CVE-2026-31431 Copy Fail: Rootless Containers Page Cache Attack

On April 29, 2026, security researchers disclosed CVE-2026-31431 (“Copy Fail”), a critical Linux kernel vulnerability that allows any unprivileged user to gain root access with a 732-byte Python script. The 9-year-old flaw affects virtually every Linux distribution since 2017, but its impact on rootless containers like Podman reveals an uncomfortable truth: user namespaces prevent host root escalation, but they don’t prevent container-to-container contamination via the shared page cache. For DevOps teams who’ve been told “rootless equals secure,” Copy Fail proves that’s only half the story.

Rootless Podman Containers: User Namespaces vs Page Cache Attacks

Rootless Podman containers rely on user namespace mapping to prevent privilege escalation. When you launch a container, Podman creates a namespace where container UID 0 (root) maps to an unprivileged host UID like 1000. The Copy Fail exploit runs successfully inside the container, granting “root” privileges—but only within the namespace. On the host, that “root” process remains UID 1000 with zero elevated permissions.

However, the page cache throws a wrench into the “rootless equals safe” narrative. As security researcher Andrea Veri explains, “While rootless containers prevent the attacker from escalating to host root, the page cache is still shared across the host. Containers that re-use the same base image layers share the same cached pages—if a malicious CI job corrupts a binary in the page cache, other containers launched from that same image could end up executing the poisoned version.”

This breaks container-to-container isolation without ever escaping the user namespace. For multi-tenant Kubernetes clusters or shared CI/CD environments, a malicious container can poison base images for other tenants. The attack surface isn’t the host—it’s every other container sharing those image layers.

# Inside rootless Podman container
root@container:/# id
uid=0(root) gid=0(root)

# On host: Container "root" maps to unprivileged user
$ ps aux | grep container-process
alice    12345  0.0  0.1  ...  (container UID 0 = host UID 1000)

# Copy Fail exploit runs → "root" inside namespace
# But on host: Still UID 1000 (unprivileged) → Cannot escape!

CVE-2026-31431 Explained: The 9-Year-Old Linux Kernel Flaw

CVE-2026-31431 is a logic flaw in the Linux kernel’s algif_aead module, introduced in 2017 as a performance optimization for Authenticated Encryption with Associated Data (AEAD) operations. The bug allows a controlled 4-byte write into the page cache via the AF_ALG cryptographic interface. By targeting setuid binaries like /usr/bin/su, an attacker corrupts the in-memory cached version—not the on-disk file—and gains root when a privileged process executes it.

The vulnerability is deterministic, not a race condition. Security firm Theori disclosed it publicly on April 29, 2026, after notifying the kernel team five weeks prior. The mainline kernel patch landed on April 1, 2026, but distributions are still rolling out updates. Affected kernels range from 4.14 (2017) through 6.19.12, with a CVSS score of 7.8 HIGH.

Palo Alto’s Unit 42 put it bluntly: “A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017.” That public proof-of-concept means every unpatched system is a sitting duck.

Cloud Provider Response to Copy Fail Vulnerability

Major cloud providers are racing to patch kernels and update security guidance. Azure noted that even though algif_aead isn’t loaded by default on AKS nodes, Linux’s module auto-loading mechanism loads it on demand when any unprivileged container creates an AF_ALG socket. Blacklisting the module doesn’t work if the kernel auto-loads it anyway.

Cloudflare’s security team captured the industry’s reckoning: “Shared-kernel multi-tenancy is riskier than it used to be. Isolation should rely on a hardware-or-VM boundary, not a namespace boundary.” AWS Lambda and Fargate, which use Firecracker microVMs with separate kernels per tenant, are immune to shared page cache attacks. Traditional container platforms aren’t.

Distribution patch status as of May 8, 2026: Arch Linux, Fedora, and Amazon Linux shipped patches at disclosure. SUSE, Red Hat, and Ubuntu are rolling out updates with mitigation guidance published. The security community’s takeaway: user namespaces are one layer of defense, not a complete solution.

How to Mitigate CVE-2026-31431: Patches and Security Measures

The permanent fix is upgrading to kernel 6.19.13 or later, which reverts the 2017 optimization that caused the flaw. Immediate mitigations include blacklisting the algif_aead module, running containers with --security-opt=no-new-privileges, and dropping all capabilities except those explicitly required.

For Kubernetes users, enabling user namespace support for pods (GA in OpenShift 4.20 as of March 2026) adds a critical isolation layer. The specification uses hostUsers: false in the pod security context to map container UIDs to unprivileged host ranges, containing exploits like Copy Fail within the namespace boundary.

# Immediate mitigation before patching
echo "blacklist algif_aead" | sudo tee -a /etc/modprobe.d/copyfail.conf

# Run Podman containers with restricted privileges
podman run --cap-drop=ALL --security-opt=no-new-privileges ubuntu bash

For multi-tenant environments, the bigger question is architectural. Containers sharing base image layers across trust boundaries need VM isolation (Firecracker, Kata Containers) or user-space kernels (gVisor) to prevent page cache contamination. User namespaces alone won’t cut it.

Key Takeaways

• Rootless containers prevent host root escalation but don’t eliminate container-to-container attacks via shared page cache
• CVE-2026-31431 is a 9-year-old deterministic kernel flaw with a public 732-byte exploit—patch to kernel 6.19.13+ immediately
• Cloud providers and the security community agree: shared-kernel multi-tenancy carries more risk than previously acknowledged
• Kubernetes users should enable user namespace support (OpenShift 4.20+) and drop unnecessary capabilities
• Multi-tenant platforms sharing base images need VM or hardware boundaries for true isolation, not just user namespaces

Copy Fail forces a reckoning: “rootless” doesn’t mean “isolated.” It means “no host root.” For organizations running shared container platforms, that distinction matters more than vendor marketing lets on.