Informational
Advisory: Linux Kernel LPE - Copy Fail (CVE-2026-31431)
CVE(S): CVE-2026-31431
PRODUCT(S): Cloud Optix, Sophos Endpoint, Sophos Central, Sophos Email, Sophos Firewall, Sophos Home, Sophos RED, Sophos Switch, Sophos UTM, Sophos Wireless, SophosLabs Intelix
Updated: 2026 May 1
Article Version: 1
First Published: 2026 May 1
Publication ID: sophos-sa-20260501-copyfail
Workaround: No
Overview
On 29 April 2026, a high-severity vulnerability identified as CVE-2026-31431, also referred to as “Copy Fail”, was publicly disclosed in the Linux kernel. The vulnerability affects the algif_aead component of the kernel’s cryptographic subsystem and is associated with improper handling of in-place operations in the AF_ALG userspace crypto interface. Exploitation requires access to the AF_ALG userspace crypto interface.
The flaw allows a local unprivileged user to perform a controlled write into the kernel page cache of a readable file. Under certain conditions, this can be leveraged to modify the in-memory representation of setuid binaries and achieve local privilege escalation to root.
The issue originates from a logic flaw introduced in 2017 and affects a wide range of Linux kernel versions used across major distributions. Fixes have been released in updated kernel versions that revert the affected behaviour.
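For Linux hosts outside the product list below, the following added example (not Sophos or kernel project code) reports whether the algif_aead code path named above is built in, loaded, loadable or absent, without opening an AF_ALG socket. It assumes the upstream Kconfig symbol CONFIG_CRYPTO_USER_API_AEAD and the usual /boot/config-<release> or /proc/config.gz locations; the result describes reachability only and says nothing about whether the kernel carries the fix.

```python
import gzip
import os
import re

MODULE = "algif_aead"                     # component named in the advisory
KCONFIG = "CONFIG_CRYPTO_USER_API_AEAD"   # assumption: upstream symbol that builds it
# Constructed sample inputs (not captured from a real host).
SAMPLE_CONFIG = "CONFIG_CRYPTO_USER_API=m\nCONFIG_CRYPTO_USER_API_AEAD=m\n"
SAMPLE_MODULES = "algif_aead 16384 0 - Live 0x0\naf_alg 32768 1 algif_aead, Live 0x0\n"

def kconfig_state(config_text):
    """Return 'y', 'm' or 'n' for the AEAD user-API option in a kernel .config."""
    m = re.search(rf"^{KCONFIG}=([ym])\s*$", config_text, re.MULTILINE)
    return m.group(1) if m else "n"

def module_loaded(proc_modules_text):
    """True if algif_aead is a module name (first column) in /proc/modules text."""
    return any(line.split()[:1] == [MODULE] for line in proc_modules_text.splitlines())

def classify(config_text, proc_modules_text):
    """Reachability of the algif_aead code path; not a statement about patch level."""
    if config_text is None:               # no kernel config available on this host
        return "loaded" if module_loaded(proc_modules_text) else "unknown"
    state = kconfig_state(config_text)
    if state == "y":
        return "builtin"                  # always present, never listed in /proc/modules
    if module_loaded(proc_modules_text):
        return "loaded"
    return "loadable" if state == "m" else "absent"

def read_host():
    """Read the kernel config and /proc/modules from the running Linux host."""
    config_text = None
    for path, opener in ((f"/boot/config-{os.uname().release}", open),
                         ("/proc/config.gz", gzip.open)):
        try:
            with opener(path, "rt") as fh:
                config_text = fh.read()
            break
        except OSError:
            continue
    with open("/proc/modules") as fh:
        return config_text, fh.read()

if __name__ == "__main__":
    print("constructed sample:", classify(SAMPLE_CONFIG, SAMPLE_MODULES))
    print("this host:", classify(*read_host()))
```

A result of "builtin", "loaded" or "loadable" marks a host whose kernel package version should be compared against the distribution's fixed release.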
Are Sophos products affected?
The following products have been reviewed against CVE-2026-31431:
| Product or Service | Status | Description |
|---|---|---|
| Taegis | Not affected | Vulnerable code not in execute path |
| Cloud Optix | Not affected | Vulnerable code not in execute path |
| SG UTM (all versions) | Not affected | Vulnerable code not in execute path |
| Sophos Central | Not affected | Vulnerable code not in execute path |
| Sophos Endpoint Protection (Windows) | Not affected | Component not present |
| Sophos Endpoint Protection (macOS) | Not affected | Component not present |
| Sophos Endpoint Protection (Linux) | Not affected | Component not present |
| Sophos Email | Not affected | Vulnerable code not in execute path |
| Sophos Firewall (all versions) | Not affected | Vulnerable code not in execute path |
| SophosConnect Client | Not affected | Component not present |
| Sophos Home (Windows) | Not affected | Component not present |
| Sophos Home (macOS) | Not affected | Component not present |
| SophosLabs Intelix | Not affected | Vulnerable code not in execute path |
| Sophos Mobile | Not affected | Vulnerable code not in execute path |
| Sophos Mobile EAS Proxy | Not affected | Vulnerable code not in execute path |
| Sophos Mobile Control app (iOS + Android) | Not affected | Component not present |
| Sophos Intercept X for Mobile app (iOS + Android) | Not affected | Component not present |
| Sophos Secure Email app (iOS + Android) | Not affected | Component not present |
| Sophos Secure Workspace app (iOS + Android) | Not affected | Component not present |
| Sophos Chrome Security | Not affected | Component not present |
| Sophos RED | Not affected | Vulnerable code not in execute path |
| Sophos AP/APX (SFOS Managed) | Not affected | Vulnerable code not in execute path |
| Sophos AP/APX (Central Managed) | Not affected | Vulnerable code not in execute path |
| Sophos Wireless | Not affected | Vulnerable code not in execute path |
| Sophos DNS Protection | Not affected | Vulnerable code not in execute path |
| SUSI | Not affected | Component not present |
| AV Engine (all platforms) | Not affected | Component not present |
Related information:
Sophos Responsible Disclosure Policy
To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.