Security

Linux Kernel Local Privilege Escalation (LPE)

Summary

CVE-2026-31431, also referred to as “Copy Fail,” is a local privilege escalation (LPE) vulnerability affecting the Linux kernel’s cryptographic subsystem. This vulnerability is a variant of splice-based page cache corruption (Dirty Pipe family, CVE-2022-0847) and exploits a flaw in how the kernel handles splice() operations targeting AF_ALG AEAD (Authenticated Encryption with Associated Data) sockets.

Resolution / Mitigation

The impacted kernel module, algif_aead, is present in Barracuda CloudGen Firewall and SecureEdge, and is not included in any other Barracuda appliances. Barracuda will release updated firmware for CloudGen Firewall and SecureEdge in the coming weeks as part of the next scheduled maintenance release. This update will disable the affected module. Because root access is required for normal operation on these appliances, the existence of a privilege escalation vulnerability does not significantly reduce the security of the appliance. 

Barracuda is actively patching kernels in production for its software-as-a-service offerings. Additionally, as a precautionary measure, a patch is being deployed to prevent the loading of the module on unaffected Barracuda appliances, thereby futureproofing and strengthening them against potential attacks.

Recommended Action

If self-hosting an appliance, apply the available patch/hotfix to ensure algif_aead is blocked from being loaded.
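
To confirm the result on a generic Linux host, the following added example (not Barracuda's hotfix or tooling) reports whether algif_aead is currently loaded and whether a modprobe.d rule actually prevents it from loading. It assumes the module is built as a loadable module and that the standard modprobe.d directories are in use; the function names and verdict strings are this example's own.

```shell
#!/bin/sh
# Added example (not vendor code): audit a generic Linux host for algif_aead.
# Assumes algif_aead is a loadable module, not built into the kernel.
MOD=algif_aead

# is_loaded FILE: succeed if MOD is listed in a /proc/modules-format file.
is_loaded() {
    awk -v m="$MOD" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# block_kind DIR...: print the strongest modprobe.d rule found for MOD.
#   install   = "install MOD /bin/false" (or /bin/true): load by name fails
#   blacklist = only alias-based autoloading is suppressed
#   none      = no rule
block_kind() {
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            if [ -f "$f" ]; then cat "$f"; echo; fi
        done
    done | awk -v m="$MOD" '
        { sub(/#.*/, ""); name = $2; gsub(/-/, "_", name) }
        name != m { next }
        $1 == "install" && $3 ~ /^\/(usr\/)?bin\/(false|true)$/ { inst = 1 }
        $1 == "blacklist" { bl = 1 }
        END { print (inst ? "install" : (bl ? "blacklist" : "none")) }'
}

# audit MODULES_FILE DIR...: print LOADED, BLOCKED, WEAK or LOADABLE.
audit() {
    mods=$1; shift
    if is_loaded "$mods"; then echo LOADED; return 0; fi
    case "$(block_kind "$@")" in
        install)   echo BLOCKED ;;
        blacklist) echo WEAK ;;
        *)         echo LOADABLE ;;
    esac
}

# Run against the live system only when called as: sh audit.sh live
if [ "${1:-}" = live ]; then
    audit /proc/modules /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d
fi
```

A LOADED verdict means the module is already resident, so a block rule only takes effect after it is unloaded or the host is rebooted.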

Where to Get the Patch

Patches and hotfixes for this advisory are available through Barracuda support and update channels for your specific appliance or software version.
