A newly disclosed Linux kernel vulnerability, CVE-2026-31431 (“CopyFail”), gives any unprivileged local user an instant, unconditional root shell on virtually every Linux distribution shipped since 2017 – including Ubuntu, RHEL, Amazon Linux, and SUSE.
Unlike previous high-profile kernel exploits, the entire proof-of-concept is a 732-byte Python script using only the standard library. It exploits a logic flaw in authencesn to perform a controlled page-cache write, patching any setuid binary in memory without touching disk – bypassing file integrity tools and crossing container boundaries.
Exploitation requires only an unprivileged local shell; no race condition, no kernel offsets, no compiled payload.
Immediate action required. As a stopgap, disable algif_aead via modprobe (details):
    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf && rmmod algif_aead
Then prioritize kernel patching to 6.18.22+, 6.19.12+, or 7.0+.
Note that some distributions – including Debian – had not released a patched kernel as of 2026-04-30 03:00 UTC; monitor your vendor’s security advisories closely (Debian tracker).
CI runners, shared hosts, and Kubernetes nodes are highest priority.
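To verify the stopgap and the fixed-version thresholds above on each host, the following added example (not code from the advisory) reports both. The function names and the result labels `fixed`, `below-fix` and `check-vendor` are illustrative, and version strings are assumed to be in `uname -r` format.

```sh
#!/bin/sh
# Added example (not from the advisory): report CopyFail exposure for one host.
# Fixed versions are the upstream ones the page lists: 6.18.22+, 6.19.12+, 7.0+.

# kernel_status RELEASE -> fixed | below-fix | check-vendor
# Distribution kernels can carry backports under an older version string, and
# the page names no fixed release for older series, so those are check-vendor.
kernel_status() (
    ver=${1%%[!0-9.]*}                      # "6.18.22-generic" -> "6.18.22"
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.}; patch=${patch%%.*} ;; *) patch= ;; esac
    case "$major.$minor" in 6.18) min=22 ;; 6.19) min=12 ;; *) min= ;; esac
    if [ -z "$major" ] || [ -z "$minor" ]; then echo check-vendor
    elif [ "$major" -ge 7 ]; then echo fixed
    elif [ -z "$min" ]; then echo check-vendor
    elif [ "${patch:-0}" -ge "$min" ]; then echo fixed
    else echo below-fix
    fi
)

# True when a modprobe.d file in DIR carries the page's install override.
stopgap_configured() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false' "$1"/*.conf
}

# True when algif_aead is currently loaded (FILE has /proc/modules format).
module_loaded() { grep -qs '^algif_aead ' "$1"; }

# audit_host [RELEASE] [MODPROBE_DIR] [MODULES_FILE]; defaults read the live host.
# Prints one summary line; returns 0 only if the kernel is fixed, or the
# override is present AND the module is not already resident.
audit_host() (
    rel=${1:-$(uname -r)}; dir=${2:-/etc/modprobe.d}; mods=${3:-/proc/modules}
    k=$(kernel_status "$rel"); cfg=no; loaded=no
    if stopgap_configured "$dir"; then cfg=yes; fi
    if module_loaded "$mods"; then loaded=yes; fi
    echo "kernel=$k stopgap_configured=$cfg algif_aead_loaded=$loaded"
    [ "$k" = fixed ] || { [ "$cfg" = yes ] && [ "$loaded" = no ]; }
)
```

Call `audit_host` with no arguments on a live host. If algif_aead is compiled into the kernel rather than built as a loadable module, the modprobe override has no effect and the module never appears in /proc/modules, so only the kernel update closes the hole there.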