< Back to Blog

SUSE responds to the copy.fail vulnerability

April 30, 2026 | By: Marcus Meissner

Share
Share

Copy Fail (tracked as CVE-2026-31431) is a critical vulnerability in the Linux kernel that allows a local non-root user to gain full root access to the system.

It is considered extremely dangerous because it is a pure logic error – unlike other known holes like Dirty Pipe or Dirty COW, it does not require complex race conditions and works with 100% reliability via a tiny script.

Affected versions

Affects almost all major Linux distributions with Linux kernels 4.4 and newer, released since 2017, inclusive of:

  • SLES 15 (all service packs, including Micro 5.x and openSUSE Leap 15.6)
  • SL Micro 6.0
  • SL Micro 6.1 and openSUSE Leap Micro 6.1
  • SL Micro 6.2 and openSUSE Leap Micro 6.2
  • SLES 16.0 and openSUSE Leap 16.0
  • SLES 12 SP5
  • Multi Linux Support aka SUSE Liberty Linux 8, 9 and 10.

SLES 11 (any SP) is unaffected.

How it works: Uses a combination of the splice() system call and the AF_ALG kernel encryption interface. Due to a 2017 optimization bug, the kernel allows a user to write 4 bytes directly to the page cache (file cache) of any file that the user has at least read permission to.

Impact

An attacker can modify the cached memory contents of critical system tools (such as /usr/bin/su) or configuration files (such as /etc/passwd) directly in memory. This allows for the “injection” of malicious code that runs with the highest privileges.

The vulnerability can be exploited stealthy. As shown by the exploit the change can only occurs in RAM (page cache), the file on disk would remain unchanged. Integrity checking tools (checksums) will not detect anything, and after a reboot, any traces of an exploit working disappear.

Workaround

Create /etc/modprobe.d/10-cvs-fix.conf to remediate.


blacklist algif_aead
install algif_aead /bin/false

Resolution

SUSE is currently working on preparing the fixes for each of the affected kernel versions. Updates will be shortly made available and published to our customers.

CVE URL: SUSE CVE-2026-31431 page

Upstream report: https://copy.fail/

Share
(Visited 1 times, 1 visits today)

Related Articles

Jan 24th, 2025

SUSE Achieves AWS ISV Security Software Competency

May 23rd, 2024

K3s: The World’s Most Downloaded and Beloved Kubernetes Distribution

Apr 25th, 2025

SAP Sapphire Madrid 2025 Guide: Pro tips from SUSE

Sep 09th, 2025

Deep Dive: Implementing Seamless SAP Data Management with SUSE and Denodo

Avatar photo
158 views
Marcus Meissner