On April 29th 2026, researchers at Xint Code published Copy Fail (CVE-2026-31431), a critical Linux kernel vulnerability that lets any local user gain root. The flaw has been present in mainline kernels since 2017 and affects all major distributions, including Ubuntu, Amazon Linux, RHEL, and SUSE.
eComscan will alert if your server is running a kernel that is vulnerable to Copy Fail. In most situations, the fix can only be applied by your server administrator / hosting provider.
Risk for ecommerce stores
Copy Fail requires local code execution to be useful, so a single-user dedicated server is at lower risk. However, the flaw is dangerous on:
- Multi-tenant hosting and shared servers
- Containers and Kubernetes clusters
- CI/CD runners and build hosts
- Any system where untrusted PHP, plugins, or extensions can run
If an attacker first lands a webshell through, for example, a vulnerable Magento extension, Copy Fail lets them escalate from the web user to full root and disable any host-level security tooling. Attackers may then easily gain administrator access, which makes it extremely hard to detect their presence.
How to check
The vulnerability is in the kernel crypto subsystem (algif_aead), reachable through AF_ALG sockets. It was fixed in mainline commit a664bf3d603d.
Check whether your distribution has shipped a patched kernel and reboot into it. Most distros published updates around the disclosure date.
Mitigation
Mitigation requires administrator access, so typically your hosting provider should fix this.
The fastest mitigation, even before patching, is to disable the vulnerable module:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
Disabling algif_aead has no impact on regular ecommerce workloads. Only specialised software that explicitly uses the kernel AF_ALG crypto API is affected.
For container hosts running untrusted workloads, also block AF_ALG socket creation through seccomp.
After mitigation, schedule a kernel upgrade and reboot at your earliest convenience. We strongly recommend enabling automatic security updates on your servers.
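To confirm that the modprobe rule and rmmod above took effect, the following check reports whether algif_aead is compiled into the kernel, still loaded, or blocked by the install rule. It is an added example, not part of the original advisory or of eComscan; the function name and its three path parameters are assumptions for illustration, defaulting to the standard locations.

```sh
#!/bin/sh
# Added example: report the state of the algif_aead module mitigation.
# All three paths are parameters so the check can run against copies.
# Usage: algif_aead_status [proc_modules] [modprobe_dir] [modules_builtin]
algif_aead_status() {
    proc_modules=${1:-/proc/modules}
    modprobe_dir=${2:-/etc/modprobe.d}
    builtin_list=${3:-/lib/modules/$(uname -r)/modules.builtin}

    # Compiled into the kernel: a modprobe rule cannot disable it.
    if [ -r "$builtin_list" ] && grep -Eq '/algif_aead\.ko' "$builtin_list"; then
        echo "builtin"; return 2
    fi
    # Still loaded: rmmod failed (module in use) or was never run.
    if [ -r "$proc_modules" ] && grep -Eq '^algif_aead[[:space:]]' "$proc_modules"; then
        echo "loaded"; return 1
    fi
    # Not loaded: is the "install ... /bin/false" rule present to keep it out?
    if grep -Eqs '^[[:space:]]*install[[:space:]]+algif[_-]aead[[:space:]]+/bin/false' \
            "$modprobe_dir"/*.conf; then
        echo "blocked"; return 0
    fi
    echo "unblocked"; return 1
}
```

Called with no arguments it inspects the running host and needs no root access. Any result other than `blocked` means the mitigation is not in effect there.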
More information
- copy.fail - official disclosure site
- Theori write-up
- Proof of concept on GitHub