CISA Adds Actively Exploited 'Copy Fail' Linux Kernel Vulnerability to KEV Catalog
CISA has added a critical Linux kernel privilege escalation vulnerability, known as 'Copy Fail,' to its Known Exploited Vulnerabilities catalog following evidence of active exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical local privilege escalation (LPE) vulnerability in the Linux kernel, tracked as CVE-2026-31431, to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild (The Hacker News, CISA).
Known as "Copy Fail," the vulnerability carries a CVSS score of 7.8 and stems from a logic error within the Linux kernel’s authentication cryptographic template (The Hacker News). This flaw allows an unprivileged local user to corrupt the kernel's in-memory page cache for any readable file, including setuid binaries. By modifying the in-memory version of these executables, an attacker can inject malicious code at execution time without ever touching the disk, effectively granting them root-level privileges (The Hacker News).
The vulnerability is the result of three separate, individually harmless kernel changes introduced between 2011 and 2017, affecting Linux distributions released since that time (The Hacker News). Exploitation is considered trivial, requiring only a 732-byte Python-based script. Because the exploit relies on legitimate system calls, it is difficult for security tools to distinguish the malicious activity from normal application behavior (The Hacker News).
The impact of Copy Fail is particularly severe in cloud and containerized environments. According to Kaspersky, platforms like Docker, LXC, and Kubernetes often grant processes inside a container access to the AF_ALG subsystem by default if the algif_aead module is loaded into the host kernel. This configuration can allow an attacker to breach container isolation and gain control over the underlying physical host (The Hacker News).
While the vulnerability is not remotely exploitable in isolation, security researchers warn that it becomes a potent tool when chained with other initial access vectors, such as compromised SSH credentials, malicious CI/CD job execution, or existing container footholds (The Hacker News). Microsoft’s security team has reported observing preliminary testing activity, suggesting that broader exploitation by threat actors is likely in the near future (The Hacker News).
To remediate the flaw, administrators are urged to update their systems to Linux kernel versions 6.18.22, 6.19.12, or 7.0, where fixes have been implemented (The Hacker News). While CISA’s mandate for remediation specifically applies to Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive 22-01, the agency strongly recommends that all organizations prioritize patching to mitigate the risk of unauthorized root access (CISA).
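A triage helper tying together the two actionable facts above, the fixed kernel versions (6.18.22, 6.19.12, 7.0) and the algif_aead module that widens container exposure. This is an added example, not code from the article or from any of the cited vendors; the mapping of fixed versions onto kernel branches and the "check vendor backport" verdict for older kernels are this example's assumptions, since distributions routinely backport fixes under an older version number.

```python
"""Host triage for the Copy Fail (CVE-2026-31431) advisory: kernel version vs. fix and algif_aead presence."""
import re

# Fixed releases named in the advisory, keyed by branch (example's assumption:
# 7.0 and later are treated as fixed; branches older than 6.18 get a
# "check-vendor-backport" verdict rather than a guess).
FIXED_PATCH_LEVEL = {(6, 18): 22, (6, 19): 12}

def parse_kernel_version(release: str) -> tuple:
    """'6.18.21-1-generic' -> (6, 18, 21); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def kernel_status(release: str) -> str:
    """'fixed', 'below-fix' (branch known, patch level too low) or 'check-vendor-backport'."""
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) >= (7, 0):
        return "fixed"
    if (major, minor) in FIXED_PATCH_LEVEL:
        return "fixed" if patch >= FIXED_PATCH_LEVEL[(major, minor)] else "below-fix"
    return "check-vendor-backport"

def algif_aead_loaded(proc_modules: str) -> bool:
    """True if algif_aead is listed in /proc/modules text (module name is the first column)."""
    return any(line.split()[0] == "algif_aead"
               for line in proc_modules.splitlines() if line.strip())

def triage(release: str, proc_modules: str) -> dict:
    """Combine both checks; container_escape_exposure mirrors the Kaspersky condition quoted above."""
    status = kernel_status(release)
    aead = algif_aead_loaded(proc_modules)
    return {"kernel": release, "status": status, "algif_aead_loaded": aead,
            "container_escape_exposure": status != "fixed" and aead}

if __name__ == "__main__":
    import platform
    try:
        with open("/proc/modules") as f:   # snapshot only: modules can load later
            modules = f.read()
    except FileNotFoundError:              # not Linux, or /proc unavailable
        modules = ""
    print(triage(platform.release(), modules))
```

A `below-fix` or `check-vendor-backport` result is a prompt to read the distribution's advisory, not a confirmed vulnerable host.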
The emergence of Copy Fail highlights the persistent risk posed by legacy logic bugs that remain dormant in core infrastructure for years. With proof-of-concept code already circulating in open-source repositories—including Go and Rust variants of the original Python exploit—the barrier to entry for attackers remains low, making rapid patching essential for maintaining system integrity (The Hacker News).