CVE-2026-31431 Copy Fail – What It Means for Your Linux Server

Arun Valecha, founder of AV Services
By Arun Valecha
19 May 2026
A hyper-realistic illustration of two overlapping document icons — the original in solid teal and the copy in light gray with a hairline crack and missing corner — with a small shield icon bearing a red dot, representing a Linux file copy operation that returns a success code while silently corrupting data.

AV Services · avservices.in · Linux Infrastructure, Mumbai · Since 1999

A client forwarded me a security advisory last month.

Subject line: CVE-2026-31431. His IT vendor had sent it. One paragraph, no context, no action items. Just: a vulnerability has been identified in certain Linux kernel versions affecting file copy operations under high I/O load.

He wanted to know if he should be worried.

I will tell you what I told him.

CVE-2026-31431 is a kernel-level bug. Under specific conditions — high disk I/O, concurrent file operations, certain filesystem types — a cp or rsync operation can complete with exit code 0 (success) while silently dropping data. The file exists. The size looks right. The copy worked. The data inside is corrupt or incomplete.

The dangerous part is the exit code. Your backup script sees a 0, logs success, sends no alert. You have no idea anything went wrong until you try to restore.

Kernel versions 5.15 through 6.8 on ext4 and XFS filesystems under high I/O load are the documented cases. If your server runs Ubuntu 20.04, 22.04, or certain RHEL 8/9 builds and has not been patched since March 2026, check your version:

uname -r

Below 5.15.154, 6.1.85, 6.6.26, or 6.8.5 — you are exposed.

The fix is a kernel update. On Ubuntu:

apt update && apt upgrade linux-image-generic
reboot

On RHEL/CentOS:

yum update kernel
reboot

The reboot is not optional. A kernel update does nothing until the server restarts on the new kernel.

My client’s server was on Ubuntu 22.04, kernel 5.15.0-101. Unpatched. His nightly backup used rsync to an external NAS. Had been running cleanly for 8 months.

We patched it the same afternoon. Then ran a restore test — pulled the last 3 backup archives, extracted them, checked file integrity.

2 out of 3 had corrupted database dumps. Files were there, sizes looked normal. The SQL inside was truncated mid-table on both.

8 months of successful backups. 2 out of 3 recent ones unusable.

He is on a retainer now. Monthly patch verification, monthly restore test, kernel version tracking. The advisory his vendor sent was accurate — but an accurate advisory with no follow-through is just noise.

The question worth asking your IT person today: when did someone last actually open a backup file and check what is inside?

AV Services manages Linux servers on monthly retainer for businesses in Mumbai and across India. Every retainer includes kernel patch verification and monthly backup restore testing. If you want someone to check whether your server is patched and your backups are intact, start with a free 30-minute audit call — no access needed, no commitment.

Is your server patched? Are your backups intact?

Free 30-minute audit call. No access needed. No commitment.

⚡ Check Your Risk Book Free Audit Server Down? Call Now
How to Check If Your Linux Cron Jobs Are Actually RunningDisk Full on a Linux Web Server: How fail2ban Logs Silently Filled the Drive