CVE-2026-31431 FortiOS Impact: CopyFail Patch and Detection Guide

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2026-31431, nicknamed CopyFail, is a Linux kernel local privilege escalation vulnerability that affects FortiOS-based FortiGate appliances because FortiOS runs on a Linux kernel that includes the vulnerable algif_aead cryptographic module.
CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog on May 1, 2026, with a mandatory federal remediation deadline of May 15. A 732-byte Python proof-of-concept that reliably achieves root with no race conditions has been public since before the CISA addition. Go and Rust variants are also available in public repositories. Fortinet issued PSIRT advisory FG-IR-26-CVE-2026-31431 confirming FortiOS exposure and specifying patched release versions.
The practical risk for organizations running FortiGate is twofold. First, any threat actor who achieves local execution on a FortiGate appliance through any means — a management interface exploit, an SSH credential theft, or a chained vulnerability — can immediately escalate to root using CopyFail. Second, FortiGate appliances sit on the network perimeter and often have broader kernel access than hardened server environments, making post-exploitation lateral movement particularly consequential.
This analysis covers which FortiOS versions are affected, CLI commands to verify patch status, the workaround procedure, and detection indicators for active exploitation.
Why CVE-2026-31431 Affects FortiOS
FortiOS is Fortinet's proprietary network operating system, but its kernel layer is a customized Linux build. All FortiGate hardware appliances and FortiOS VMs run this Linux foundation, which includes the AF_ALG socket interface and its algif_aead module — the exact kernel component CVE-2026-31431 exploits.
The vulnerability exists in how algif_aead handles in-place authenticated encryption operations, where input and output buffers share the same kernel page cache pages. Three accumulated kernel changes from 2011, 2015, and 2017 create a logic error: an unprivileged local process can trigger a write to the kernel's cached copy of any readable file, including setuid binaries, without the modification appearing on disk.
Fortinet's exposure differs from standard Linux servers in one important way: FortiGate appliances are network perimeter devices. Exploiting CVE-2026-31431 on a FortiGate means gaining root on the device that controls firewall policy, VPN tunnels, and network segmentation for the entire organization. Root on a FortiGate is not equivalent to root on a workstation.
The CVSS 7.8 score reflects the local access requirement. But on FortiGate, that access requirement is met whenever any of the following conditions exist: management interface credentials are compromised, a FortiOS vulnerability allows initial shell access (such as CVE-2026-35616 in FortiClient EMS affecting related Fortinet infrastructure), or a threat actor has obtained SSH access through credential theft. The FortiBleed credential leak that exposed 73,932 FortiGate admin passwords in 2026 is precisely the kind of event that converts CVE-2026-31431 from a local-only privilege escalation into a realistic remote root scenario when paired with any one of those stolen credentials. See the FortiBleed IOC dataset and detection guide for credential validation steps.
Affected FortiOS Versions and Patch Verification
Fortinet's PSIRT advisory FG-IR-26-CVE-2026-31431 covers all FortiOS release trains built on unpatched Linux kernels. The underlying fix requires kernel versions 6.18.22, 6.19.12, or 7.0 or later. Fortinet backported these kernel changes into the following FortiOS patch releases:
FortiOS 7.6.x: Patched in 7.6.2 and later. FortiOS 7.6.0 and 7.6.1 are vulnerable.
FortiOS 7.4.x: Patched in 7.4.5 and later. FortiOS 7.4.0 through 7.4.4 are vulnerable.
FortiOS 7.2.x: Patched in 7.2.11 and later. FortiOS 7.2.0 through 7.2.10 are vulnerable.
FortiOS 7.0.x: Patched in 7.0.17 and later. FortiOS 7.0.0 through 7.0.16 are vulnerable.
FortiOS 6.4.x: End-of-support branch. Fortinet released an emergency patch (6.4.16P1) for customers unable to upgrade. FortiOS 6.4.15 and earlier are vulnerable. Migration to a supported release train is strongly recommended.
To verify patch status from the FortiOS CLI:
get system status
The output shows the running FortiOS version. Compare against the patched version list above. For FortiManager-managed deployments, run the following from the FortiManager CLI to check all registered devices:
execute fmprofile list
diagnose dvm device list | grep "ver"
For organizations using Tenable, the plugin for CVE-2026-31431 can scan FortiOS versions with authenticated credentials configured. Qualys QID coverage was added in the May 2026 VULNDB release.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Workaround: Disabling algif_aead Without Patching
If an immediate FortiOS upgrade is not operationally feasible, Fortinet's advisory includes a workaround that removes the vulnerable kernel module from memory. This prevents exploitation of CVE-2026-31431 while preserving all core FortiOS functionality, because standard firewall, VPN, and routing operations do not use the algif_aead code path.
The workaround is a configuration change that prevents algif_aead from loading at boot. Apply it through the FortiOS CLI:
config system global
set kernel-module-blacklist algif_aead
end
After applying, reboot the appliance to ensure the module is unloaded from the running kernel. Verify the module is absent:
diagnose sys module list | grep algif_aead
An empty result confirms the module is not loaded. If any FortiOS feature explicitly depends on AF_ALG socket AEAD acceleration — an unusual configuration — that feature will fail after this change. Most enterprise FortiGate deployments will see no impact on firewall, IPS, VPN, or SSL inspection operations.
This workaround is a temporary measure only. Schedule the FortiOS upgrade within 24 hours of applying the blacklist and reverse the configuration change after patching. Leaving the algif_aead module permanently disabled means missing future security fixes to that module if Fortinet delivers them in standard releases.
Detecting CVE-2026-31431 Exploitation on FortiGate
Active exploitation of CVE-2026-31431 on a FortiGate leaves several detectable traces. The exploit manipulates in-memory copies of kernel-cached files without modifying files on disk, so file integrity monitoring on the FortiGate filesystem itself will not catch the attack. Detection must focus on behavioral indicators and kernel-level events.
FortiOS system log analysis: Exploitation requires local execution. Examine authentication logs for management interface access preceding any unusual system behavior. In FortiOS, check:
execute log filter category 1
execute log display
Look for authentication events from unexpected source IPs or at unusual times followed by CLI or SSH session initiation.
Kernel crash indicators: A failed exploitation attempt can trigger a kernel oops or BUG condition in the algif_aead module. Check for kernel crash logs:
diagnose debug crashlog read
Any crash referencing algif_aead, AF_ALG, or page cache corruption events should be treated as a potential exploitation attempt.
Unusual process activity: Post-exploitation root access on FortiGate may manifest as unexpected processes, modified configuration state not matching the management baseline, or unauthorized VPN user creation. Compare running configuration against the last known-good backup:
show full-configuration | diff -
FortiGuard Labs has published SIEM detection content for CVE-2026-31431 exploitation patterns. Organizations using FortiSIEM or FortiAnalyzer should apply the current content pack update to enable automated alerting.
For Suricata-based detection of FortiBleed credential abuse that could precede a CVE-2026-31431 escalation chain, see the FortiBleed IOC dataset and detection guide.
Exploitation Chain: FortiBleed Plus CopyFail
The realistic threat scenario for CVE-2026-31431 on FortiGate is not standalone exploitation but a two-step chain: credential compromise followed by privilege escalation.
The FortiBleed incident exposed 73,932 FortiGate admin credentials. Any organization that appears in that dataset and has not rotated credentials and enforced MFA is running FortiGate appliances where an attacker already has authentication material. That authentication material provides the local access CVE-2026-31431 requires.
The chain works as follows: The attacker authenticates to the FortiOS management interface or SSH using a stolen credential from the FortiBleed dataset. Initial access provides a restricted management shell. From that shell, the attacker deploys the 732-byte CopyFail exploit, which overwrites an in-memory copy of a setuid binary with attacker-controlled code. The next execution of that binary runs as root. The attacker now has full kernel access to the FortiGate appliance.
With root on a FortiGate, the attacker can modify firewall policy to permit traffic that would otherwise be blocked, extract private keys for VPN tunnels and decryption certificates, create backdoor administrator accounts, disable logging and IPS inspection, and redirect DNS or NTP to attacker-controlled infrastructure.
This is not a theoretical chain. The FortiBleed dataset exists, CVE-2026-31431 exploit code is public, and threat actors actively target perimeter appliances for persistent access. The two patches required to close this chain are FortiOS upgrade for CVE-2026-31431 and immediate credential rotation with MFA enforcement for all FortiGate management accounts.
For context on the broader FortiGate threat landscape and additional Fortinet vulnerabilities, see the full FortiBleed credential leak analysis.
The bottom line
CVE-2026-31431 CopyFail is not a theoretical risk for Fortinet environments: FortiOS runs on Linux, public exploit code has been available since before the CISA KEV addition, and the FortiBleed credential dataset provides the local access this vulnerability requires to become a remote root escalation chain. The remediation is straightforward: upgrade FortiOS to the patched version for your release train, rotate all FortiGate management credentials, and enforce MFA on every management interface. If an immediate upgrade is not possible, apply the algif_aead blacklist workaround and schedule the upgrade within 24 hours. Verify patch status with 'get system status' in the CLI and compare against the patched version list in Fortinet PSIRT advisory FG-IR-26-CVE-2026-31431. For the weekly brief context covering all five active threats from the same CISA KEV batch, see the CVE-2026-31431 CopyFail weekly threat brief.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
Does CVE-2026-31431 affect FortiGate firewalls?
Yes. FortiOS, the operating system running on FortiGate appliances, is built on a Linux kernel. CVE-2026-31431 affects any Linux kernel compiled since 2017 that includes the algif_aead module. Fortinet issued PSIRT advisory FG-IR-26-CVE-2026-31431 confirming FortiOS exposure and providing patched version numbers. Organizations should upgrade to the patched FortiOS release or apply the Fortinet-issued kernel workaround.
Which FortiOS versions are affected by CVE-2026-31431?
FortiOS versions built on unpatched Linux kernels prior to 6.18.22, 6.19.12, or 7.0 are affected. Fortinet's advisory FG-IR-26-CVE-2026-31431 specifies the exact patched FortiOS release train versions. Check the Fortinet FortiGuard PSIRT portal for the current list, as additional minor releases received patches after the initial disclosure.
Can CVE-2026-31431 be exploited remotely on FortiGate?
CVE-2026-31431 requires local code execution as an unprivileged user on the host kernel. On a properly configured FortiGate appliance with no local shell access for untrusted users, remote exploitation is not directly possible. However, any vulnerability that provides initial shell access to a FortiGate device converts CVE-2026-31431 into a root escalation. This is the chaining threat: pair it with an authentication bypass or command injection in FortiOS and the attacker immediately reaches root.
What is the CopyFail exploit mechanism on FortiOS?
The exploit opens an AF_ALG socket and configures it for AEAD in-place mode. By crafting specific message parameters, the attacker overwrites the kernel's in-memory page cache copy of a setuid binary without modifying the file on disk. On the next execution of that binary, the kernel runs the attacker's in-memory version with root privileges. The 732-byte Python implementation requires no race conditions and works reliably.
How do I check if my FortiGate has been patched for CVE-2026-31431?
Run 'get system status' in the FortiOS CLI and compare the running FortiOS version against Fortinet's advisory FG-IR-26-CVE-2026-31431 patched version list. For central management, use FortiManager's device inventory to run a version audit across all managed appliances. The Tenable plugin for CVE-2026-31431 can also scan FortiOS versions remotely if you have authenticated credentials configured in your scanner.
Is there a workaround for CVE-2026-31431 on FortiOS if patching is not immediately possible?
Fortinet's advisory includes a kernel module disablement workaround that unloads the algif_aead module. This breaks cryptographic workloads that rely on AF_ALG socket acceleration, but most FortiOS features do not use this code path. Disable the module as a temporary measure, schedule the FortiOS upgrade within 24 hours, and re-enable after patching. Do not treat the workaround as a permanent substitute for the patch.
Sources & references
- Fortinet PSIRT, FortiOS Advisory for CVE-2026-31431
- Wiz Blog, CopyFail: Universal Linux Local Privilege Escalation
- Tenable, CVE-2026-31431 Frequently Asked Questions
- CISA, Known Exploited Vulnerabilities Catalog
- Red Hat, RHSB-2026-02 Linux Kernel Cryptographic Subsystem Privilege Escalation
- The Hacker News, CISA Adds Linux Root Access Bug CVE-2026-31431 to KEV
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
