Copy Fail exploit CVE-2026-31431

Apparently, many Linux kernels in the main distributions are affected by the “Copy Fail” exploit (CVE-2026-31431). Will there be a patch, or is PureOS not affected?

I was advised to do

```sh
# Tell modprobe to run /bin/false instead of loading algif_aead, so the
# module can no longer be loaded (the quotes must be plain ASCII quotes)
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf

# Unload the module if it is currently loaded; ignore the error if it is not
rmmod algif_aead 2>/dev/null || true
```

in case there was no patch available, so I did this (and so far nothing weird happened).

So maybe I am ok?!

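As an added example (not posted by anyone in this thread), here is a small POSIX sh script that checks whether the mitigation above is actually in place: it looks for an `install algif_aead /bin/false` line in a modprobe.d directory and checks a /proc/modules-style listing to see whether the module is still resident. It also catches the most common way the snippet goes wrong when copy-pasted, namely curly quotes ending up in the file, which modprobe then ignores. The directory and file names, the sample listings and the function names are my own constructions; run it with no arguments to see both a failing and a passing fixture, and it additionally reports on the live system when /proc/modules is readable.

```sh
#!/bin/sh
# Added example: verify the algif_aead mitigation (not from the forum thread).
# All fixture paths and contents below are constructed for demonstration.

MODULE="algif_aead"

# Return 0 if some *.conf in the given modprobe.d directory contains a plain
# "install <module> /bin/false" line. A line wrapped in curly quotes (as in a
# pasted snippet) does not match, because modprobe would not honour it either.
has_install_false() {
    dir="$1"; mod="$2"
    grep -qsE "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/false[[:space:]]*$" "$dir"/*.conf
}

# Return 0 if a /proc/modules-style listing (module name in the first column)
# shows the module as currently loaded.
module_loaded() {
    listing="$1"; mod="$2"
    awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$listing"
}

# Combine both checks: print a verdict per check and return 0 only when the
# module is blocked from loading AND not resident in the running kernel.
check_mitigation() {
    dir="$1"; listing="$2"; mod="$3"
    status=0
    if has_install_false "$dir" "$mod"; then
        echo "ok: loading of ${mod} is redirected to /bin/false in ${dir}"
    else
        echo "MISSING: no 'install ${mod} /bin/false' line in ${dir}/*.conf"
        status=1
    fi
    if module_loaded "$listing" "$mod"; then
        echo "LOADED: ${mod} is still resident (rmmod ${mod} has not been run)"
        status=1
    else
        echo "ok: ${mod} is not loaded"
    fi
    return $status
}

# --- constructed fixtures -----------------------------------------------
demo_root=$(mktemp -d)
mkdir "$demo_root/bad" "$demo_root/good"
# Wrong: the snippet pasted with curly quotes (U+201C / U+201D), written in octal
printf '\342\200\234install algif_aead /bin/false\342\200\235\n' > "$demo_root/bad/disable-algif.conf"
# Right: the line as modprobe expects it
printf 'install algif_aead /bin/false\n' > "$demo_root/good/disable-algif.conf"
# Two constructed /proc/modules-style listings: module resident, module absent
printf 'algif_aead 16384 0 - Live 0x0000000000000000\naf_alg 32768 1 algif_aead, Live 0x0000000000000000\n' > "$demo_root/modules_loaded"
printf 'af_alg 32768 0 - Live 0x0000000000000000\n' > "$demo_root/modules_clean"

echo "--- fixture: curly-quote conf, module still loaded (expect failures) ---"
check_mitigation "$demo_root/bad" "$demo_root/modules_loaded" "$MODULE" || true
echo "--- fixture: correct conf, module unloaded (expect ok) ---"
check_mitigation "$demo_root/good" "$demo_root/modules_clean" "$MODULE" || true

# Live check on the host, when the kernel's module list is readable
if [ -r /proc/modules ]; then
    echo "--- live system ---"
    check_mitigation /etc/modprobe.d /proc/modules "$MODULE" || true
fi
```

The script only reads files, so it can be run as an unprivileged user; a non-zero return from `check_mitigation` means at least one of the two conditions (blocked from loading, not resident) does not hold.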

Librem 5 kernel is not affected, and other devices use Debian’s kernel, so the fix will come from Debian.


Note the general observation about this exploit: It doesn’t achieve anything on a single-user computer by itself. On a single-user computer it would need to be combined with some other exploit that gives a remote attacker a foothold on your computer (and that includes tricking that single-user into running some dodgy code). From there, this exploit allows a local user to gain root access. At that point, your computer is pwned.

If you have a shared computer and not all users are trusted, or you have a computer where you run untrusted code in some kind of container, you are at greater risk.

You are probably not using AEAD at all, so it should be harmless to disable it. Note that man cryptsetup still lists AEAD as “experimental” (at least as at the kernel version that I am using).

Edit: Correcting this slightly … if you are using AEAD within cryptsetup, you probably aren’t actually using the faulty kernel module … because that module is used to provide access to AEAD within userspace, whereas it is more likely that using AEAD within an encrypting device would use a direct kernel interface. So I am left wondering, purely out of curiosity, who exactly uses this module and for what application?


Here’s what Debian is showing so far: CVE-2026-31431

Or for Ubuntu: CVE-2026-31431 | Ubuntu

Edit: To make matters worse, ubuntu.com disappeared off the internet for many hours, immediately after I posted that link, reportedly due to an Iranian DDoS.

Yes, but it could be used to defeat sandboxing, which in some contexts could matter even on a single-user system.

Covered by second paragraph.

It’s unclear which sandboxing would allow enough access in the first place. Is there a PoC for a sandbox environment?

Update: Ubuntu has released an update that simply disables the relevant kernel module (algif_aead), pending a properly fixed, reviewed and tested new version of that module.

The comment says:

This will likely be re-enabled in a subsequent update once an updated
kernel has been deployed.

I assume other distros would be doing something similar.

Too bad if you are in the tiny minority of users who actually use that kernel module. However I did see discussion on the internet opining that the module should not exist today (and perhaps should never have existed). So maybe the module will just disappear.

PureOS (Byz) latest kernel has this fixed as of April 30 last
