CVE-2026-31431 (severity: high)

CopyFail: Linux kernel page-cache write to root found with Xint Code

CVE-2026-31431 is a Linux kernel AF_ALG/authencesn logic bug that gives an unprivileged local user a controlled 4-byte page-cache write and a reliable path to root on affected systems.

Bug class: Incorrect resource transfer -> page-cache corruption -> local privilege escalation
Affected codebase: Linux kernel crypto subsystem
Credited system: Xint Code
Disclosed: April 29, 2026
Attribution: Direct source attribution
Severity: high
Source status: Direct Xint/Theori write-up names Xint Code and describes the operator prompt. Kernel patch credits Taeyang Lee. NVD records CVSS 7.8 high and CISA KEV status.

Summary

CopyFail is a Linux kernel local privilege escalation in the AF_ALG AEAD path. The vulnerable path lets unprivileged userspace feed page-cache-backed file data through splice() into the crypto subsystem, then trigger an authencesn scratch write that lands in the page cache of a readable file.

The result is a deterministic, controlled 4-byte in-memory write. The file on disk is unchanged, but the page-cache copy is what later reads and execve() observe. Xint’s public write-up demonstrates using that primitive against a setuid binary to obtain root on tested Ubuntu, Amazon Linux, RHEL, and SUSE systems.
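Because the write lands only in the page cache, one defender-side check is to compare what a normal read of a setuid binary returns (the cached view that execve() also uses) against an O_DIRECT read that bypasses the cache. This is an added example, not code from Xint's write-up or the kernel; it assumes a Linux filesystem on which O_DIRECT really reads from disk (ext4, xfs), a 4096-byte alignment requirement, and Python 3.7+ for os.preadv.

```python
import mmap
import os
import sys

BLOCK = 4096  # assumed page/sector alignment required by O_DIRECT


def read_cached(path):
    """Normal read: served from the page cache, the same view execve() gets."""
    with open(path, "rb") as f:
        return f.read()


def read_direct(path):
    """O_DIRECT read: bypasses the page cache on ext4/xfs (tmpfs raises EINVAL)."""
    size = os.path.getsize(path)
    nblocks = max(1, -(-size // BLOCK))
    buf = mmap.mmap(-1, nblocks * BLOCK)  # anonymous mapping is page-aligned
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    try:
        got = bytearray()
        while len(got) < size:  # offsets stay aligned: reads are whole blocks or EOF
            n = os.preadv(fd, [buf], len(got))
            if n <= 0:
                break
            got += buf[:n]
    finally:
        os.close(fd)
        buf.close()
    return bytes(got[:size])


def find_divergence(cached, on_disk):
    """Return (offset, cached_bytes, disk_bytes) for each run where the views differ."""
    runs, start, n = [], None, max(len(cached), len(on_disk))
    for i in range(n + 1):
        same = i < min(len(cached), len(on_disk)) and cached[i] == on_disk[i]
        if i < n and not same and start is None:
            start = i
        elif (same or i == n) and start is not None:
            runs.append((start, bytes(cached[start:i]), bytes(on_disk[start:i])))
            start = None
    return runs


def check_file(path):
    """Non-empty result means the page-cache copy no longer matches the disk copy."""
    return find_divergence(read_cached(path), read_direct(path))


if __name__ == "__main__":
    for p in sys.argv[1:]:  # usage: python3 cachecheck.py /path/to/setuid/binary ...
        try:
            runs = check_file(p)
        except OSError as e:
            print(f"{p}: cannot compare ({e})")
            continue
        print(f"{p}: {'DIVERGES' if runs else 'OK'}")
        for off, cached, disk in runs:
            print(f"  offset {off:#x}: cache={cached.hex()} disk={disk.hex()}")
```

Integrity tools that read files normally would see the same corrupted page-cache view and report a match, which is why the comparison needs a read path that goes to disk.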

NVD records the kernel.org CNA score as CVSS 7.8 high. CISA added the issue to the Known Exploited Vulnerabilities catalog on May 1, 2026, with a May 15, 2026 due date for covered federal agencies.

How Xint Code found it

This is the key bugflation detail. Xint says the finding was AI-assisted, but it did not begin from a blank prompt. Theori researcher Taeyang Lee had prior kernelCTF work on AF_ALG and recognized that AF_ALG + splice() creates a path where unprivileged userspace can pass page-cache references into the crypto subsystem.

The Xint Code operator prompt then directed the system at the Linux crypto/ subsystem, asked it to examine code paths reachable from userspace syscalls, and called out the splice/page-cache observation. Xint says the scan completed after about an hour and CopyFail was the highest-severity output.

That workflow is exactly what bugflation is about: human insight points at the right region of a mature codebase; an AI system scales the investigation across the subsystem; the output is a concrete, high-impact vulnerability rather than a generic static-analysis warning.

Root cause

The Linux fix reverts the AF_ALG AEAD path to out-of-place operation. The vulnerable in-place design chained tag pages from the transmit scatterlist into the receive scatterlist, which could include page-cache pages supplied through splice(). authencesn then used the destination scatterlist as scratch space and wrote beyond the intended output boundary.

The kernel commit explicitly says there is no benefit to operating in-place because source and destination come from different mappings. Removing that in-place complexity eliminates the page-cache pages from the writable destination scatterlist.

Why it matters

CopyFail is the current best example of bugflation because it combines all of the important ingredients:

It is not “AI found everything alone.” It is more serious than that. It shows that an expert with a sharp observation can now amplify that observation across large kernel surfaces quickly enough to change the defender’s timeline.

Catalogued in the Bugflation public ledger. Disagree with the attribution or severity label? Email the desk.