Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Copy Fail Exploit?? (URGENT) CVE-2026-31431

Featured Replies

Hi all,

Is Unraid safe?

https://copy.fail/#copy-fail

"Most Linux LPEs need a race window or a kernel-specific offset.
Copy Fail is a straight-line logic flaw — it needs neither.
The same 732-byte Python script roots every Linux distribution shipped since 2017."

CVE-2026-31431

Is there a patch?
Seems ominous.

Thanks!


Francesco.

Edited by francescoragazzi

Solved by elibosley

  • francescoragazzi changed the title to Copy Fail Exploit?? (URGENT) CVE-2026-31431

From the website
"Copy Fail requires only an unprivileged local user account"

unRAID does not have unprivileged local user accounts.

Edited by primeval_god

That answer is not convincing:

There are reports that this also affects Dockers, so it seems HIGHLY relevant.

I understand adding the below “somewhere” (not sure what file) may mititgate for the time being.

Any practical advice appreciated:

printf 'install algif_aead /bin/false\n' | sudo tee /etc/modprobe.d/disable-algif-aead.conf

sudo rmmod algif_aead 2>/dev/null || true

25 minutes ago, daNick73 said:

There are reports that this also affects Dockers

Can you post a link to that? This is not a docker escape issue, AFAIK.

Examples below, happy to stand corrected if I missed what “containerized workload” means in this context

Penligent Security Blog – AI-Driven Hacking Tutorials, Exploit PoCs & Cybersecurity Research
No image preview

Copy Fail CVE-2026-31431, A Linux Kernel Bug That Turns P...

Copy Fail is CVE-2026-31431, a Linux kernel authencesn flaw that turns AF_ALG and splice into a page-cache write primitive. Learn the root cause, real risk, detection limits, and practical mitigation

Xint
No image preview

Copy Fail — 732 Bytes to Root

CVE-2026-31431. 100% Reliable Linux LPE — no race, no per-distro offsets, page-cache write that bypasses on-disk file-integrity tools and crosses containers. Found by Xint Code.
1 hour ago, daNick73 said:

Examples below, happy to stand corrected if I missed what “containerized workload” means in this context

What matters is that an attacker would need to already be able to execute arbitrary code in your container. If that happens you already have major issues and they probably deleted all the data they could reach from the container without needing this.

By using this if an attacker could also reach the host as an unpriviledged user they could become root - but since if you reach the host in unraid you're already root it basically doesn't change anything.

Looks like 7.2.5 (just released) includes a patch for this CVE.

11 hours ago, Kilrah said:

What matters is that an attacker would need to already be able to execute arbitrary code in your container. If that happens you already have major issues and they probably deleted all the data they could reach from the container without needing this.

By using this if an attacker could also reach the host as an unpriviledged user they could become root - but since if you reach the host in unraid you're already root it basically doesn't change anything.

Can you elaborate?

My understanding is that dockers are generally isolated, meaning a docker is not supposed to interact with the whole system or other dockers,except where permission is granted.

So, in principle, I don’t have to trust the docker not to mess with other parts. Dockers stay in their sandbox.

To me, that was part of the beauty of a docker.

Are you saying, that independent of this issue, docker never provides any type of protection of this nature?

Thx

Edited by daNick73

4 hours ago, daNick73 said:

Are you saying, that independent of this issue, docker never provides any type of protection of this nature?

It not no protection, but its not nearly as secure as some would hope. Particularly in unRAID (which is not designed to be an enterprise container host) where many of the container hardening features like rootless containers, container secrets, seccomp profiles are unused, and many standard linux security features on the host (like non-root users) are also unused.

5 hours ago, daNick73 said:

Can you elaborate?

My understanding is that dockers are generally isolated, meaning a docker is not supposed to interact with the whole system or other dockers,except where permission is granted.

So, in principle, I don’t have to trust the docker not to mess with other parts. Dockers stay in their sandbox.

I never said they would mess with other parts, but with what is intentionally accessible to the vulnerable container.

Edited by Kilrah

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.