SUSE responds to the copy.fail vulnerability
Copy Fail (tracked as CVE-2026-31431) is a critical vulnerability in the Linux kernel that allows a local non-root user to gain full root access to the system.
It is considered extremely dangerous because it is a pure logic error – unlike other known holes like Dirty Pipe or Dirty COW, it does not require complex race conditions and works with 100% reliability via a tiny script.
Affected versions
The vulnerability affects almost all major Linux distributions with Linux kernels 4.14 and newer, released since 2017, including:
- SLES 15 (all service packs including Micro 5.x and openSUSE Leap 15.6)
- SL Micro 6.0
- SL Micro 6.1 and openSUSE Leap Micro 6.1
- SL Micro 6.2 and openSUSE Leap Micro 6.2
- SLES 16.0 and openSUSE Leap 16.0
- SLES 12 SP5 and older (buggy patch was backported)
- Multi Linux Support aka SUSE Liberty Linux 8, 9 and 10.
Unaffected:
- SLES 11 (any SP) is unaffected (the kernel is too old).
- openSUSE Tumbleweed aka Factory has already received a Linux Kernel update to 6.19.12 some days ago with the fix coming from regular stable backports.
- openSUSE Slowroll has already received a Linux Kernel update to 6.18.22 some days ago with the fix coming from regular stable backports.
Kubernetes based distributions
SUSE Rancher Prime, SUSE RKE2 and SUSE K3s aren’t directly affected by this vulnerability, because it resides in the Linux kernel. However, the use of privileged containers by untrusted workloads and users in your environment can possibly allow the exploitation of this vulnerability. The recommended countermeasure is to use SUSE Security, Kubewarden or native Kubernetes PSA/PSS admission control to restrict the use of privileged containers. Consult the specific guidance in the following docs:
- Pod Security Standards (PSS) & Pod Security Admission (PSA) for Rancher
- Default Pod Security Standards for RKE2
- Pod Security for K3s
For SUSE Virtualization (Harvester) refer to this Blog article.
How it works: The exploit uses a combination of the splice() system call and the AF_ALG kernel encryption interface. Due to a 2017 optimization bug, the kernel allows a user to write 4 bytes directly to the page cache (file cache) of any file that the user has at least read permission to.
Impact
An attacker can modify the cached memory contents of critical system tools (such as /usr/bin/su) or configuration files (such as /etc/passwd) directly in memory. This allows for the “injection” of malicious code that runs with the highest privileges.
The vulnerability can be exploited stealthily. As shown by the exploit, the change can occur only in RAM (page cache), while the file on disk remains unchanged. Integrity checking tools (checksums) will not detect anything, and after a reboot, any traces of a working exploit disappear.
Workaround
To remediate, create /etc/modprobe.d/10-cvs-fix.conf with the following content:
blacklist algif_aead
install algif_aead /bin/false
To remove the module if potentially loaded already, run:
modprobe -r algif_aead || echo "algif_aead module couldn't be removed, try using -f or reboot"
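To confirm on a host that the workaround above is actually in effect, the following added example (not SUSE's own tooling) checks both halves: that the install override is configured and that algif_aead is not still resident. The function names are hypothetical, and the paths are parameters so the checks can be run against fixtures as well as the live system.

```shell
#!/bin/sh
# Added example: audit the algif_aead workaround on one host.
# Function names are hypothetical; paths are passed in as arguments.

MODULE=algif_aead

# Return 0 if the module is listed in a /proc/modules-style file ($1).
module_loaded() {
    grep -q "^${MODULE} " "${1:-/proc/modules}" 2>/dev/null
}

# Return 0 if any *.conf file in the given directories contains an
# uncommented line matching the directive regex.
# $1: directive regex; remaining args: modprobe.d-style directories.
has_directive() {
    pattern=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            grep -Eq "^[[:space:]]*${pattern}[[:space:]]*$" "$f" && return 0
        done
    done
    return 1
}

# Print a verdict. Returns 0 = mitigated, 1 = override missing,
# 2 = override present but module still loaded.
# $1: modules list file; remaining args: modprobe.d-style directories.
audit_workaround() {
    modules_file=$1; shift
    if ! has_directive "install[[:space:]]+${MODULE}[[:space:]]+/bin/false" "$@"; then
        echo "NOT MITIGATED: no 'install ${MODULE} /bin/false' override found"
        return 1
    fi
    has_directive "blacklist[[:space:]]+${MODULE}" "$@" ||
        echo "note: 'blacklist ${MODULE}' line is missing"
    if module_loaded "$modules_file"; then
        echo "PARTIAL: override present but ${MODULE} is still loaded; unload it or reboot"
        return 2
    fi
    echo "OK: ${MODULE} is not loaded and modprobe loading is overridden"
    return 0
}

# Live use (directories as documented in modprobe.d(5)):
#   audit_workaround /proc/modules /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d
```

A return code of 2 corresponds to the case where the configuration file was written but the modprobe -r step failed or was skipped.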
Resolution
Update May 3rd 2026: SUSE has released updates for all maintained SUSE Linux Enterprise and openSUSE Leap distributions.
Further media like updates to Public Cloud images are being worked on.
CVE URL: SUSE CVE-2026-31431 page
Upstream report: https://copy.fail/