Key Takeaways
- CISA added CVE‑2026-31431 (CVSS 7.8) – dubbed Copy Fail – to its Known Exploited Vulnerabilities catalog after confirming active exploitation.
- The flaw is a local privilege‑escalation bug in the Linux kernel’s authentication cryptographic template that lets an unprivileged user obtain root by corrupting the in‑memory page cache.
- Introduced by three seemingly harmless kernel changes made in 2011, 2015, and 2017, the vulnerability affects all Linux distributions released since 2017.
- Exploitation requires only low‑privilege local access and no user interaction; it becomes especially dangerous when combined with an initial‑access vector such as SSH, malicious CI jobs, or a container foothold.
- Container runtimes (Docker, LXC, Kubernetes) that load the algif_aead module expose the AF_ALG subsystem, allowing attackers to break container isolation and compromise the host.
- A fully functional proof‑of‑concept exploit exists in Python, with Go and Rust ports already appearing in public repositories, lowering the barrier for attackers.
- Federal Civilian Executive Branch (FCEB) agencies must apply the patches by May 15 2026; if immediate patching is impossible, they should disable the affected feature, enforce network isolation, and tighten access controls.
Overview of the Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) placed CVE‑2026-31431 on its Known Exploited Vulnerabilities (KEV) catalog on May 3, 2026, citing confirmed active exploitation in the wild. Tracked as Copy Fail by Theori and Xint, the vulnerability carries a CVSS score of 7.8 and represents a local privilege‑escalation (LPE) weakness in the Linux kernel. Successful exploitation enables an unprivileged local user to elevate to UID 0, granting full root control over the affected system.
Technical Details of Copy Fail
Copy Fail stems from a logic bug in the kernel’s authentication cryptographic template (the AF_ALG subsystem). The bug allows a controlled 4‑byte overwrite in the kernel’s in‑memory page cache, which holds the cached contents of files, including setuid binaries. By corrupting this cache, an attacker can alter the executable code that runs when a privileged binary is invoked, effectively injecting malicious code without touching the filesystem. The exploit requires only a modest 732‑byte Python script to trigger the condition reliably.
Historical Introduction of the Flaw
Researchers traced the origin of Copy Fail to three separate, individually innocuous changes made to the Linux kernel in 2011, 2015, and 2017. Each change introduced a subtle interaction between the cryptographic API and the page‑cache handling code. When combined, these modifications created the precise condition that enables the cache‑corruption primitive. Because the changes were deemed harmless at the time, the flaw remained latent for nearly a decade before being discovered.
Impact on Linux Distributions
All Linux distributions released after 2017 inherit the vulnerable kernel code, making the flaw pervasive across enterprise servers, cloud instances, and embedded devices. The vulnerability’s CVSS rating reflects its high severity: while it cannot be exploited remotely on its own, any local user with low privileges can leverage it to gain root, posing a substantial risk to multi‑tenant environments where untrusted users may have shell access.
Mechanism of Privilege Escalation via Page Cache Corruption
The exploit works by overwriting a small region of the page cache that corresponds to a readable file—often a setuid binary such as /usr/bin/su. When the kernel later reads the cached version to execute the binary, the altered instructions run with the binary’s elevated privileges. Because the page cache mirrors the in‑memory view of files, the modification leaves no trace on disk, making forensic detection particularly challenging. Google‑owned Wiz emphasized that this technique lets attackers “inject code into privileged binaries and thereby gain root privileges.”
Relevance to Cloud and Container Environments
The prevalence of Linux in cloud infrastructure amplifies the danger of Copy Fail. Container runtimes such as Docker, LXC, and Kubernetes, by default, load the algif_aead module into the host kernel, exposing the AF_ALG subsystem to processes inside containers. Consequently, a compromised container process can exploit the kernel bug to break out of its isolation envelope and obtain control over the underlying host. Kaspersky warned that this creates a realistic path from a container foothold to full host compromise, especially since exploitation does not require complex race conditions or address guessing.
Exploit Availability and Proof‑of‑Concept Variants
A fully functional proof‑of‑concept (PoC) exploit was released shortly after the vulnerability’s public disclosure. The original PoC is a compact Python script, but security researchers have already observed Go and Rust implementations circulating in open‑source repositories. The availability of multiple language versions lowers the technical barrier for attackers, enabling rapid integration into exploit frameworks and malware toolkits.
Threat Intelligence and Observed Activity
Although CISA did not disclose specific exploitation details, the Microsoft Defender Security Research Team reported “preliminary testing activity” that suggests threat actors are beginning to experiment with Copy Fail. The team anticipates increased exploitation attempts over the coming days, particularly as attackers chain the LPE with initial‑access vectors. Because the attack uses only legitimate system calls, distinguishing malicious activity from normal behavior is difficult for conventional detection tools.
Attack Chain and Required Conditions
A typical attack flow proceeds as follows:
- Reconnaissance – Identify a Linux host or container running a vulnerable kernel version.
- Preparation – Craft or download the small Python trigger (or its Go/Rust equivalent).
- Execution – Run the exploit from a low‑privilege context, either as a regular user on the host or from a compromised container process lacking special capabilities.
- Exploit Execution – Perform a controlled 4‑byte overwrite in the kernel page cache, corrupting sensitive kernel‑managed data.
- Privilege Escalation – The altered cache causes a setuid binary to execute attacker‑supplied code, granting UID 0 and full root access.
The vector is local (AV:L), requires low privileges, and needs no user interaction, but its impact magnifies when paired with an initial‑access method such as SSH, a malicious CI job, or a container breach.
Mitigation and Patching Guidance
Vendors have issued patches in Linux kernel versions 6.18.22, 6.19.12, and 7.0. Organizations should prioritize upgrading to these releases. Where immediate patching is infeasible, CISA recommends disabling the AF_ALG subsystem (i.e., preventing the algif_aead module from loading), enforcing strict network segmentation to limit lateral movement, and applying the principle of least privilege to reduce the number of users who can execute arbitrary code locally.
Recommendations for Federal Agencies
Federal Civilian Executive Branch (FCEB) agencies have been directed to apply the kernel updates by May 15, 2026. If patching cannot be met by that deadline, agencies must implement compensatory controls: disable the vulnerable cryptographic module, isolate affected systems from untrusted networks, and monitor for anomalous use of legitimate system calls that could indicate exploit attempts. Continuous vulnerability scanning and threat‑intelligence feeds are also advised to detect any emerging exploitation patterns.
Conclusion and Ongoing Vigilance
Copy Fail exemplifies how seemingly minor, long‑standing code changes can combine to produce a severe local privilege‑escalation risk, particularly in today’s container‑centric cloud landscapes. The presence of a ready‑to‑use exploit, coupled with the difficulty of detecting legitimate‑system‑call abuse, underscores the need for prompt patching, hardened container configurations, and vigilant monitoring. Organizations that act swiftly to update their kernels and enforce strict access controls will significantly reduce the likelihood of a successful Copy Fail attack, while those that delay remain exposed to a potent threat capable of turning low‑privilege access into full system compromise.