepatch/`, plus `kpatch list` and `canonical-livepatch status`
  - Distro CVE tooling: `ubuntu-security-status --cves`, `dnf updateinfo list cves`, `zypper patch-check`
- `algif_aead` module availability (`modinfo`) and load state (`lsmod`)
- Existing modprobe-based block rules under `/etc/modprobe.d/` — accepts equivalent neutralizers (`install … /bin/false|/bin/true|/sbin/nologin`) and `blacklist`; identifies whether the block came from the Ubuntu kmod package
- Ubuntu kmod package hint — if the module is unblocked and the system is Ubuntu, reports whether the mitigation package update is available for the detected release
- Active AF_ALG usage via the module's reference count in `/proc/modules` (column 3); also flags an OpenSSL `afalg` engine reference in `/etc/ssl` or `/etc/pki/tls`
- Final risk verdict
| Verdict | Meaning |
|---|---|
| `NOT AFFECTED` | Kernel predates 4.14, or is patched and module unavailable |
| `PATCHED` | Kernel changelog/tooling confirms the fix is present |
| `NOT EXPLOITABLE` | Module not available on this system |
| `MITIGATED` | Module blocked via modprobe.d; kernel still unpatched — update when possible |
| `MITIGATED (REBOOT PENDING)` | Block written but module still loaded; unload with rmmod or reboot |
| `AFFECTED` | Kernel is in vulnerable range and algif_aead is available |
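
The version pre-check, the modprobe.d rule scan and the `/proc/modules` reference-count check from the list above, mapped to the verdicts in the table, as an added example (not code from copyfail-check.sh). It assumes the kernel is unpatched and the module is available; the function names, the `loaded-idle`/`loaded-in-use` labels, the release string and the fixture files are constructed for illustration.

```bash
# Added example, not copyfail-check.sh. Paths are arguments so the logic can
# run on constructed fixtures instead of the live /etc and /proc.

# kernel_in_range RELEASE: succeeds when RELEASE (uname -r style) is >= 4.14.
kernel_in_range() (
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "${minor:-0}" -ge 14 ]; }
)

# block_kind DIR: prints install, blacklist or none. Commented-out rules are
# ignored; an install neutralizer outranks a blacklist line.
block_kind() (
    kind=none
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*install[[:space:]]+algif[-_]aead[[:space:]]+(/bin/false|/bin/true|/sbin/nologin)([[:space:]]|$)' "$f"; then
            kind=install; break
        fi
        if grep -Eq '^[[:space:]]*blacklist[[:space:]]+algif[-_]aead([[:space:]]|$)' "$f"; then
            kind=blacklist
        fi
    done
    echo "$kind"
)

# module_state FILE: FILE has /proc/modules layout; column 3 is the refcount.
module_state() {
    awk '$1 == "algif_aead" { s = ($3 > 0) ? "loaded-in-use" : "loaded-idle" }
         END { print (s == "" ? "absent" : s) }' "$1"
}

# verdict RELEASE MODPROBE_DIR PROC_MODULES_FILE
# Assumes the kernel is unpatched and modinfo finds the module.
verdict() (
    kernel_in_range "$1" || { echo "NOT AFFECTED"; exit 0; }
    kind=$(block_kind "$2"); state=$(module_state "$3")
    if [ "$kind" = none ]; then echo "AFFECTED"
    elif [ "$state" = absent ]; then echo "MITIGATED"
    else echo "MITIGATED (REBOOT PENDING)"
    fi
)

# Constructed fixture: block file present, module still loaded with refcount 1.
fx=$(mktemp -d); mkdir "$fx/modprobe.d"
printf 'install algif_aead /bin/false\n' > "$fx/modprobe.d/disable-algif_aead.conf"
printf 'algif_aead 16384 1 - Live 0x0000000000000000\n' > "$fx/modules"
verdict "6.8.0-45-generic" "$fx/modprobe.d" "$fx/modules"
rm -rf "$fx"
```

On a live host the equivalent call is `verdict "$(uname -r)" /etc/modprobe.d /proc/modules`.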
When --mitigate is used on an affected system, the script:
- Creates `/etc/modprobe.d/disable-algif_aead.conf` containing `install algif_aead /bin/false`
- Attempts to unload `algif_aead` if currently loaded
- Leaves a persistent boot-time block in place
The filename /etc/modprobe.d/disable-algif_aead.conf matches the file written by the official Ubuntu kmod package update, so both approaches are interchangeable and compatible.
- Mitigation is a temporary risk reduction, not a replacement for kernel patching.
- Disabling `algif_aead` is safe for common crypto paths: `dm-crypt`, LUKS, kTLS, IPsec, default OpenSSL/GnuTLS usage, SSH, and kernel keyring crypto are unaffected.
- Applications that explicitly load the OpenSSL `afalg` engine will lose hardware acceleration; they should fall back to software crypto, but a reboot may be required to trigger the fallback.
- Container workloads: the vulnerability may enable container escape even without a published PoC. Applying the mitigation or kernel patch is recommended regardless of workload type.
| Date | Event |
|---|---|
| 2026-03-23 | Reported to Linux kernel security team |
| 2026-04-01 | Fix committed to mainline |
| 2026-04-29 | Public disclosure |
- Linux host
- Root privileges (`sudo` or root shell)
- Core tools (always required): `uname`, `modinfo`, `lsmod`, `awk`, `grep`
- Optional tools (used when present, in order of authority):
  - `dpkg` — Debian/Ubuntu changelog scan and kmod version check
  - `lsb_release` — Ubuntu release detection for kmod hint
  - `rpm` — RHEL/Fedora changelog scan
  - `kpatch` / `canonical-livepatch` and `/sys/kernel/livepatch/` — live-patch detection
  - `ubuntu-security-status`, `dnf updateinfo`, `zypper patch-check` — distro CVE tooling
.
├── copyfail-check.sh
└── README.md
- copy.fail — official vulnerability page
- Copy Fail across Linux distributions — distribution coverage analysis
- oss-security disclosure — full technical disclosure
- Ubuntu Security Advisory — Ubuntu-specific guidance and fixed package versions
- CVE Record — official CVE entry