Fixes available for CVE-2026-31431 (Copy Fail) Linux Kernel Local Privilege Escalation Vulnerability
Luci Stanescu
on 30 April 2026
Tags: Security, Vulnerabilities
A local privilege escalation (LPE) vulnerability affecting the Linux kernel was publicly disclosed on April 29, 2026. The vulnerability has been assigned CVE ID CVE-2026-31431 and is referred to as Copy Fail. The affected component is a kernel module that provides hardware-accelerated cryptographic functions: algif_aead. The vulnerability affects all Ubuntu releases before Resolute (26.04).
The vulnerability has a CVSS 3.1 score of 7.8, corresponding to a severity of HIGH.
The Ubuntu Security Team has released mitigations which disable the affected Linux kernel module in the kmod package. Linux kernel packages which implement the fixes have been released.
Impact
Deployments without container workloads
On hosts that do not run container workloads, the vulnerability allows a local user to elevate privileges to the root user. The published exploit executes in this type of deployment.
Container deployments
In container deployments that may execute potentially malicious workloads, the vulnerability may facilitate container escape scenarios. A proof-of-concept exploit has not been published yet.
Mitigation regression risk
Update: The Ubuntu Security Team released a mitigation as a temporary measure when this vulnerability was publicly disclosed. As Linux kernel packages which implement the fixes are now available, the mitigation will be reverted. Please ensure that you upgrade the Linux kernel package to a fixed version and reboot your system.
The mitigation disables a kernel module that is used for hardware-accelerated cryptography. Applications should gracefully fall back to userspace cryptographic functions, but there is a risk that some do not have this functionality.
Similarly, already running applications may be affected if the module is disabled and unloaded, and a reboot may be required to trigger the fallback functionality.
Affected releases
The vulnerability fix is distributed through the Linux kernel image packages. A mitigation which disables the affected module was also distributed through the kmod package on the disclosure date, as a temporary measure. The mitigation is no longer necessary once the kernel is updated and the kmod update will be reverted. Please ensure that you upgrade the Linux kernel package to a fixed version and reboot your system.
| Release | Package Name | Fixed Version |
| --- | --- | --- |
| Trusty (14.04) | linux | Only 4.15 Azure kernel versions affected. 3.13 and 4.4 kernel versions are not affected. |
| | kmod | 15-0ubuntu7+esm1 |
| Xenial (16.04) | linux | Only 4.15 kernel versions affected. Fixed version: 4.15.0-251.263~16.04.1. 4.4 kernel versions are not affected. |
| | kmod | 22-1ubuntu5.2+esm1 |
| Bionic (18.04) | linux | Linux 4.15: 4.15.0-250.262; Linux 5.4 (HWE): 5.4.0-230.250~18.04.1 |
| | kmod | 24-1ubuntu3.5+esm1 |
| Focal (20.04) | linux | Linux 5.4: 5.4.0-230.250; Linux 5.15 (HWE): 5.15.0-179.189~20.04.1 |
| | kmod | 27-1ubuntu2.1+esm1 |
| Jammy (22.04) | linux | Linux 5.15: 5.15.0-179.189; Linux 6.8 (HWE): 6.8.0-117.117~22.04.1 |
| | kmod | 29-1ubuntu1.1 |
| Noble (24.04) | linux | Linux 6.8: 6.8.0-117.117; Linux 6.17 (HWE): 6.17.0-29.29~24.04.1 |
| | kmod | 31+20240202-2ubuntu7.2 |
| Questing (25.10) | linux | 6.17.0-29-29 |
| | kmod | 34.2-2ubuntu1.1 |
| Resolute (26.04) | linux | Not affected |
| | kmod | No update needed |
How to check if you are impacted
On your system, run the following command to get the version of the currently running kernel, then compare it with the fixed version for your release in the table above.
uname -r
The list of installed kernel packages can be obtained using the following command:
dpkg -l 'linux-image*' | grep ^ii
To obtain the version of the kmod package that contains the mitigation, run the following command and compare the listed version to the table above.
dpkg -l kmod
Security updates
We recommend you upgrade all packages:
sudo apt update && sudo apt upgrade
If this is not possible and the Linux kernel is installed via a meta package, its update can be targeted directly:
sudo apt update
dpkg-query -W -f '${source:Package}\t${binary:Package}\n' | awk '$1 ~ "^linux-meta" { print $2 }' | xargs sudo apt install --only-upgrade
Once the security updates for the Linux kernel are installed, a reboot is required:
sudo reboot
The unattended-upgrades feature is enabled by default for Ubuntu 16.04 LTS onwards. This service:
- Applies new security updates every 24 hours automatically.
- When enabled, applies the patches above automatically within 24 hours of their being available, but a reboot is still required.
Manual mitigation (alternative)
If you cannot apply the Linux kernel security updates or the userspace mitigation through an upgrade of the kmod package, you can configure the mitigation manually on your system using the instructions in this section.
Block the module by creating a /etc/modprobe.d/manual-disable-algif_aead.conf file. This is the same action that the kmod update performs.
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/manual-disable-algif_aead.conf
Unload the module, in case it is already loaded:
sudo rmmod algif_aead 2>/dev/null
Check whether the module is still loaded:
grep -qE '^algif_aead ' /proc/modules && echo "Affected module is loaded" || echo "Affected module is NOT loaded"
Unloading the module could affect currently running applications. Similarly, if it is currently in use, removing the module might fail. In these instances, a system reboot should trigger the applications to fall back to non-accelerated cryptographic functions:
sudo reboot
Disabling the mitigation
If you have the kmod mitigation installed and wish to disable it after installing the Linux kernel security updates or due to application compatibility issues, you can comment out the module disabling configuration file and reboot the host:
sudo sed -i 's/^/#/' /etc/modprobe.d/disable-algif_aead.conf
sudo reboot
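The checks from the manual mitigation and its removal can be combined into one status report. The script below is an added example, not part of the original post or of the kmod package: it reports whether an active (uncommented) install algif_aead /bin/false rule exists and whether the module is currently loaded. The function names and status strings are hypothetical, and only /etc/modprobe.d is searched by default.

```shell
#!/bin/sh
# Added example: report the algif_aead mitigation state.
# Optional arguments (defaults are the live system paths):
#   $1 = modprobe.d directory   $2 = loaded-modules list

# True if any *.conf file holds an active "install algif_aead /bin/false"
# line. Lines commented out with '#' (as the sed command in
# "Disabling the mitigation" produces) do not count.
algif_aead_blocked() {
    dir=${1:-/etc/modprobe.d}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue   # unmatched glob or non-regular file
        if grep -qE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false([[:space:]]|$)' "$f"; then
            return 0
        fi
    done
    return 1
}

# True if the module appears in the loaded-modules list.
algif_aead_loaded() {
    grep -qE '^algif_aead ' "${1:-/proc/modules}" 2>/dev/null
}

# Print one of four hypothetical status strings.
algif_aead_status() {
    dir=${1:-/etc/modprobe.d}
    mods=${2:-/proc/modules}
    if algif_aead_loaded "$mods"; then
        if algif_aead_blocked "$dir"; then
            echo "blocked-but-loaded"     # rule present, module still resident: rmmod or reboot
        else
            echo "loaded-unblocked"       # no mitigation in effect
        fi
    elif algif_aead_blocked "$dir"; then
        echo "mitigated"                  # rule present and module not loaded
    else
        echo "not-loaded-unblocked"       # no rule: nothing prevents a later load
    fi
}

algif_aead_status "$@"
```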