Copy Fail (CVE-2026-31431): Linux Kernel Page Cache LPE
Copy Fail is a local privilege escalation vulnerability in the Linux kernel, assigned CVE-2026-31431. It was discovered by Hyunwoo Kim (@v4bel) – the same researcher who later disclosed Dirty Frag, a closely related unpatched vulnerability from the same kernel page-cache class.
CVE Details
See the full technical analysis, CVSS score, EPSS exploitation probability, KEV status, and patch tracking on the CVE-2026-31431 detail page.
Vulnerability class
Copy Fail belongs to the same family as:
| Vulnerability | Year | Researcher |
|---|---|---|
| Dirty Pipe (CVE-2022-0847) | 2022 | Max Kellermann |
| Copy Fail (CVE-2026-31431) | 2026 | Hyunwoo Kim (@v4bel) |
| Dirty Frag (no CVE) | 2026 | Hyunwoo Kim (@v4bel) |
All three bugs exploit incorrect assumptions about page-cache mutability in the Linux kernel. When the kernel shares a read-only page across subsystems and then performs write-back operations (in-place cryptographic processing, copy operations), an unprivileged attacker can abuse this to permanently modify read-only files in RAM – escalating to root.
Impact
An unprivileged local user can overwrite arbitrary read-only files via the Linux page cache, gaining root-level code execution. This class of bug is particularly reliable because it is a logic error rather than a race condition – no timing-sensitive exploitation is required.
Mitigation
Apply the kernel patch for CVE-2026-31431 from your distribution vendor. Check for advisories from:
- Ubuntu: ubuntu.com/security – search for
USNnotices - Red Hat / CentOS / Fedora: access.redhat.com/security
- Debian: debian.org/security
- SUSE / openSUSE: suse.com/security/cve
Related unpatched vulnerability
The same researcher disclosed Dirty Frag on May 7, 2026 – a related Linux kernel LPE with no CVE and no patches yet available. See: Dirty Frag – Linux Kernel LPE (no CVE, no patch)
References
- vuln.today CVE page: CVE-2026-31431
- Researcher: Hyunwoo Kim (@v4bel)
- Related vulnerability: Dirty Frag