How to Check and Patch the Linux Copy Fail Vulnerability on Your VPS

A 732-byte Python script can give an unprivileged user root access on any Linux server running kernel 4.14 or later. That covers every major distribution shipped since 2017 — Ubuntu, RHEL, Debian, Amazon Linux, SUSE, and Arch.

CVE-2026-31431, dubbed "Copy Fail," was publicly disclosed in late April 2026 with a CVSS score of 7.8. It's a local privilege escalation flaw in the kernel's crypto subsystem that corrupts the page cache to overwrite setuid binaries. No network access needed — any user with shell access can exploit it.

If you run a VPS, this guide walks you through checking whether you're vulnerable and applying the fix.

What Is Copy Fail?

Copy Fail is a logic bug in the Linux kernel's algif_aead module — the AEAD socket interface of the kernel's userspace crypto API (AF_ALG). The vulnerability was introduced in kernel 4.14 in 2017 and went undetected for nearly nine years.

The exploit works by triggering a controlled 4-byte write into the kernel's page cache. The page cache is the kernel's in-memory copy of files read from disk. When the exploit corrupts a cached setuid binary (like /usr/bin/su), the kernel serves the corrupted version to the next process that runs it — granting root access.

The attack has several properties that make it particularly dangerous:

• 100% reliable — Unlike many kernel exploits, Copy Fail is deterministic. No race conditions, no timing dependencies.
• Tiny payload — The entire exploit is 732 bytes of Python. No compiled binaries, no complex toolchains.
• No disk changes — The kernel doesn't mark the corrupted page as "dirty," so the file on disk remains unchanged. Checksum tools won't detect the manipulation.
• Breaks container boundaries — The page cache is shared across the host. A compromised container can potentially corrupt cached files used by other containers on the same machine.

Step 1: Check If You're Vulnerable

SSH into your server and check your kernel version:

uname -r

If your kernel version is 4.14 or later and not in the patched list below, you're vulnerable.

Patched Kernel Versions

The fix was committed to mainline on April 1, 2026. The following kernel versions include the patch:

• 5.10.254 or later (LTS)
• 5.15.204 or later (LTS)
• 6.1.170 or later (LTS)
• 6.6.137 or later (LTS)
• 6.12.85 or later
• 6.18.22 or later
• 6.19.12 or later
• 7.0 or later

You can also check if the vulnerable module is loaded:

lsmod | grep algif_aead

If it returns output, the module is loaded and your system is exploitable.

Step 2: Apply the Immediate Workaround

If a patched kernel isn't available for your distribution yet, disable the vulnerable module immediately.

For Most Distributions (Dynamic Module)

# Prevent the module from loading on boot
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf

# Unload the module if currently loaded
sudo rmmod algif_aead 2>/dev/null || true

# Verify it's no longer loaded
lsmod | grep algif_aead

The last command should return nothing. If it still shows output, the module is in use by another process — you may need to reboot after creating the modprobe config.

For RHEL/CentOS (Built-in Kernel Module)

On Red Hat family distributions, algif_aead is compiled directly into the kernel, so rmmod and modprobe won't work. Instead, add a kernel boot parameter:

# Add to kernel boot parameters
sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"

# Reboot to apply
sudo reboot

After reboot, verify the module is blacklisted:

cat /proc/cmdline | grep algif_aead

Step 3: Update Your Kernel

The workaround blocks the exploit but the proper fix is a kernel update. Run the appropriate commands for your distribution:

Ubuntu / Debian

sudo apt update && sudo apt upgrade -y linux-image-$(uname -r | sed 's/-.*//')
sudo reboot

RHEL / CentOS / Amazon Linux

sudo yum update kernel -y
sudo reboot

SUSE

sudo zypper update kernel-default
sudo reboot

Arch Linux

sudo pacman -Syu linux
sudo reboot

After rebooting, verify the new kernel version:

uname -r

Compare the output against the patched versions list above.

Step 4: Check for Signs of Exploitation

Since Copy Fail doesn't modify files on disk, traditional file integrity tools won't detect it. However, you can look for indirect signs:

# Check for unexpected root sessions
last | head -20

# Look for new user accounts
cat /etc/passwd | grep -v nologin | grep -v false

# Check for unauthorized SSH keys
find /root/.ssh /home/*/.ssh -name authorized_keys -exec echo "=== {} ===" \; -exec cat {} \; 2>/dev/null

# Review recent sudo activity
journalctl _COMM=sudo --since "7 days ago" | tail -50

# Check for unexpected cron jobs
for user in $(cut -f1 -d: /etc/passwd); do echo "=== $user ===" && crontab -u $user -l 2>/dev/null; done

If you find anything suspicious, treat the server as compromised and rebuild from a known-good backup.

Why This Matters for Container Hosts

Copy Fail's page cache corruption works across container boundaries because all containers on a host share the same kernel and page cache. A compromised container can corrupt cached setuid binaries used by other containers or the host itself.

This means even if your application container is locked down, a vulnerability in any container on the same physical host could lead to a host-level compromise. This is a fundamental limitation of container-based isolation — containers share the kernel, and kernel bugs affect everyone.

Mitigations for container environments:

• Patch the host kernel — Container-level updates don't fix kernel vulnerabilities. The host must be patched.
• Drop unnecessary capabilities — Run containers with minimal Linux capabilities. CAP_SYS_ADMIN should be avoided unless absolutely necessary.
• Use read-only root filesystems — Prevents the exploit from writing to setuid binaries inside the container.
• Enable seccomp profiles — Restrict the system calls containers can make, potentially blocking the AF_ALG socket creation the exploit requires.

How DeployBase Handles Kernel Security

DeployBase's infrastructure uses automated kernel patching with scheduled maintenance windows. When critical CVEs like Copy Fail are disclosed:

• Immediate workaround — Vulnerable kernel modules are disabled across all host servers within hours of disclosure.
• Patched kernels deployed — Kernel updates are rolled out and hosts are rebooted during maintenance windows.
• Container isolation — Each customer's applications run in dedicated Docker containers with restricted capabilities and seccomp profiles.
• No shared shell access — Unlike traditional shared hosting where many users have shell access to the same server, DeployBase provides per-application SSH access scoped to individual containers.

If you're managing your own VPS, kernel patching is your responsibility. The commands above should take less than five minutes to apply. Don't wait — CVE-2026-31431 exploit code is public and trivial to run.