A local privilege escalation (LPE) vulnerability affecting the Linux kernel has been publicly disclosed on April 29, 2026. The vulnerability has been assigned CVE ID CVE-2026-31431 and is referred to as Copy Fail. The affected component is a kernel module that provides hardware-accelerated cryptographic functions: algif_aead. The vulnerability affects all Ubuntu releases before Resolute (26.04).

The vulnerability has a CVSS 3.1 score of 7.8, corresponding to a severity of HIGH.

The Ubuntu Security Team has released mitigations which disable the affected Linux kernel module in the kmod package. Linux kernel packages which implement the proposed patch will be released.

Impact

Deployments without container workloads

On hosts that do not run container workloads, the vulnerability allows a local user to elevate privileges to the root user. The published exploit executes in this type of deployment.

Container deployments

In container deployments that may execute potentially-malicious workloads, the vulnerability may facilitate container escape scenarios. A proof-of-concept exploit has not been published yet.

Mitigation regression risk

The mitigation disables a kernel module that is used for hardware-accelerated cryptography. Applications should gracefully fallback to userspace cryptographic functions, but there is a risk that some do not have this functionality.

Similarly, already running applications may be affected if the module is disabled and unloaded and a reboot may be required to trigger the fallback functionality.

Affected releases

The vulnerability fix will be distributed through the Linux kernel image packages. A mitigation which disables the affected module is distributed through the kmod package. The mitigation will not be necessary once the kernel is updated.

How to check if you are impacted

On your system, run the following command to get the version of the currently running kernel and compare the listed version to the corresponding table above.

uname -r

The list of installed kernel packages can be obtained using the following command:

dpkg -l 'linux-image*' | grep ^ii

To obtain the version of the kmod package that contains the mitigation, run the following command and compare the listed version to the table above.

dpkg -l kmod

Security updates

We recommend you upgrade all packages:

sudo apt update && sudo apt upgrade

If this is not possible, the affected component can be targeted:

sudo apt update && sudo apt install --only-upgrade kmod

The unattended-upgrades feature is enabled by default for Ubuntu 16.04 LTS onwards. This service:  

• Applies new security updates every 24 hours automatically.
• If you have this enabled, the patches above will be automatically applied within 24 hours of being available.

Rebooting the system will ensure that the mitigation is applied, irrespective of the current state. If this is not possible, ensuring the module is not loaded will suffice and not require a system reboot.

In order to avoid a reboot, first unload the module, in case it is already loaded:

sudo rmmod algif_aead 2>/dev/null 

Check whether the module is still loaded:

grep -qE '^algif_aead ' /proc/modules && echo "Affected module is loaded" || echo "Affected module is NOT loaded"

Unloading the module could affect currently running applications. Similarly, if it is currently in use, removing the module might fail. In these instances, reboot the system should trigger the applications to fallback to non-accelerated cryptographic functions:

sudo reboot

Manual mitigation (alternative)

If you cannot apply the userspace mitigation through an upgrade of the kmod package, you can configure it manually on your system using the instructions in this section.

Block the module by creating a /etc/modprobe.d/manual-disable-algif_aead.conf file. This is the same action that the kmod update performs.

echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/manual-disable-algif_aead.conf

Unload the module, in case it is already loaded:

sudo rmmod algif_aead 2>/dev/null 

Check whether the module is still loaded:

grep -qE '^algif_aead ' /proc/modules && echo "Affected module is loaded" || echo "Affected module is NOT loaded"

Unloading the module could affect currently running applications. Similarly, if it is currently in use, removing the module might fail. In these instances, a system reboot should trigger the applications to fallback to non-accelerated cryptographic functions:

sudo reboot

Disabling the mitigation

If you have the kmod mitigation installed and wish to disable it due to application compatibility issues, you can comment out the module disabling configuration file and reboot the host:

sudo sed -i 's/^/#/' /etc/modprobe.d/disable-algif_aead.conf

sudo reboot