FAQ: Is the zenon Software Platform affected by CVE-2026-31431 (CopyFail)?
- Affects most Linux kernels released from about 2017 up to the patched releases; widely present across distributions
- The vulnerability is a logic flaw in the kernel crypto path (AF_ALG / algif_aead) that enables deterministic local privilege escalation
- The zenon Software Platform's container images do not contain a Linux kernel (containers run on the host's kernel); Asset Owners are advised to check the underlying Linux infrastructure on which the zenon Software Platform is deployed
As a software manufacturer, COPA-DATA takes security and the protection of its customers and partners very seriously.
What is the vulnerability called "CopyFail"?
CopyFail (CVE-2026-31431) is a local privilege escalation vulnerability in the Linux kernel's userspace crypto interface. It stems from an unsafe in-place optimization introduced in 2017 inside the AF_ALG/algif_aead code path. By abusing the interaction between the AF_ALG socket interface and the splice() system call, an unprivileged local user can force a small, controlled overwrite into the kernel page cache of any file that user can read. Because the overwrite occurs only in memory, the on-disk file is unchanged, but running binaries or kernel-managed structures served from that cached copy can be corrupted in a way that gives the attacker root privileges.
Key properties
- The attack vector is local: it requires only the ability to execute code as an unprivileged user on a vulnerable kernel with the affected crypto module (algif_aead) loaded or built in.
- Not remotely exploitable by itself, but extremely dangerous when combined with any initial access (SSH, a container or CI job, a compromised build runner, etc.).
- Exploits are compact, reliable, and deterministic (no complex races). Because all containers on a host share the host kernel and therefore its page cache, container breakout and cross-tenant impact are possible.
Ing. Punzenberger COPA-DATA GmbH does not deliver a Linux kernel as part of the container images for the zenon Software Platform on Linux; a container always runs on the kernel of the host it is deployed on. Therefore the zenon Software Platform is not directly affected by this vulnerability. COPA-DATA still recommends that Asset Owners or System Integrators deploying the zenon Software Platform on Linux check whether the underlying Linux infrastructure is affected by CopyFail (CVE-2026-31431).
Recommended Mitigations
Practical mitigations summary:
- Apply official kernel patches and reboot nodes.
- If patching is not yet possible, disable or block AF_ALG usage for untrusted workloads.
- Treat any container RCE as a node compromise, isolate and recycle nodes, and review multi‑tenant hosts for signs of misuse.
Inventory and prioritization
Identify systems running vulnerable kernels and whether the algif_aead/AF_ALG facility is available on them (loaded as a module, or compiled into the kernel). Prioritize internet-facing hosts, multi-tenant nodes, and any host on which untrusted users or CI jobs can execute code.
Patch and upgrade
Apply vendor kernel updates immediately where available and reboot nodes as required. If a vendor patch is not yet applied, treat the system as high risk and apply interim controls (see below).
Interim controls
Prevent untrusted workloads from creating AF_ALG sockets (a seccomp/BPF rule in the container runtime profile that returns an error for socket() calls whose address family is AF_ALG, or an equivalent platform policy).
Blacklist or unload the affected kernel module (algif_aead) where feasible. Note that a plain modprobe `blacklist` entry only suppresses alias-based autoloading and does not unload a module that is already loaded; an `install algif_aead /bin/false` line in modprobe.d is the stronger form, and a reboot (or explicit module removal) during a maintenance window is still required. If CONFIG_CRYPTO_USER_API_AEAD is built into the kernel (=y in the kernel config) the module cannot be removed, and seccomp or patching are the only effective controls.
Assume any container RCE indicates possible host compromise: isolate affected containers/nodes and replace them rather than attempting in-place remediation.
Review logs and recent process activity for signs of local escalation (for example unprivileged processes unexpectedly gaining root, or, where auditing is in place, untrusted workloads opening AF_ALG sockets).
Hardening recommendations
Enforce seccomp/BPF filters that deny socket() calls for the AF_ALG address family (value 38 on Linux) for untrusted workloads; the crypto type is only selected by a later bind() on such a socket, so denying socket creation is sufficient.
Disable unprivileged user namespaces where practical.
Reduce container capabilities and lock down mount namespaces to least privilege.
Apply network segmentation and access controls to limit which users and jobs can run arbitrary code.
References
- NVD - CVE-2026-31431
- Copy Fail — CVE-2026-31431
- Copy Fail: 732 Bytes to Root on Every Major Linux Distribution (Xint)
The content of these links is not managed by Ing. Punzenberger COPA-DATA GmbH.