How to Detect Copy Fail Vulnerability (CVE-2026-31431)
This guide explains how to use the Txlog Agent to diagnose if your server is affected by the CVE-2026-31431 vulnerability, also known as "Copy Fail".
Run the Diagnostic Tool
To perform a safe, non-destructive check on your local system, run the following command:
txlog copyfail
Understand the Diagnostic Phases
The diagnostic tool performs two distinct tests to determine the risk level of your server.
Phase 1: Proof of Bug
The agent attempts to trigger the page cache write bug using a temporary file in /tmp.
- Success: If the file content remains unchanged, your kernel is patched and safe.
- Failure: If the agent detects that it successfully wrote to the page cache through the AF_ALG interface, your kernel is vulnerable.
Phase 2: Escalation Potential
If Phase 1 confirms the bug, the agent then checks if the vulnerability can be used to gain root privileges.
- It identifies accessible setuid-root binaries (like /usr/bin/sudo or /usr/bin/passwd).
- It verifies if the splice pipeline can be established with these binaries.
- Important: This phase is read-only. It never writes to system files or actually attempts to escalate privileges.
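To review the same exposure by hand, the following added example (not Txlog Agent code) takes a read-only inventory of setuid-root regular files in common binary directories. The directory list, the function name, and reading "accessible" as "readable by the current user" are assumptions; the script does not touch AF_ALG or splice and does not test for the bug.

```python
import os
import stat

# Assumed search roots; adjust to the filesystem layout of your hosts.
DEFAULT_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin")


def find_setuid_binaries(dirs=DEFAULT_DIRS, owner_uid=0):
    """List regular files owned by owner_uid that carry the setuid bit.

    Read-only: uses lstat() and access() only and never opens a file.
    """
    seen, results = set(), []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in sorted(files):
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue  # vanished or unreadable entry
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, devices, sockets
                if st.st_uid != owner_uid or not st.st_mode & stat.S_ISUID:
                    continue
                key = (st.st_dev, st.st_ino)
                if key in seen:
                    continue  # /bin -> /usr/bin or hard links: report once
                seen.add(key)
                results.append({
                    "path": path,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    # Assumption: "accessible" means readable by this user.
                    "readable": os.access(path, os.R_OK),
                })
    return results


if __name__ == "__main__":
    for entry in find_setuid_binaries():
        state = "readable" if entry["readable"] else "not readable"
        print(f'{entry["mode"]:>7}  {state:<12}  {entry["path"]}')
```

Run it as the unprivileged account you are assessing, since the readable column depends on the calling user.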
Automatic Reporting
When you run txlog build, the agent automatically performs this check in the background and sends the results to the Txlog Server.
View Status on Server
You can find the vulnerability status of your entire fleet on the Txlog Server dashboard. Assets that are vulnerable will be marked with a 🚨 Critical Vulnerability badge.
Mitigation Steps
If your system is reported as vulnerable:
- Update your kernel: Install the latest security patches provided by your OS vendor.
- Reboot: A system restart is required to apply the new kernel.
- Verify: Run txlog copyfail again after the reboot to confirm the fix.
