CVE-2026-31431 (Copy Fail)
Status: Advisory
Affected products: TrueNAS CE/Enterprise (CE and Enterprise)
Severity (TrueNAS-adjusted): Medium
Upstream severity: High (local privilege escalation in Linux kernel)
CVE-2026-31431, publicly disclosed as “Copy Fail,” is a vulnerability in the Linux kernel’s AF_ALG userspace cryptographic interface. It affects the authencesn AEAD template combined with the AF_ALG socket family’s in-place buffer optimization and splice path. An unprivileged local user with the ability to open AF_ALG sockets and invoke splice() against a file descriptor can produce a controlled write into the kernel page cache. By targeting the cached pages of a setuid binary, an attacker can corrupt that binary’s executable image and obtain root privileges on the host kernel when the binary is next executed.
The vulnerability resides entirely in the kernel’s crypto subsystem and is not specific to any TrueNAS feature, service, or middleware path.
TrueNAS CE/Enterprise ships a Debian-derived Linux kernel that includes the affected authencesn template and the AF_ALG userspace interface. Per the SCALE kernel configuration (CONFIG_CRYPTO_USER_API_AEAD=m, CONFIG_CRYPTO_AUTHENC=m), these components are loadable modules. They are autoloaded on demand the first time any local process issues socket(AF_ALG, ...) followed by bind() against an AEAD algorithm, so all running TrueNAS CE/Enterprise systems on unpatched kernels expose the vulnerable code surface to any local process that exercises that path.
TrueNAS does not use the AF_ALG AEAD interface (the surface affected by CVE-2026-31431) in any shipped storage, replication, encryption, networking, sharing, or middleware function. The TrueNAS middleware, Samba, SSSD, nfs-utils, OpenSSH, and OpenZFS data paths all transit either the in-kernel crypto API directly or userspace cryptographic libraries (OpenSSL, GnuTLS, MIT krb5); none of these paths open algif_aead sockets.
The mitigation specified below disables only the algif_aead initcall.
The vulnerability requires local code execution on the TrueNAS host as a precondition. It is not remotely exploitable. It does not enable network-borne attacks against SMB, NFS, iSCSI, NVMe-oF, S3, or the WebUI/API (midclt) from off-host clients. There is no exposure to TrueNAS storage clients, virtualization guests reachable only via shared protocols, or remote administrators authenticated through the WebUI.
In a stock TrueNAS appliance deployment — a dedicated storage node administered through the WebUI by trusted operators, with no untrusted shell users, no third-party container or VM workloads, and no public-facing services granting code execution — the practical risk introduced by this vulnerability is low. An attacker capable of running arbitrary local code on a TrueNAS host has already breached the system’s principal trust boundary; the additional escalation from non-root local user to root via this kernel flaw provides only a marginal increase in attacker capability.
The risk is materially higher in deployments that intentionally permit untrusted local code execution on the TrueNAS host. The relevant scenarios are:
- TrueNAS hosts running user-supplied applications, sandboxes, or containers where a tenant could obtain a non-root shell.
- TrueNAS hosts running guest virtual machines configured with shared kernel features (paravirtualized constructs that expose the host kernel ABI to the guest); standard hardware-virtualized guests under KVM are not affected.
- TrueNAS hosts where multiple administrators with non-root local accounts are provisioned and where privilege separation between those accounts is part of the security model.
For these deployments, TrueNAS classifies the exposure as moderate and recommends prompt mitigation.
The published proof-of-concept targets /usr/bin/su. TrueNAS CE/Enterprise includes su, sudo, and other setuid binaries in the standard system path; the exploit primitive is therefore directly portable to TrueNAS without modification. The exploit does not require any TrueNAS-specific prerequisite, configuration, or feature.
Setuid binaries stored on ZFS are not exploitable via this primitive. ZFS implements splice_read using copy_splice_read, which allocates fresh pipe-buffer pages and copies file data into them rather than handing the pipe references to the file’s cached pages. The 4-byte page-cache write the exploit produces therefore lands in ephemeral pipe-buffer pages and leaves the underlying ZFS-resident file unchanged.
The TrueNAS HA pairing model uses configuration replication between controllers. A mitigation applied through system.advanced.update propagates to the standby controller and survives controller failover. A mitigation applied only at runtime (for example, via rmmod or temporary modprobe.d entries) does not propagate and does not survive a reboot or controller failover.
The following mitigation is available for customers who have not yet upgraded to TrueNAS 25.10.3.1.
Persistent mitigation (recommended): Disable the kernel algif_aead initcall via the supported advanced-settings interface. This single command applies to the running configuration and persists across reboots and HA failover:
midclt call system.advanced.update '{"kernel_extra_options": "initcall_blacklist=algif_aead_init"}'
A reboot is required for the kernel parameter to take effect. After reboot, the AF_ALG AEAD interface is unavailable and the vulnerable code path cannot be reached from userspace. No TrueNAS feature is degraded by this change.
Verification:
cat /proc/cmdline | grep initcall_blacklist
dmesg | grep -i 'blacklisting initcall algif_aead_init'
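A stricter form of the verification step, as an added example that is not part of the advisory or of TrueNAS code: it requires an exact algif_aead_init entry in an initcall_blacklist= list, and it distinguishes a mitigation that is configured but not yet booted. The function names, the --check flag and the state labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not TrueNAS code): strict check for the Copy Fail mitigation.

# Succeed if the kernel command line in $1 names algif_aead_init in an
# initcall_blacklist= parameter. The value is a comma-separated list and an
# entry must match exactly, so a blacklist for another initcall does not count.
# Runs in a subshell so the IFS and globbing changes stay local.
aead_initcall_blacklisted() (
    set -f                      # no pathname expansion while splitting $1
    for param in $1; do
        case $param in
            initcall_blacklist=*)
                IFS=,
                for fn in ${param#initcall_blacklist=}; do
                    if [ "$fn" = "algif_aead_init" ]; then exit 0; fi
                done
                ;;
        esac
    done
    exit 1
)

# Print the mitigation state.
#   $1 = configured kernel_extra_options value (may be empty)
#   $2 = command line of the running kernel
mitigation_state() {
    if aead_initcall_blacklisted "$2"; then
        echo active             # the running kernel booted with the blacklist
    elif aead_initcall_blacklisted "$1"; then
        echo pending-reboot     # configured, but this boot predates the change
    else
        echo missing
    fi
}

# On the host: sh this-script --check '<configured kernel_extra_options>'
# Exits non-zero unless the running kernel has the mitigation active.
if [ "${1:-}" = "--check" ]; then
    state=$(mitigation_state "${2:-}" "$(cat /proc/cmdline)")
    echo "algif_aead mitigation: $state"
    [ "$state" = "active" ]
fi
```

Running the check on both controllers of an HA pair after the reboot confirms that the setting was applied persistently rather than only at runtime.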
Reversion (after upgrading to TrueNAS 25.10.3.1 or later):
midclt call system.advanced.update '{"kernel_extra_options": ""}'
The upstream kernel patch is included in TrueNAS 25.10.3.1. Customers running 25.10.3.1 or later do not require the mitigation and may revert it if previously applied. Customers on earlier releases should apply the mitigation above and upgrade at the earliest opportunity. TrueNAS customers should monitor the security advisory page at https://security.truenas.com .
- Upstream technical writeup: https://xint.io/blog/copy-fail-linux-distributions
- Public proof-of-concept: https://github.com/theori-io/copy-fail-CVE-2026-31431
- Red Hat advisory (related platform): RHSA-2026:3855
- TrueNAS security advisories: https://security.truenas.com