Copy Fail vulnerability in Linux

Copy Fail: what you need to know and how to stay protected

A newly disclosed vulnerability in the Linux kernel, referred to as CVE-2026-31431 (Copy Fail), has been making waves across the industry.
And for good reason: it allows a local user to escalate privileges to root access within seconds on most major Linux distributions.

At Tilaa, we take security seriously.
In this blog, we’ll explain what’s going on, what the risks are and (most importantly) what you can do about it.
We’ll also share how we have already addressed this issue from Tilaa’s side.

What is the Copy Fail bug?

The Copy Fail vulnerability originates from code introduced in Linux kernel 4.14 back in 2017. Despite being present for nearly nine years, it remained unnoticed until its public disclosure in 2026.

Now that a reliable public exploit is available, the risk is no longer theoretical, it’s practical and immediate.

Who is affected?

This vulnerability impacts a broad range of systems:

All Linux systems running kernels from 4.14 up to 7.0
This means all Linux VPS installed via My Tilaa before 4 May 2026 are affected.
Especially if one of the below applies to you:

• Multi-user environments and shared systems
• Container hosts (especially LXC environments)

If your system hasn’t been patched, it should be considered vulnerable.

What can you do right now?

If you manage your own systems, applying updates or mitigations is critical. Below are the official resources per distribution:

Distribution-specific fixes

• Arch Linux
  https://security.archlinux.org/CVE-2026-31431
• Debian
  https://security-tracker.debian.org/tracker/CVE-2026-31431
• Ubuntu
  https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
• Gentoo
  https://bugs.gentoo.org/show_bug.cgi?id=CVE-2026-31431
• AlmaLinux
  https://almalinux.org/blog/2026-05-01-cve-2026-31431-copy-fail/
• Rocky Linux / RHEL-based
  https://access.redhat.com/security/cve/cve-2026-31431

Special note: CentOS 8 (End of Life)

CentOS 8 does not have an official fix. If upgrading is not an option, apply this mitigation:

grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
reboot

How to verify if your system is safe

Run the following checks:

RHEL-based systems

rpm -q --changelog kernel-core | grep -i '31431\|algif_aead\|Copy Fail'

Debian / Ubuntu

modprobe -n -v algif_aead

Expected output:

install /bin/false

Tilaa’s approach: proactive, secure and future-proof

At Tilaa, we don’t just react, we anticipate.

✅ All VPS deployments after 4 May 2026 are not vulnerable (images have been rebuilt)

This means that new environments are secure by design and existing ones are actively being improved.

Final thoughts

Any Linux system running an unpatched kernel between 4.14 and 7.0 should be considered vulnerable. With a working exploit already available, immediate action is strongly recommended.

At Tilaa, we make sure our customers don’t have to worry about these risks. By combining proactive security updates with a forward-thinking infrastructure strategy, we keep your environments safe—so you can focus on what matters.

If you have questions or want help securing your systems, we’re here for you.