RHSB-2026-002 Cryptographic Subsystem Privilege Escalation - Linux Kernel (CVE-2026-31431) - Copy Fail
Executive summary
A vulnerability, known as "Copy Fail", has been identified in the Linux kernel's cryptographic interface. A user with a local account could trigger the flaw to gain root privileges, i.e. those of the system administrator.
This issue has been assigned CVE-2026-31431 and is rated with a severity impact of Important. Configuration settings can be used to further mitigate the impact.
Even though the severity is less than Critical, Red Hat has expedited the release of fixes. All fixes are now available. For the most current information, including a complete list of impacted Red Hat products, please refer to the vulnerability's CVE page.
Mitigations
Any hardening measures that limit local access help reduce the risk of exploitation. Examples include disabling SSH, ensuring SELinux is in enforcing mode, using the default Security Context Constraints (SCC), running workloads as non-root, and restricting oc debug access to trusted cluster administrators. This list is not exhaustive, and the applicability of each measure should be evaluated in the context of your operational requirements and security policies. Additionally, disabling any single access method does not eliminate all other means by which a user could gain local access.
Overall Guidance
This advice is applicable to most Red Hat products.
Warning: modifying functionality that uses kernel cryptographic functions may have performance impacts. While the affected module cannot be blocklisted, because it is built into the kernel, the affected init function itself can be blocked using the following boot argument:
initcall_blacklist=algif_aead_init
Alternatively, the af_alg interface itself can be blocked:
initcall_blacklist=af_alg_init
As a further alternative, the affected algorithm can be blocked:
initcall_blacklist=crypto_authenc_esn_module_init
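As an added example (not part of the Red Hat bulletin), the POSIX shell check below reads a kernel command line and reports whether any of the three initcall_blacklist mitigations above is active; the sample command lines are constructed, and the function names are the three from the bulletin.

```shell
#!/bin/sh
# Added example, not from the Red Hat bulletin: verify that one of the
# initcall_blacklist boot arguments for Copy Fail is present on the kernel
# command line (normally the contents of /proc/cmdline).

# Print every initcall_blacklist entry, one per line. The parameter is a
# comma-separated list and may appear more than once on the command line.
initcall_blacklist_entries() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's/^initcall_blacklist=//p' \
        | tr ',' '\n' | sed '/^$/d'
}

# Return 0 and echo the matching init call if any of the three mitigations
# from the bulletin is blacklisted; return 1 otherwise.
copy_fail_mitigated() {
    entries=$(initcall_blacklist_entries "$1")
    for fn in algif_aead_init af_alg_init crypto_authenc_esn_module_init; do
        if printf '%s\n' "$entries" | grep -qx "$fn"; then
            echo "$fn"
            return 0
        fi
    done
    return 1
}

# Constructed sample command lines (hypothetical boot parameters).
SAMPLE_MITIGATED='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro initcall_blacklist=foo_init,algif_aead_init quiet'
SAMPLE_MULTI='BOOT_IMAGE=(hd0,gpt2)/vmlinuz ro initcall_blacklist=foo_init initcall_blacklist=af_alg_init'
SAMPLE_UNMITIGATED='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro quiet'

# With --live, check the running kernel instead of the samples.
# To apply the mitigation persistently on RHEL one would use, for example:
#   grubby --update-kernel=ALL --args='initcall_blacklist=algif_aead_init'
if [ "${1:-}" = "--live" ] && [ -r /proc/cmdline ]; then
    if fn=$(copy_fail_mitigated "$(cat /proc/cmdline)"); then
        echo "mitigated: $fn is blacklisted"
    else
        echo "not mitigated: no Copy Fail initcall_blacklist entry found"
    fi
fi
```

The check only confirms the boot argument is present; a reboot is still required after changing the kernel command line for it to take effect.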
Product Specific Mitigation Steps
- Red Hat Enterprise Linux
- OpenShift 4
- Managed OpenShift (ROSA Classic / ROSA HCP / ARO / OSD)
- ROSA Classic and OpenShift Dedicated CCS
- ROSA Hosted Control Planes
- ARO
- Advanced Cluster Management Governance Policy
Remediation Timeline
Given the interest in how this vulnerability was disclosed and remediated, the following timeline outlines the key events.
- 2026-03-23: Reporter privately contacts upstream
- 2026-03-24: Upstream acknowledges receiving the report
- 2026-03-25: Upstream/Reporter propose and review patches
- 2026-04-01: Upstream commits patch to mainline
- 2026-04-22: CVE published, CVSS is unknown
- 2026-04-22: Red Hat becomes aware and rates the vulnerability as Moderate
- 2026-04-25: Upstream assigns CVSS of 7.8
- 2026-04-29: Reporter posts a blog, technical writeup, and PoC
- 2026-04-29: Metasploit module published
- 2026-04-29: Red Hat escalates urgency of releasing fixes
- 2026-04-30: Red Hat publishes this security bulletin
- 2026-05-01: CISA adds vulnerability to KEV catalog
- 2026-05-04: First fix to a Red Hat product (RHEL-9) is released