Copy Fail (CVE-2026-31431): A kernel bug that also affects your Raspberry Pi and Home Assistant

News2026-05-02
Author: Petr Šrámek

In short: Copy Fail (CVE-2026-31431) is a Linux kernel bug that lets anyone with an existing account on the device grab root in under a second. At home it hits Raspberry Pi, Home Assistant OS, Linux-based NAS boxes, and anything else running a modern Linux kernel — it doesn't affect ESP32, ESP8266, RP2040, STM32, or typical routers, cameras, and smart home hubs. Bottom line: update, reboot, and pull off the internet anything that doesn't need to be there.

On Wednesday, April 29, 2026, the security team at Theori disclosed a new Linux kernel bug—they dubbed it Copy Fail (CVE-2026-31431). Most of the chatter focuses on corporate servers and clouds. But that same kernel powers your home setup too—Raspberry Pi running Raspberry Pi OS (formerly Raspbian), Home Assistant Yellow/Green/Blue, HAOS on a NUC, or NAS. And in a homelab, Copy Fail hits where the cloud talk glosses right over it.

Short version: On a vulnerable device, an unprivileged user can snag full root access in seconds with a 732-byte Python script. No dependencies, no fancy exploit chain. The flaw’s been lurking in the kernel since 2017, hitting every modern Linux distro.

Why You Should Care

This bug alone won’t let an attacker break in from the outside—they need an existing account on the device to exploit it. That’s the catch.

If you’ve got anything exposed to the internet on your Raspberry Pi, NAS or Home Assistant—the Home Assistant frontend itself, OctoPrint, Pi-hole admin panel, Nextcloud, Vaultwarden, or some web app you hacked together (or vibecoded with AI)—and that app has a security hole, the attacker gets in via the app’s account. Before, that’d be it. They’d only touch that one service’s data. With Copy Fail, they escalate to root on the whole device in moments.

Root means everything—all your data, keys, passwords, plus a foothold into the rest of your home network where the device’s connected. If Home Assistant itself is the compromised app, the attacker also grabs control over everything HA manages—smart locks, alarms, heating, cameras.

Docker Won’t Save You Either

If you’re counting on Docker containers for isolation from the host, think again. Copy Fail lets an attack escape from the container to the host—they share the same kernel and memory. A proof-of-concept via container popped up on GitHub a day after disclosure. Same deal for Docker on your Pi.

What to Do About It

What isn’t affected: ESP32, ESP8266, RP2040, STM32 (no Linux, no problem), plus cameras, routers, smart home hubs, and similar gear with specialized firmware. That stuff usually runs older kernels or ones without the vulnerable bits—Copy Fail skips them.

For vulnerable devices, three practical steps:

  1. Update now. Run sudo apt update && sudo apt full-upgrade, or use the HAOS update interface, and watch for kernel patches in your distro. They’re rolling out across distributions.
  2. Hide non-public stuff behind a VPN (Tailscale, WireGuard). If you don’t need Pi-hole admin or OctoPrint accessible from anywhere, no reason to expose them. Watch out for cloudflared tunnels too—without Cloudflare Access authentication, you’re just exposing the app differently online, and it won’t shield you from exploits in the app itself.
  3. For your own (vibecoded) apps, ask if they really need a public IP. Security in that kind of code is tricky enough on its own, and Copy Fail turns a minor app flaw into full machine takeover.

Detailed tech steps (like quickly disabling the affected kernel module before an official patch drops, or service hardening tips) are in the links below.

Background pulled together by Czech maker/security researcher Vladimir Smitka (source)

Links: Theori writeup on Xint, CERT-EU advisory, copy.fail, Sysdig analysis.

You are asking

I only have ESP32, ESP8266, Arduino, or other microcontrollers at home — does this affect me?

No. Copy Fail is a Linux kernel bug — microcontrollers don't run Linux, so they don't have the problem either. Same goes for typical routers, IP cameras, and smart home hubs running specialized firmware.

What's specific about Home Assistant?

The HA team isn't planning a hotfix — the patch will land with HAOS 18 in the normal release cycle. Their reasoning: most services on HAOS run as root anyway.
The catch is with add-ons and HACS integrations that run in Docker containers as unprivileged users. For those, Copy Fail does change things — it lets attacker code escape the container straight to the host. Until HAOS 18 ships, don't install add-ons or HACS integrations from untrusted sources; malicious code that would otherwise stay confined inside the container can use this CVE to reach root on the entire HAOS.

I have Pi-hole, OctoPrint, or Vaultwarden exposed to the internet — what now?

Cut public access until you've patched. For unauthenticated cloudflared, kill the tunnel in your Cloudflare Zero Trust dashboard; for port forwarding, close the port on your router. You'll still reach the service from your home network, and you don't really need it accessible from outside in the meantime.

How do I temporarily disable Copy Fail until the patch arrives?

Works on Raspberry Pi OS, Debian, Ubuntu, and most other Linuxes (RHEL/CentOS/Rocky/Alma are trickier):
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo modprobe -r algif_aead
The first command creates /etc/modprobe.d/disable-algif.conf, which blocks the module from loading on next boot (survives reboot). The second kicks it out of the currently running kernel. For typical home use (web, SSH, VPN, encrypted disks, Docker) disabling has no effect. For Docker: mitigation on the host covers all containers too. Once a patched kernel is installed, you can delete disable-algif.conf.
Share the article:
Show your
Maker soul!
Buy a T-Shirt
Coffee for Chiptron
Give a boost to the next article

Related Articles

How to secure linux server

Articles2015-12-05

I would like to tell you that I’m not prefessional in security, but i would like to show you article about basic security of linux server. Sources for this article is my own experinces and literature search. With distribution of…

ESPHome has come out with a major update. One new feature after another and many significant improvements.

News2025-08-24

ESPHome 2025.8.0 brings significant updates in hardware support and major performance improvements along with memory optimizations. Released on August 20, 2025, this update enhances the platform’s capabilities, particularly with support for new devices, ESP-NOW, faster string processing, and reduction of…

Banana Pi M2 Berry: Your cloud service on your server – nextcloud

Articles2017-12-05

Cloud services are very popular and the offer is big. Not all your data you want to save on thirt-party servers. So, then you can use own cloud service on your server. This tutorial will be working on Banana Pi…

Banana Pi M2 Berry: first start, iperf, sysbench and thermal imaging picture

Articles2017-08-18

The single-board computer called Banana Pi M2 Berry is other device by SinoVoip company. The interesting price $34 (with shipping $39.66 in my case) of Banana Pi M2 Berry looks like alternative to Raspberry Pi 3, Orange Pi Prime ?i…

TermDriver 2 from Lab401 – a small but powerful USB-UART/Serial sniffer with the option to expand to I2C and SPI.

TermDriver 2
News2025-12-12

Lab401 introduces its TermDriver 2, a device that simplifies debugging and communication between devices without the need for a connected computer. The built-in LCD display allows you to see real-time communication directly—no external monitor, computer, or software required. Additionally, you…

HackMaster Pi: a pocket tool for testing (not only) IoT security

News2026-03-30

The HackMaster Pi project is a low-cost, open, and modular tool built on Raspberry Pi that allows for simulating and analyzing various attacks. HackMaster Pi is an open-source project primarily designed for education and experimentation in the field of security.

Trends