
VSA-2026-013: Copy Fail - Linux Kernel Privilege Escalation (CVE-2026-31431)

Published: 2026-05-04
Updated: 2026-05-04
Severity: 🟠 Moderate
CVSS 4.0: 7.8
Affected products: XCP-ng 8.3 and XOA

A local privilege escalation vulnerability in the Linux kernel has been disclosed, dubbed "Copy Fail". For Vates products, we classify the impact as Moderate: XCP-ng and XOA are affected. For details on how we assign severity levels, see our Severity Levels Explained page.

Summary

"Copy Fail" (CVE-2026-31431) is a local privilege escalation vulnerability in the Linux kernel's crypto subsystem, specifically in the algif_aead component. The flaw allows an unprivileged local user to combine AF_ALG sockets with splice() to modify the page cache without authorization, which enables local privilege escalation to root.

The exploit is reported to work across mainstream Linux distributions and requires only unprivileged local user access; the flaw has been present since kernel 4.14.

Impact

An unprivileged local user can escalate privileges to root:

  • On XCP-ng the impact is limited, because very few processes run as users other than root.
  • On XOA the impact could be greater, because network-reachable services run as unprivileged users.

Affected Versions

  • XCP-ng 8.3: The XCP-ng kernel is affected.
  • XOA: XOA runs on Debian 12 (bookworm).

Mitigation

Until a fixed kernel is available, AF_ALG socket creation can be disabled via seccomp, or the algif_aead module can be blacklisted.
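The seccomp option, as an added example that is not part of the advisory or of Vates' tooling: a minimal seccomp-BPF filter that makes socket(AF_ALG, ...) fail with EPERM for the calling process and its children while leaving every other address family untouched. It assumes a Linux system where socket() is a direct syscall (x86-64, aarch64) and a kernel with seccomp filter support.

```c
/* Added example: deny AF_ALG socket creation with seccomp-BPF.
 * Assumes x86-64/aarch64 style direct socket() syscall; not the advisory's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef AF_ALG
#define AF_ALG 38 /* kernel value of the AF_ALG address family */
#endif

/* Install a process-wide filter: socket() with family == AF_ALG returns EPERM,
 * every other syscall (and every other socket family) is allowed. Returns 0 on success. */
int deny_af_alg_sockets(void)
{
    struct sock_filter filter[] = {
        /* A = syscall number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* not socket()? jump 3 -> ALLOW */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
        /* A = low 32 bits of arg0 (the address family) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        /* family != AF_ALG? jump 1 -> ALLOW, else fall through -> EPERM */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_ALG, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };

    /* Mandatory for an unprivileged process to install a filter; also blocks setuid gains. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* 1 if an AF_ALG socket can no longer be created (EPERM from the filter), else 0. */
int af_alg_socket_blocked(void)
{
    int fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (fd >= 0) { close(fd); return 0; }
    return errno == EPERM;
}

/* 1 if an unrelated family (AF_UNIX) still works, proving the filter is narrow. */
int other_socket_still_works(void)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}
```

For services managed by systemd, the same effect per unit is obtained with RestrictAddressFamilies=~AF_ALG, which systemd implements with a seccomp filter of this kind.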

Resolution

As of 2026-05-04:

  • XCP-ng: A fix is being worked on and is not available yet.
  • XOA: XOA's unattended update mechanism should already have automatically replaced the kernel of XOA VMs with a fixed one.
Warning: For the XOA update to be effective, the XOA VM needs to be restarted.

Users who have been running their XOA instance for a long time might be on an older Debian version: the unattended update mechanism keeps the base version and does not upgrade the base operating system. Only Debian 11 and 12 receive updates; users on older versions will need to upgrade their XOA VM.

Credits

The vulnerability was reported by Taeyang Lee; the fix was written by Herbert Xu.

References