CVE-2026-31431 Copy Fail
TLDR - Quick Summary
What: CVE-2026-31431 ("Copy Fail") is a high-severity Linux kernel local privilege escalation vulnerability affecting every kernel released since 2017. CVSS 7.8.
Affected versions: SFTP Gateway 3.8.2 and earlier. The next SFTP Gateway release will include the patched kernel.
Quick Fix: Disable the vulnerable algif_aead kernel module via /etc/modprobe.d/disable-algif-aead.conf, then run sudo modprobe -r algif_aead. No reboot required and no impact on SFTP Gateway functionality.
Note: SFTP users connecting through SFTP Gateway do not get a shell, so the exploit is not reachable via SFTP authentication alone. The realistic exposure is anyone who already has shell or console access on the host.
Overview
CVE-2026-31431 was disclosed on April 29, 2026 as a local privilege escalation flaw in the Linux kernel's algif_aead cryptographic module. An unprivileged local user can perform a deterministic 4-byte write into the page cache of any readable filesystem and use it to flip the setuid bit on a binary, gaining root in seconds. The flaw was introduced in 2017 and affects every Linux distribution shipping a kernel since then.
This article provides remediation guidance for SFTP Gateway 3.8.2 and earlier, running on Amazon Linux 2023 (AWS) and Ubuntu 22.04 / 24.04 LTS (Azure, GCP, Alibaba). The next SFTP Gateway release will ship with the patched kernel baked into the base image; customers who upgrade to that release will not need to apply the mitigation below.
(Last updated 5/5/2026)
Manual Remediation
Apply this mitigation as root on each SFTP Gateway VM. It blocks the exploit immediately, requires no reboot, and has no impact on SFTP Gateway functionality.
sudo tee /etc/modprobe.d/disable-algif-aead.conf >/dev/null <<'EOF'
install algif_aead /bin/false
blacklist algif_aead
EOF
sudo modprobe -r algif_aead 2>/dev/null || true
Verify the module is no longer loaded:
lsmod | grep algif_aead
The command should return nothing.
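Added example, not part of ThornTech's published steps: the modprobe -r line above discards its error output and always succeeds, so a module that is still in use stays loaded without any message. The shell functions below check both halves of the mitigation (the install rule and the unloaded state); the function names and the overridable directory and modules-file arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the algif_aead mitigation on one host.
# Both paths are arguments (hypothetical interface) so the checks can also be
# run against constructed fixtures; the defaults are the real system paths.

# Succeeds if some *.conf file holds the "install algif_aead /bin/false" rule.
has_install_block() {
    dir=${1:-/etc/modprobe.d}
    # modprobe treats '-' and '_' in module names as equivalent.
    grep -Eqs '^[[:space:]]*install[[:space:]]+algif[-_]aead[[:space:]]+/bin/false([[:space:]]|$)' \
        "$dir"/*.conf
}

# Succeeds if algif_aead is listed as loaded (same data lsmod reads).
module_loaded() {
    grep -Eqs '^algif_aead[[:space:]]' "${1:-/proc/modules}"
}

# Prints one line per check; succeeds only if the rule exists AND the module
# is not loaded.
audit_copy_fail_mitigation() {
    conf_dir=${1:-/etc/modprobe.d}
    rc=0
    if has_install_block "$conf_dir"; then
        echo "OK   install rule present in $conf_dir"
    else
        echo "FAIL no 'install algif_aead /bin/false' rule in $conf_dir"
        rc=1
    fi
    if module_loaded "${2:-/proc/modules}"; then
        echo "FAIL algif_aead still loaded; 'modprobe -r' may have failed (module in use)"
        rc=1
    else
        echo "OK   algif_aead not loaded"
    fi
    return "$rc"
}

# Constructed fixture: rule written, but the module is still resident.
demo_partial_mitigation() {
    tmp=$(mktemp -d) || return 2
    printf 'install algif_aead /bin/false\nblacklist algif_aead\n' \
        > "$tmp/disable-algif-aead.conf"
    printf 'algif_aead 16384 1 - Live 0x0000000000000000\n' > "$tmp/modules"
    audit_copy_fail_mitigation "$tmp" "$tmp/modules"
    status=$?
    rm -rf "$tmp"
    return "$status"
}
```

On a gateway VM, call audit_copy_fail_mitigation with no arguments; a non-zero exit status means at least one of the two checks failed.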
Other Mitigation Steps
Apply the Distribution Kernel Patch (When Available)
Once Amazon Linux 2023 and Ubuntu publish patched kernel packages, apply them via a normal package upgrade and reboot. As of the publication date of this article, neither distribution has shipped a fix; ThornTech is tracking both advisories.
For AWS (Amazon Linux 2023):
sudo dnf upgrade -y kernel
sudo reboot
For Azure, GCP, and Alibaba (Ubuntu):
sudo apt-get update
sudo apt-get -y full-upgrade
sudo reboot
The reboot will interrupt in-flight SFTP transfers; schedule a maintenance window.
Upgrade to a New SFTP Gateway Release
ThornTech will publish the next SFTP Gateway release (after 3.8.2) with the patched kernel baked into the base image. If you prefer to redeploy from a fresh image rather than patching in place, you can wait for that release.
Track Vendor Advisories
- Amazon Linux 2023: https://explore.alas.aws.amazon.com/CVE-2026-31431.html
- Ubuntu (22.04 and 24.04): https://ubuntu.com/security/CVE-2026-31431