VYPR · kev
Published May 4, 2026 · Updated May 17, 2026 · 2 sources

CISA Warns of Active Exploitation of 'Copy Fail' Linux Kernel Vulnerability

CISA has added the "Copy Fail" Linux kernel vulnerability to its Known Exploited Vulnerabilities catalog after researchers released a reliable exploit that grants unprivileged users root access across nearly all modern Linux distributions.

The "Copy Fail" vulnerability, tracked as CVE-2026-31431, is a critical security flaw in the Linux kernel's algif_aead cryptographic interface. It allows an unprivileged local user to gain full root privileges by writing four controlled bytes into the page cache of any readable file. By modifying the cached page of a setuid-root binary, an attacker can escalate to the highest level of system access (BleepingComputer, SecurityWeek).

The flaw affects virtually all Linux distributions released since 2017. Researchers from Theori, who disclosed the vulnerability, released a "100% reliable" Python-based proof-of-concept (PoC) exploit that works without modification across diverse environments, including Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 (BleepingComputer). Because the exploit alters file contents in memory (the page cache) rather than on disk, it is considered particularly stealthy (SecurityWeek).

CISA officially added CVE-2026-31431 to its Known Exploited Vulnerabilities (KEV) Catalog on May 1, 2026, confirming that the flaw is being actively exploited in the wild. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply available patches by May 15, 2026 (BleepingComputer).

While Microsoft reports that current in-the-wild activity appears limited to PoC testing, the company warns that the vulnerability is exceptionally dangerous for cloud, Kubernetes, and CI/CD environments. In these settings, where running untrusted code is routine, an attacker could chain this flaw with container access or a malicious CI job to achieve a full container breakout or multi-tenant compromise (SecurityWeek).

Security teams are urged to prioritize patching immediately. Where patches cannot be applied right away, organizations should focus on isolating vulnerable systems, implementing strict access controls, and monitoring logs for anomalous behavior. Microsoft specifically advises defenders to review their infrastructure and identify machines running vulnerable kernel versions, since the reliability of the existing exploit code makes the flaw a high-priority target for threat actors (SecurityWeek).

The emergence of "Copy Fail" follows a pattern of long-standing vulnerabilities in core Linux components, such as the "Pack2TheRoot" flaw (CVE-2026-41651) discovered in the PackageKit daemon earlier this year. These incidents highlight the persistent risk posed by deep-seated defects in foundational software that lie dormant for years before discovery. As attackers continue to weaponize such high-impact flaws, the speed of vendor patching and organizational response remains the primary defense against widespread exploitation (BleepingComputer).

Synthesized by Vypr AI