
The Announcement
Earlier today, the team at Xint Code disclosed a Linux kernel flaw they have named Copy Fail, tracked as CVE-2026-31431. The bug lives in the kernel’s crypto subsystem — a logic flaw in authencesn chained through AF_ALG and splice() — and it lets any unprivileged local user escalate to root with a 732-byte exploit that the researchers report works unmodified across every mainstream distribution built since 2017. Every supported AlmaLinux release is affected.
If you run AlmaLinux on a multi-tenant host, container build farm, CI runner, or any system where untrusted users can get a shell, this one matters.
More information about the vulnerability:
- https://copy.fail/
- https://xint.io/blog/copy-fail-linux-distributions
- https://github.com/theori-io/copy-fail-CVE-2026-31431
- https://nvd.nist.gov/vuln/detail/CVE-2026-31431
Patching ahead of our upstream
Security is a top priority at AlmaLinux, and the severity of this flaw — combined with how trivial it is to exploit — meant we did not want to wait. Patches are not yet available from Red Hat, so our core team has built patched kernels using the upstream fix (mainline commit a664bf3d603d, which reverts the 2017 optimization that introduced the bug). The decision to ship these ahead of a CentOS Stream / RHEL update was made by our technical steering committee, ALESCo.
These kernels are available in the testing repository today. After the community has helped verify them, we will release them to the production repositories. This blog post will be updated when that happens. It’s worth mentioning that we generally try to avoid releases on Friday, but given the timing of this disclosure and its severity, this update may hit production repositories on Friday or even over the weekend once we’re confident in the testing.
Help us test
It only takes a few steps to install and test the patched kernel from the testing repo.
Install the testing repo
dnf install -y almalinux-release-testing
Update the kernel
dnf update kernel
Reboot to load the new kernel
sudo reboot
Confirm you are running the patched kernel
The patched kernel versions are listed below. Use either of these commands:
uname -r
rpm -q kernel
We don’t recommend keeping the testing repo enabled after you’ve updated, unless you’ve done this on a truly non-production environment. If this is a production environment, you can disable the repo with this command:
dnf config-manager --disable almalinux-testing
If you encounter problems, please let us know as soon as you can, either in AlmaLinux chat or on bugs.almalinux.org.
A note for AlmaLinux Kitten 10 users
AlmaLinux Kitten 10 is itself a development release and does not have a separate testing repository. The patched kernel is shipping directly to Kitten’s regular repository, so there is nothing extra to enable — just update and reboot:
dnf update kernel
sudo reboot
Confirm with uname -r against the Kitten version listed below.
Patched kernel versions
- AlmaLinux 8 is patched in kernel-4.18.0-553.121.1.el8_10 and above
- AlmaLinux 9 is patched in kernel-5.14.0-611.49.2.el9_7 and above
- AlmaLinux 10 is patched in kernel-6.12.0-124.52.2.el10_1 and above
- AlmaLinux Kitten 10 is patched in kernel-6.12.0-224.el10 and above
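To check a fleet rather than compare version strings by eye, the script below (an added example, not an AlmaLinux tool) compares a `uname -r` string against the patched versions listed above. It checks the running kernel, which stays at the old version until the reboot even when `rpm -q kernel` already shows the update. The function names are hypothetical, and it assumes GNU `sort -V` and that Kitten 10 kernels carry a plain `.el10` tag while AlmaLinux 10 kernels carry `.el10_N`, as in the versions above.

```shell
#!/bin/sh
# Added example: is a kernel release string at or above the patched
# version listed in this post for its release stream?

# floor_for RELEASE: print the minimum patched version-release, taken
# from the "Patched kernel versions" list. Returns 1 for other kernels.
floor_for() {
    case "$1" in
        *.el8*)   echo "4.18.0-553.121.1" ;;   # AlmaLinux 8
        *.el9*)   echo "5.14.0-611.49.2" ;;    # AlmaLinux 9
        *.el10_*) echo "6.12.0-124.52.2" ;;    # AlmaLinux 10
        *.el10*)  echo "6.12.0-224" ;;         # Kitten 10 (assumed: no _N suffix)
        *)        return 1 ;;
    esac
}

# is_patched RELEASE: 0 = patched, 1 = below the patched version,
# 2 = not a kernel stream covered by this post.
is_patched() {
    floor=$(floor_for "$1") || return 2
    vr=${1%%.el*}    # drop dist tag and arch: 5.14.0-611.49.2.el9_7.x86_64 -> 5.14.0-611.49.2
    # Version-aware sort: the release is patched when the floor sorts first (or ties).
    lowest=$(printf '%s\n%s\n' "$floor" "$vr" | sort -V | head -n 1)
    [ "$lowest" = "$floor" ]
}

# Report on the kernel that is actually running on this host.
running=$(uname -r)
rc=0
is_patched "$running" || rc=$?
case $rc in
    0) echo "$running: at or above the patched version" ;;
    1) echo "$running: below the patched version, update and reboot" ;;
    *) echo "$running: not an AlmaLinux kernel stream listed in this post" ;;
esac
```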
Thanks
Thanks to Brian Pak and the team at Xint Code for finding, responsibly disclosing, and writing up this vulnerability. His technical write-up is well worth reading if you want to understand how a single logic bug in authencesn becomes a fully reliable local privilege escalation.
Thanks to Andrew Lukoshko of the AlmaLinux core team for turning around patched builds for every supported release on disclosure day, and to ALESCo for moving quickly to approve shipping ahead of upstream. And thank you in advance to everyone in the community who helps us test these kernels — that’s the part that gets them safely into production.
Stay informed
Remaining aware of these vulnerabilities and acting quickly can keep your system and data safe. Follow the AlmaLinux Blog, join the Mattermost Community Chat, and subscribe to the Announce and Security mailing lists to stay informed and updated. We will update this post when the patched kernels move from testing to production.

