How Cloudflare Prepared for and Responded to the Copy Fail Linux Vulnerability

Last updated: 2026-05-17 09:25:45 · Cybersecurity

On April 29, 2026, the Copy Fail vulnerability (CVE-2026-31431) was publicly disclosed—a Linux kernel local privilege escalation flaw. Cloudflare's security and engineering teams immediately assessed the issue, reviewed the exploit technique, and determined that our existing behavioral detection systems could identify the attack pattern within minutes. Thanks to our proactive kernel update procedures, the vulnerability did not impact Cloudflare's environment, no customer data was at risk, and services remained uninterrupted. Below, we answer key questions about our response and the underlying technology.

What is the Copy Fail vulnerability and when was it disclosed?

The Copy Fail vulnerability, officially designated CVE-2026-31431, is a Linux kernel local privilege escalation flaw. It was publicly disclosed on April 29, 2026. The vulnerability resides in the kernel’s cryptographic subsystem, specifically within the AF_ALG socket family and the algif_aead module. An unprivileged user could exploit this by sending crafted input via system calls like splice() to trigger a use-after-free condition, potentially gaining elevated privileges. The discovery was made public by the security research group Xint Code, who provided a detailed write-up of the exploit technique.

How Cloudflare Prepared for and Responded to the Copy Fail Linux Vulnerability
Source: blog.cloudflare.com

How did Cloudflare initially respond to the disclosure?

As soon as the Copy Fail vulnerability was disclosed, Cloudflare’s Security and Engineering teams sprang into action. They reviewed the published exploit technique, evaluated the exposure across all infrastructure components, and validated that existing behavioral detection tools could identify the exploit pattern within minutes. The teams confirmed that no Cloudflare systems were affected, no customer data was compromised, and no services experienced any disruption. This rapid assessment was possible because Cloudflare had already patched the vulnerability weeks before the public disclosure, thanks to its rigorous Linux kernel update pipeline.

What is Cloudflare’s custom Linux kernel release process and how did it help?

Cloudflare operates a global network across 330 cities, running a custom Linux kernel based on Long-Term Support (LTS) versions from the community. They maintain multiple LTS series simultaneously—for example, versions 6.12 and 6.18. Security and stability updates are merged regularly, triggering an automated build process that generates new internal kernels roughly every week. These builds undergo testing in staging data centers before a global rollout. The Edge Reboot Release (ERR) pipeline then systematically updates edge infrastructure over a four-week cycle. By the time a CVE becomes public, the fix has typically been integrated into stable LTS releases for weeks and already deployed across Cloudflare’s fleet. At disclosure, most infrastructure ran 6.12 LTS, with some machines transitioning to 6.18 LTS.

How do the AF_ALG socket family and kernel crypto API relate to Copy Fail?

The Linux kernel’s internal crypto API provides the cryptographic primitives used by in-kernel consumers such as kTLS and IPsec. Userspace programs reach the same API through the AF_ALG socket family, which allows unprivileged processes to request encryption or decryption. The algif_aead module specifically supports Authenticated Encryption with Associated Data (AEAD) ciphers. An unprivileged program typically opens an AF_ALG socket, binds to an AEAD template, sets a key, accepts a request socket, submits input via sendmsg() or splice(), and then executes the operation with recvmsg(). The Copy Fail exploit abused a race condition within these operations, specifically during the splice() call, leading to a use-after-free that could be leveraged for privilege escalation.
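As an added illustration of the behavioral pattern the two passages above describe (an unprivileged process opening an AF_ALG socket and then calling splice() on it), here is a small detection heuristic run over auditd-style syscall records. This is example code written for this page, not Cloudflare's detection system or anything from the original post; the log lines, pids and process names are constructed, and the syscall numbers assume x86_64 hosts.

```python
import re

# Constructed, simplified auditd-style SYSCALL records for this example (not real telemetry).
# x86_64 syscall numbers: socket=41, splice=275. AF_ALG is address family 38 (0x26 in audit's hex a0).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1777430000.101:201): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 pid=4242 uid=1000 comm="a.out" exe="/tmp/a.out"
type=SYSCALL msg=audit(1777430000.102:202): arch=c000003e syscall=275 success=yes exit=4096 a0=5 a1=0 a2=6 pid=4242 uid=1000 comm="a.out" exe="/tmp/a.out"
type=SYSCALL msg=audit(1777430000.103:203): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 pid=5151 uid=1000 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1777430000.104:204): arch=c000003e syscall=275 success=yes exit=512 a0=3 a1=0 a2=4 pid=5151 uid=1000 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1777430000.105:205): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 pid=6060 uid=0 comm="ktls-helper" exe="/usr/sbin/ktls-helper"
type=SYSCALL msg=audit(1777430000.106:206): arch=c000003e syscall=275 success=yes exit=4096 a0=4 a1=0 a2=5 pid=6060 uid=0 comm="ktls-helper" exe="/usr/sbin/ktls-helper"
"""

SYS_SOCKET, SYS_SPLICE = 41, 275  # x86_64 syscall numbers (assumption: x86_64 hosts)
AF_ALG = 38                       # address family of the kernel crypto API sockets

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into a dict of key=value fields, unquoting quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def find_af_alg_splice(log_text):
    """Return alerts for unprivileged processes that open an AF_ALG socket and later call splice().

    This mirrors the shape of the Copy Fail pattern described on the page; root-owned
    AF_ALG users and ordinary splice() callers that never opened AF_ALG are not flagged.
    """
    af_alg_pids = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        pid, uid, nr = rec["pid"], int(rec["uid"]), int(rec["syscall"])
        if nr == SYS_SOCKET and int(rec["a0"], 16) == AF_ALG:
            af_alg_pids.add(pid)
        elif nr == SYS_SPLICE and pid in af_alg_pids and uid != 0:
            alerts.append({"pid": pid, "uid": uid, "comm": rec["comm"], "exe": rec["exe"]})
    return alerts

if __name__ == "__main__":
    for a in find_af_alg_splice(SAMPLE_AUDIT):
        print(f"ALERT pid={a['pid']} uid={a['uid']} comm={a['comm']} exe={a['exe']}")
```

Any unprivileged program that legitimately feeds an AF_ALG socket via splice() would also match, so in practice this is one signal to correlate with others rather than a standalone verdict.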

Why was Cloudflare’s infrastructure not impacted by Copy Fail?

Cloudflare’s infrastructure was not impacted because the fix for CVE-2026-31431 had already been integrated into the upstream Linux LTS releases and subsequently deployed through Cloudflare’s automated kernel update process. The company’s custom kernel builds, tested in staging environments and rolled out via the ERR pipeline, ensured that all machines—whether running the 6.12 LTS or the newer 6.18 LTS series—received the patch weeks before the public disclosure. Additionally, Cloudflare’s behavioral detection systems were already capable of spotting the exploit pattern, further reducing any residual risk. This combination of proactive patching and monitoring meant no services were disrupted and no customer data was exposed.

What lessons or measures did Cloudflare take from this incident?

The Copy Fail incident reinforced Cloudflare’s commitment to its existing security practices. The company’s rapid assessment confirmed that its automated kernel build and release pipeline effectively mitigated the vulnerability. Key takeaways include the importance of staying aligned with upstream LTS releases, maintaining a regular patching cadence, and using behavioral detection systems to identify novel exploit patterns. Cloudflare also continues to review its infrastructure for any similar attack vectors, such as those involving the AF_ALG subsystem. The incident validated the strategy of deploying fixes long before public disclosure, ensuring that the global network remains resilient against emerging threats without requiring emergency action.