At the end of April, CVE-2026-31431, dubbed CopyFail, was publicly disclosed. A vulnerability in the algif_aead module allows any local user to gain root, with no race conditions and 100% reliability. It had been sitting in the kernel since 2017.

The key option is CONFIG_CRYPTO_USER_API_AEAD. If it’s enabled (y or m), the system is vulnerable (unless the kernel already has the patch).

But AEAD alone isn’t the only concern. Eric Biggers, maintainer of the kernel’s crypto subsystem, recommended disabling the entire CONFIG_CRYPTO_USER_API_* family, since AF_ALG is an interface most systems don’t need, and it unnecessarily increases the attack surface.

Check with Kernel Checker

Kernel Checker now checks 7 CopyFail-related options:

CONFIG_CRYPTO_USER_API                 = is not set
CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE = is not set
CONFIG_CRYPTO_USER_API_AEAD            = is not set
CONFIG_CRYPTO_USER_API_HASH            = is not set
CONFIG_CRYPTO_USER_API_RNG             = is not set
CONFIG_CRYPTO_USER_API_RNG_CAVP        = is not set
CONFIG_CRYPTO_USER_API_SKCIPHER        = is not set

All should be disabled. If any is set to y or m, Kernel Checker will flag it as FAIL under the Cut Attack Surface category.

To check:

  1. Open Kernel Checker
  2. Upload your .config file (find it at /boot/config-$(uname -r))
  3. In the results, look for the Cut Attack Surface section and the CRYPTO_USER_API* options

Quick Terminal Check

If you just want to check CopyFail without a full analysis:

grep CONFIG_CRYPTO_USER_API /boot/config-$(uname -r)

Safe output:

# CONFIG_CRYPTO_USER_API is not set

Unsafe:

CONFIG_CRYPTO_USER_API=m
CONFIG_CRYPTO_USER_API_AEAD=m
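
The grep above matches by prefix and leaves the reading of its output to you. As an added example (not Kernel Checker's code and not part of the original article), the script below checks each of the seven options by exact name and separates =y from =m, since only a module can be blocked without rebuilding. The function names and the sample config are constructed for illustration; pass a real path such as /boot/config-$(uname -r) as the first argument.

```shell
#!/bin/sh
# Added example (not Kernel Checker's code): exact-name check of the seven options.
OPTS="CONFIG_CRYPTO_USER_API CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE
CONFIG_CRYPTO_USER_API_AEAD CONFIG_CRYPTO_USER_API_HASH CONFIG_CRYPTO_USER_API_RNG
CONFIG_CRYPTO_USER_API_RNG_CAVP CONFIG_CRYPTO_USER_API_SKCIPHER"

# opt_state FILE OPTION: print y, m, or off (commented out or absent).
# The "=" anchor keeps CONFIG_CRYPTO_USER_API from matching ..._AEAD and friends.
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-off}"
}

# check_config FILE: one line per option.
# Returns 0 if all are off, 1 if any is enabled, 2 if the file is unreadable.
check_config() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    rc=0
    for opt in $OPTS; do
        case $(opt_state "$1" "$opt") in
            y) echo "FAIL $opt=y (built in, a modprobe rule cannot block it)"; rc=1 ;;
            m) echo "FAIL $opt=m (module, can be blocked without a rebuild)"; rc=1 ;;
            *) echo "OK   $opt is not set" ;;
        esac
    done
    return "$rc"
}

# Constructed sample config, used when no path is given as the first argument.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_USER_API=m
CONFIG_CRYPTO_USER_API_HASH=y
# CONFIG_CRYPTO_USER_API_RNG is not set
CONFIG_CRYPTO_USER_API_AEAD=m
EOF

check_config "${1:-$sample}" || echo "RESULT: FAIL (status $?)"
```
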

What to Do If It’s Enabled

Option 1: Block the module (no recompilation)

If the option is set to m (module), you can block the module from loading; with y the code is built into the kernel and this method does not apply:

sudo tee /etc/modprobe.d/disable-algif.conf << 'EOF'
blacklist algif_aead
install algif_aead /bin/false
EOF

Check if the module is already loaded:

lsmod | grep algif_aead

If it is, the blacklist does not unload it; you need a reboot.

Option 2: Recompile the kernel

On your next build, disable the entire family:

scripts/config --disable CONFIG_CRYPTO_USER_API
scripts/config --disable CONFIG_CRYPTO_USER_API_AEAD
scripts/config --disable CONFIG_CRYPTO_USER_API_HASH
scripts/config --disable CONFIG_CRYPTO_USER_API_RNG
scripts/config --disable CONFIG_CRYPTO_USER_API_SKCIPHER
make oldconfig
make -j$(nproc)
sudo make modules_install install

Option 3: Wait for your distro’s patch

If you don’t build your own kernel, wait for your distribution’s security update. The fix is in mainline (commit a664bf3d603d). In the meantime, apply option 1.

Who’s Not Vulnerable

If CONFIG_CRYPTO_USER_API_AEAD is disabled, the exploit won’t work because you can’t open an AF_ALG socket with AEAD type. Even if CONFIG_CRYPTO_AEAD=y (kernel’s internal API), without the userspace interface the attacker has no way to reach it.


More about the vulnerability itself: CopyFail: 9 Years of Hidden Privilege Escalation in the Kernel
