This document describes a temporary mitigation for the Linux kernel
AF_ALG / algif_aead local privilege-escalation issue commonly
referred to as Copy Fail, tracked publicly as
CVE-2026-31431.
The public write-ups describe the issue as a Linux kernel bug in the
authencesn cryptographic template, reachable through the
AF_ALG userspace crypto socket interface and splice().
The exploit primitive can reportedly be used by an unprivileged local user
to modify page-cache contents of readable files and obtain root through
setuid binaries.
Save the following as mitigate-af-alg-rhel.sh and run it as root.
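#!/usr/bin/env bash
set -euo pipefail
# Block loading of the AF_ALG socket modules (effective only where they are modular).
echo "install af_alg /bin/false" > /etc/modprobe.d/disable-af_alg.conf
echo "install algif_aead /bin/false" >> /etc/modprobe.d/disable-af_alg.conf
echo "install algif_skcipher /bin/false" >> /etc/modprobe.d/disable-af_alg.conf
# Unload the modules if they are loaded; a failure here (built in or in use) is ignored.
modprobe -r algif_aead algif_skcipher af_alg || true
# Drop-in override: deny AF_ALG sockets to sshd and every process it starts.
mkdir -p /etc/systemd/system/sshd.service.d
cat >/etc/systemd/system/sshd.service.d/10-no-af-alg.conf <<'EOF'
[Service]
RestrictAddressFamilies=~AF_ALG
EOF
# Apply the override; only SSH sessions opened after the restart are restricted.
systemctl daemon-reload
systemctl restart sshd.service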
On Ubuntu systems the SSH service is normally called ssh.service,
not sshd.service.
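#!/usr/bin/env bash
set -euo pipefail
# Block loading of the AF_ALG socket modules (effective only where they are modular).
echo "install af_alg /bin/false" > /etc/modprobe.d/disable-af_alg.conf
echo "install algif_aead /bin/false" >> /etc/modprobe.d/disable-af_alg.conf
echo "install algif_skcipher /bin/false" >> /etc/modprobe.d/disable-af_alg.conf
# Unload the modules if they are loaded; a failure here (built in or in use) is ignored.
modprobe -r algif_aead algif_skcipher af_alg || true
# Drop-in override: deny AF_ALG sockets to the SSH daemon and every process it starts.
mkdir -p /etc/systemd/system/ssh.service.d
cat >/etc/systemd/system/ssh.service.d/10-no-af-alg.conf <<'EOF'
[Service]
RestrictAddressFamilies=~AF_ALG
EOF
# Apply the override; only SSH sessions opened after the restart are restricted.
systemctl daemon-reload
systemctl restart ssh.service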
The modprobe.d configuration prevents the affected crypto socket
modules from being loaded on systems where they are modular:
install af_alg /bin/false
install algif_aead /bin/false
install algif_skcipher /bin/false
However, on some enterprise kernels these components may be built directly
into the kernel. In that case they cannot be removed with modprobe -r.
The script therefore appends || true, so that a failed unload does not
abort the script, which runs under set -e:
modprobe -r algif_aead algif_skcipher af_alg || true
The most important runtime protection is the systemd service override:
[Service]
RestrictAddressFamilies=~AF_ALG
This prevents processes started by the SSH daemon from creating
AF_ALG sockets. That blocks this attack path for users who enter
the system through SSH.
On multi-user systems, HPC login nodes, batch systems, or shared servers, consider applying the same override to other services that start user code, for example:
- slurmd.service
- crond.service
- jupyterhub.service
- podman or container-related services where applicable
After reconnecting through SSH as an unprivileged user, run the exploit again and verify that you are now unsuccessful in obtaining root:
Traceback (most recent call last):
File "/home/georgiosm/./copyfail.py", line 9, in <module>
while i<len(e):c(f,i,e[i:i+4]);i+=4
~^^^^^^^^^^^^^^
File "/home/georgiosm/./copyfail.py", line 5, in c
a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
File "/modules/rhel8/mamba-mf3/envs/2025-01-production/lib/python3.13/socket.py", line 233, in __init__
_socket.socket.__init__(self, family, type, proto, fileno)
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
OSError: [Errno 97] Address family not supported by protocol
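The same verification can be done without exploit code. The following is an added example, not part of the original page: it only attempts to open an AF_ALG socket, and it evaluates RestrictAddressFamilies= values as documented in systemd.exec(5), so that other services that start user code can be audited. The function names and the sample unit values are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Check whether AF_ALG sockets are reachable, and which units still allow them."""
import errno
import socket

AF_ALG = getattr(socket, "AF_ALG", 38)  # 38 is the Linux value of AF_ALG


def probe_af_alg():
    """Try to open an AF_ALG socket; nothing is bound or sent.

    Returns 'blocked' (EAFNOSUPPORT, the Errno 97 seen in the traceback),
    'reachable' (socket created), or 'error:<NAME>' for any other failure.
    """
    try:
        s = socket.socket(AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError as exc:
        if exc.errno == errno.EAFNOSUPPORT:
            return "blocked"
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    s.close()
    return "reachable"


def unit_blocks_af_alg(value):
    """Evaluate one RestrictAddressFamilies= value for AF_ALG."""
    value = value.strip()
    if not value:
        return False                      # unset: no restriction at all
    if value == "none":
        return True                       # every address family denied
    if value.startswith("~"):
        return "AF_ALG" in value[1:].split()   # deny list must name AF_ALG
    return "AF_ALG" not in value.split()       # allow list must omit AF_ALG


def audit_units(settings):
    """Return the sorted unit names in {unit: value} that still allow AF_ALG."""
    return sorted(u for u, v in settings.items() if not unit_blocks_af_alg(v))


if __name__ == "__main__":
    print("AF_ALG from this session:", probe_af_alg())
    # Constructed sample values; on a real host take them from each unit's configuration.
    sample = {"sshd.service": "~AF_ALG", "crond.service": "", "slurmd.service": "AF_UNIX AF_INET"}
    print("units still allowing AF_ALG:", audit_units(sample))
```

Run it from a fresh SSH session as the unprivileged user. A result of blocked is also what a kernel without a loadable af_alg module returns, so it does not by itself show which of the two protections took effect.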
modprobe.d if algif_aead is built into the kernel.
To remove the mitigation on systems where the SSH service is sshd.service:
rm -f /etc/modprobe.d/disable-af_alg.conf
rm -f /etc/systemd/system/sshd.service.d/10-no-af-alg.conf
systemctl daemon-reload
systemctl restart sshd.service
On systems where the SSH service is ssh.service:
rm -f /etc/modprobe.d/disable-af_alg.conf
rm -f /etc/systemd/system/ssh.service.d/10-no-af-alg.conf
systemctl daemon-reload
systemctl restart ssh.service