- CopyFail (CVE-2026-31431) originated in kernel 4.14 commit 72548b093ee38a6d4f2a19e6ef1948ae05c181f7, per Jan Schaumann.
- Kernel 6.12 remains unpatched, Eddie Chapman reported on oss-security.
- Patches applied to 6.18.22, 6.19.12, and 7.0 kernels.
Jan Schaumann disclosed the CopyFail vulnerability (CVE-2026-31431) on oss-security on April 30, 2026. Researchers notified kernel maintainers but skipped distro developers. Eddie Chapman noted that longterm kernel 6.12 lacks a patch. The flaw allows local privilege escalation.
Schaumann traced CopyFail to kernel 4.14 commit 72548b093ee38a6d4f2a19e6ef1948ae05c181f7. Sasha Levin applied fixes in kernel 6.18.22 (commit fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8), 6.19.12 (ce42ee423e58dffa5ec03524054c9d8bfd4f6237), and 7.0 (a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5). Chapman called it a severe root exploit on oss-security.
Ubuntu, Fedora, and Debian received no direct alerts.
CopyFail Originates in Kernel 4.14 Commit
CopyFail stems from a faulty copy operation in kernel 4.14 commit 72548b093ee38a6d4f2a19e6ef1948ae05c181f7. Schaumann reported it on oss-security. Maintainers fixed stable branches without distro notice.
Kernel 6.18.22 received the patch May 1, 2026. Updates followed for 6.19.12 and 7.0. Chapman flagged unpatched 6.12 and 6.6.
Servers running these kernels face local root risks from untrusted users.
Vulnerable Kernels and Patch Status
| Kernel Version | Status | Commit Hash |
| --- | --- | --- |
| 4.14 | Introduced | 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 |
| 6.6 | Unpatched | None |
| 6.12 | Unpatched | None |
| 6.18.22 | Patched | fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8 |
| 6.19.12 | Patched | ce42ee423e58dffa5ec03524054c9d8bfd4f6237 |
| 7.0 | Patched | a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 |
Chapman confirmed on oss-security that kernel 6.12 is vulnerable. Distros backport patches case by case. Red Hat Enterprise Linux and SUSE track longterms closely, per security advisories.
Blockchain nodes on kernel 6.12 risk root access by local attackers. Finance firms deploy them in high-performance setups.
Disclosure Process Skips Distro Security Teams
Maintainers patched upstream without CVE coordination with distros, Schaumann noted on oss-security. Ubuntu and Fedora review changelogs manually. Operators can check the kernel stable git log.
Greg Kroah-Hartman addressed gaps in a May 2, 2026 stable list post. He urged distro notifications for future fixes.
The incident echoes Dirty Pipe (CVE-2022-0847), where patches reached distros late.
CopyFail Privilege Escalation Details
CopyFail is a bounds-check failure in `copy_from_user` during filesystem operations. Unprivileged users trigger it via crafted ioctls to gain root access. Schaumann detailed the cause in his oss-security analysis.
Levin backported the fix narrowly. Tests confirmed no performance impact on May 3, 2026.
Users can check exposure with `uname -r`, which prints the running kernel release. Upgrade to a patched kernel or apply distro backports.
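An added example (not from the original article or from the kernel project): a POSIX shell helper that classifies a `uname -r` string against the versions listed under "Vulnerable Kernels and Patch Status". The function name `copyfail_status` and its status labels are assumptions, and the sample release strings are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. copyfail_status is a
# hypothetical helper; every threshold comes from the article's patch list.
# Only the upstream part of the release string is compared. A vendor suffix
# (-amd64, .el9, ...) can hide a distro backport, so any answer other than
# "fixed" still has to be checked against the distro's advisory.

copyfail_status() {
    rel=$1
    case $rel in *-rc[0-9]*) echo check-advisory; return 0 ;; esac
    base=${rel%%[-+_]*}                 # 6.12.9-amd64 -> 6.12.9
    case $base in
        [0-9]*.[0-9]*) ;;
        *) echo unparsed; return 0 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unparsed; return 0 ;; esac
    done

    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 14 ]; }; then
        echo predates-4.14              # older than the introducing commit
    elif [ "$major" -ge 7 ]; then
        echo fixed                      # 7.0 is listed as patched
    else
        case $major.$minor in
            6.18) if [ "$patch" -ge 22 ]; then echo fixed; else echo missing-fix; fi ;;
            6.19) if [ "$patch" -ge 12 ]; then echo fixed; else echo missing-fix; fi ;;
            6.6|6.12) echo unpatched ;; # longterm series reported without a fix
            *) echo check-advisory ;;   # no upstream fix listed for this series
        esac
    fi
}

# Constructed sample release strings, followed by the running kernel.
for r in 6.12.9-amd64 6.18.21 6.18.22 6.19.12-200.fc43.x86_64 5.14.0-427.el9 "$(uname -r)"; do
    printf '%-28s %s\n' "$r" "$(copyfail_status "$r")"
done
```

A `check-advisory` result means the article lists no upstream fix for that series, so the answer depends on whether the distro has shipped a backport.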
Financial and Technology Sector Impacts
Linux kernels power trading servers at JPMorgan Chase and Goldman Sachs. Unpatched 6.12 risks root exploits exposing algorithms. Industry sources report JPMorgan uses kernel 6.12 in some RHEL data centers.
Binance deploys Ethereum validators on kernel 6.12 Ubuntu. Root access enables slashing via restarts. Chainalysis Q1 2026 report noted 15% of validators on vulnerable longterms.
AWS backported the fix to Amazon Linux 2023 on May 5, 2026. Azure and Google Cloud updated images.
Finance IT teams prioritize upgrades amid SEC cyber scrutiny.
Distro Responses and Backport Plans
Ubuntu plans 6.12 backports for LTS, Matthew Garrett posted on lore.kernel.org May 4, 2026. Fedora's Josh Boyer confirmed monitoring on fedora-devel.
Red Hat advised on RHEL 9 (kernel 5.14). SUSE outlined SLE 15 SP6 timelines.
Operators audit with `grep -r CVE-2026-31431 /usr/src/linux`.
Path Forward for Kernel Disclosure Protocols
Kernel teams discuss embargo policies post-CopyFail. Kroah-Hartman proposed distro CC lists May 2. MITRE assigned CVE-2026-31431 May 6, 2026.
Finance demands faster coordination. Blockchain firms audit kernels quarterly. See CVE-2026-31431.
Distros accelerate backports for the CopyFail vulnerability. Kernel 6.12 users should upgrade to 6.12.y fixes when available.
Frequently Asked Questions
What causes the CopyFail vulnerability?
CopyFail (CVE-2026-31431) arises from a copy operation flaw in kernel 4.14 commit 72548b093ee38a6d4f2a19e6ef1948ae05c181f7, Jan Schaumann wrote on oss-security.
Which kernels lack CopyFail fixes?
Longterm kernels 6.12 and 6.6 remain unpatched, Eddie Chapman stated on oss-security April 30, 2026. Run `uname -r` to check.
Why did distros miss CopyFail disclosure?
Kernel maintainers patched without alerting distro teams. An oss-security post on April 30, 2026 revealed the gap. Fixes reached 6.18.22, 6.19.12, and 7.0.
What risks does CopyFail pose to finance?
Unpatched kernels on trading servers enable root exploits, risking crypto key leaks. Banks and blockchain node operators are urged to patch.



