# Copy Fail: Why Every Laravel Server Needs a Kernel Update Right Now (CVE-2026-31431)

> A local privilege escalation vulnerability in the Linux kernel affects every server running a kernel from 2017 onward. Laravel Forge has issued a specific advisory. The exploit is 732 bytes, works reliably, and is active in the wild. Here is what Laravel teams need to do.

**Author:** Matt King | **Published:** May 26, 2026 | **Category:** Security

---

If you run your Laravel application on Laravel Forge, or on any Ubuntu or Debian VPS provisioned after 2017, you need to read this. A kernel-level privilege escalation vulnerability was disclosed on April 30, 2026 that affects virtually every Linux server in production today. It carries a CVSS score of 7.8, there is a working exploit in the wild, and the Laravel Forge team has already published a specific security advisory because all Forge-provisioned servers are affected.

---

## What Is Copy Fail?

CVE-2026-31431, nicknamed "Copy Fail", is a local privilege escalation (LPE) vulnerability in the Linux kernel's cryptographic subsystem. It affects all Linux kernels released since 2017, which means nine years of production servers are in scope.

The exploit chains three kernel subsystems together in a sequence that was never intended:

1. **authencesn** is the kernel's authenticated encryption subsystem. It has a flaw in the way it reports errors when an operation fails mid-stream.
2. **AF_ALG sockets** are the kernel's interface for exposing cryptographic operations to userspace programs.
3. **`splice()`** is a Linux system call for moving data between file descriptors without copying it through userspace.

When an attacker sends a crafted cryptographic request through an AF_ALG socket and uses `splice()` to move the data, authencesn hits its error path incorrectly. The kernel ends up in a state where memory it has freed is still accessible and writable. From there, an attacker can overwrite kernel data structures to escalate their privileges to root.

The exploit that achieves this reliably is 732 bytes of code. It is not theoretical. It has been demonstrated in the wild.

---

## Why Laravel Developers Should Care

You might be thinking: "This is a local privilege escalation. An attacker needs to already be on my server to exploit it."

That is true. But that is exactly the problem.

The realistic attack chain for a Laravel application looks like this: a vulnerability in your application, whether it is a dependency with a known RCE, an exposed debug endpoint, a file upload flaw, or a deserialization issue, gives an attacker a foothold as the `www-data` user. Copy Fail turns that local access into root. From root, the attacker can read every secret on the server, install persistent backdoors, pivot to your database, and exfiltrate everything.

The Laravel Forge team recognised this immediately. Their security advisory specifically calls out that all Forge-provisioned servers run Ubuntu, and all Ubuntu versions shipping kernels from 5.4 onward are affected.

---

## Which Servers Are Affected

- **Laravel Forge servers**: All Forge-provisioned servers running Ubuntu 20.04, 22.04, or 24.04.
- **Laravel Vapor**: Any EC2 instances you use for queues, scheduled tasks, or RDS jump hosts.
- **Custom VPS**: Any DigitalOcean, Linode, Vultr, Hetzner, or bare-metal server running a Linux kernel from 2017 onward.
- **CI runners**: Self-hosted GitHub Actions runners, GitLab CI runners, or Jenkins agents on Linux.
- **Docker hosts**: The exploit targets the host kernel, which all containers share.

---

## How to Check and Patch

**Step 1: Check your kernel version**

```bash
uname -r
```

For Ubuntu, patched versions are:
- Ubuntu 24.04 (Noble): `6.8.0-60-generic` and later
- Ubuntu 22.04 (Jammy): `5.15.0-130-generic` and later
- Ubuntu 20.04 (Focal): `5.4.0-216-generic` and later

**Step 2: Update immediately**

```bash
sudo apt update && sudo apt upgrade -y
```

Then reboot to load the new kernel:

```bash
sudo reboot
```

Confirm the new kernel after reboot:

```bash
uname -r
```

**Step 3: Update all your servers**

If you manage multiple servers through Forge, do not just patch one. Work through all of them. Pay particular attention to older servers that may not have had routine maintenance recently.

**Step 4: Enable automatic security updates**

```bash
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
```

---

## The Attack Chain: From Web Shell to Root

To make this concrete, here is how an attacker would realistically chain an application vulnerability with Copy Fail.

Suppose your application is running an outdated version of a Livewire package, or has an exposed Telescope endpoint. The attacker gets code execution as `www-data`.

With a basic web shell as `www-data`, they now have:

- Read access to your `.env` file, including your database credentials and API keys
- The ability to run the Copy Fail exploit

```bash
# As www-data after initial foothold
id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)

# Run the Copy Fail exploit (732 bytes of compiled C)
./copyfail

# Exploit completes
id
# uid=0(root) gid=0(root) groups=0(root)
```

From root, the attacker can install a kernel rootkit, add an SSH key to `/root/.ssh/authorized_keys`, or quietly read your entire database without triggering any application-layer logging.

---

## Infrastructure Security Is Application Security

Laravel developers are generally good at application-layer security. The ecosystem has excellent defaults: CSRF protection, parameterised queries, password hashing. But a recurring pattern in serious breaches is that the application layer held, and the attacker found their way in through infrastructure.

An unpatched kernel, a forgotten CI runner, a debug endpoint left on in a staging environment that shares a database with production. The line between "my app is secure" and "my server is secure" does not exist in practice.

---

## Protect Your Laravel Application

Kernel vulnerabilities are patched at the OS level, but the misconfigurations and exposed endpoints that give attackers their initial foothold are in your application layer. Debug mode left on in production, exposed Telescope or Horizon endpoints, missing security headers, `.env` files accessible over HTTP: these are the doors that let attackers in to use exploits like Copy Fail.

[Run a free StackShield scan](/free-scan) on your application and see what your application looks like from the outside.

---

## Frequently Asked Questions

### What is CVE-2026-31431 (Copy Fail)?

Copy Fail is a local privilege escalation vulnerability in the Linux kernel cryptographic subsystem. It chains three kernel subsystems (authencesn, AF_ALG sockets, and splice()) to achieve root access from any local user. It affects all Linux kernels from 2017 onward and has a working exploit in the wild.

### Is my Laravel Forge server affected?

Yes. All Forge-provisioned servers run Ubuntu, and all Ubuntu versions with kernels from 5.4 onward are affected. Laravel Forge has published a specific security advisory. SSH into your server, run "uname -r" to check your kernel version, and apply updates immediately.

### How does this affect Laravel applications specifically?

If an attacker gains any local access to your server (through a web shell, compromised dependency, or application vulnerability), Copy Fail lets them escalate from the www-data user to root. From root, they can read all secrets, install persistent backdoors, and access your database directly.

### How do I patch CVE-2026-31431?

Run "sudo apt update && sudo apt upgrade -y" on Ubuntu/Debian servers, then reboot with "sudo reboot" to load the new kernel. Verify the update with "uname -r" after reboot. Enable unattended-upgrades for automatic security patches going forward.

