CVE-2026-31431 — copy fail
CVE-2026-31431, also known as "copy fail", was announced on the 30th of April, 2026.
It is a Linux kernel vulnerability in the crypto: algif_aead module, which
incorrectly performed in-place cryptographic operations even though the source and
destination came from different memory mappings (CWE-669). It has been assigned a CVSS score
of 7.8 (HIGH).
Impact to LiquidFiles
Does this impact LiquidFiles? No.
CVE-2026-31431 requires local shell access to the system to exploit
(CVSS vector: AV:L/AC:L/PR:L/UI:N). An attacker would need an OS-level account
with shell access on the server itself.
LiquidFiles application users do not have shell access to the underlying operating system — they interact exclusively through the web interface. Shell access is restricted to system administrators only, who are already fully trusted. There is no path from the LiquidFiles application layer to the kernel's AEAD cryptographic interface.
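The assessment above rests on two facts an administrator can confirm on the server: which OS accounts have a login shell, and whether algif_aead is currently loaded. The following is an added example, not LiquidFiles' own tooling; the function names and report format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: exposure check for a local-only (AV:L/PR:L) kernel issue.
# Both file arguments default to the live system; pass sample files to test.

# Print accounts whose login shell (passwd field 7) is interactive.
# An empty field means the default shell, so it is counted as interactive.
# This is a conservative list: a locked account with a shell is still shown.
shell_accounts() {
    awk -F: 'NF >= 7 && $7 !~ /(nologin|false|sync)$/ { print $1 }' \
        "${1:-/etc/passwd}"
}

# Return 0 if algif_aead is listed in a /proc/modules-format file.
# Absence is not proof of unreachability: the module may be built in, or
# loaded on demand when an AF_ALG socket is bound.
aead_module_loaded() {
    grep -q '^algif_aead ' "${1:-/proc/modules}" 2>/dev/null
}

# Summarise kernel version, module state and shell-capable accounts.
exposure_report() {
    passwd_file="${1:-/etc/passwd}"
    modules_file="${2:-/proc/modules}"
    accounts=$(shell_accounts "$passwd_file" | paste -sd ' ' -)
    if aead_module_loaded "$modules_file"; then
        state="loaded"
    else
        state="not loaded"
    fi
    printf 'kernel: %s\n' "$(uname -r)"
    printf 'algif_aead: %s\n' "$state"
    printf 'accounts with a login shell: %s\n' "${accounts:-none}"
}

exposure_report "$@"
```

Every account listed should belong to a trusted system administrator; compare the reported kernel version against the Ubuntu security tracker entry for this CVE.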
When will this be fixed
While LiquidFiles itself is not exposed to this vulnerability, we always recommend keeping the underlying system up to date. If you have Automatic Updates enabled as recommended, your system will be updated automatically once Canonical releases a patched kernel for Ubuntu 22.04 LTS.
You can check the current patch status on the Ubuntu security tracker.