
CISA Adds “Copy Fail” Linux Root Privilege Escalation Flaw CVE-2026-31431 to KEV
Key Takeaways
- CVE-2026-31431 enables local root privileges on Linux kernels since 2017.
- CISA added the flaw to the Known Exploited Vulnerabilities list amid active exploitation.
- AI-assisted discovery by Theori's Xint Code led to public exploit availability.
A root bug named “Copy Fail”
A newly disclosed Linux security flaw known as “Copy Fail,” tracked as CVE-2026-31431, is enabling local privilege escalation that can let an unprivileged user obtain root access on affected systems.
Microsoft said it is investigating a “high-severity local privilege escalation vulnerability (CVE-2026-31431)” affecting multiple major Linux distributions including “Red Hat, SUSE, Ubuntu, and AWS Linux,” and it assigned the flaw a CVSS score of 7.8.

Theori and Xint Code described the bug as unusually simple and widely applicable, with Xint Code saying it “is a trivially exploitable logic bug in Linux, reachable on all major distros released in the last 9 years.”
The Verge reported that “Nearly every Linux distribution released since 2017 is currently vulnerable,” and it said the exploit is publicly disclosed as CVE-2026-31431 and uses a Python script that requires “no per-distro offsets, no version checks, no recompilation.”
The Hacker News added that CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild, and it described the vulnerability as a “local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root.”
In technical terms, Microsoft said the vulnerability is a “logic flaw within the algif_aead module of the AF_ALG (userspace crypto API)” that results in “improper handling of memory during in-place operations,” and it characterized the attack vector as “local (AV:L) and requires low privileges with no user interaction.”
How it works in memory
Multiple reports describe Copy Fail as a logic flaw that manipulates the Linux kernel’s in-memory handling of file data rather than changing the file on disk.
Microsoft said exploitation “leads to full root privilege escalation” and could “facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments,” emphasizing that the exploit is “stealth (in-memory-only modification).”

Ars Technica, as quoted by The Verge, explained why monitoring can miss it: “Page-cache corruption never marks the page dirty. The kernel’s writeback machinery never flushes the modified bytes back to disk.”
The Record from Recorded Future News similarly said the bug works by “quietly tampering with the temporary copy of a file the system holds in memory while it is in use, without ever touching the original file on disk,” and it added that “As standard security tools check files on disk rather than in memory, they see nothing wrong.”
The Hacker News said the flaw allows an attacker to obtain root by “corrupting the kernel's in-memory page cache of any readable file, including setuid binaries,” and it quoted Wiz saying “Because the page cache represents the in-memory version of executables, modifying it effectively alters binaries at execution time without touching disk.”
Microsoft’s technical write-up tied the mechanism to the crypto subsystem, saying the flaw “originates from an in-place optimization introduced in 2017” where “the kernel reuses source memory as the destination during cryptographic operations,” and it described an interaction between “the AF_ALG socket interface and the splice() system call.”
Disclosure timeline and patching
The reporting ties Copy Fail to a disclosure and patch timeline that begins with private reporting to kernel maintainers and ends with public disclosure and distribution updates.
Cointelegraph quoted Theori CEO Brian Pak saying he reported the vulnerability “privately” to the Linux kernel security team on March 23, and Pak said “We worked with them on patches, which landed in mainline on April 1. CVE assigned April 22. We disclosed publicly on April 29 with a full write-up and PoC.”
The Verge said “a patch for Copy Fail was added to the mainline Linux kernel on April 1st,” while The Hacker News said fixes have been made available in Linux kernel versions “6.18.22, 6.19.12, and 7.0.”
BleepingComputer reported that “patches became available within a week” and that the offensive security company developed and tested a “100% reliable” Python-based exploit for four distributions including “Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16.”
The Hacker News also stated that “Federal Civilian Executive Branch (FCEB) agencies have been advised to apply the fixes by May 15, 2026,” and it said that “If patching is not an immediate option, organizations are recommended to disable the affected feature, implement network isolation, and apply access controls.”
crypto.news said “CISA added Copy Fail to its exploited bugs list after reports of active Linux abuse,” and it stated that “CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog on May 1.”
AI-assisted discovery and exploit simplicity
Several accounts emphasize that Copy Fail was found using AI-assisted scanning and that the resulting exploit is compact and portable.
The Verge said the exploit was identified by Theori’s researchers with assistance from their Xint Code AI tool, and it described the exploit as requiring “no per-distro offsets, no version checks, no recompilation,” citing Theori.

It also quoted a prompt attributed to Taeyang Lee, saying: “This is the linux crypto/ subsystem. Please examine all codepaths reachable from userspace syscalls. Note one key observation: splice() can deliver page-cache references of read-only files (including setuid binaries) to crypto TX scatterlists.”
The Record from Recorded Future News said the flaw was publicly disclosed this week by researchers at Theori, which said it found the bug using an AI-powered scanning tool called Xint Code, and it added that “Theori said the flaw resulted from three separate, individually unremarkable changes to the Linux kernel made in 2011, 2015 and 2017.”
GovInfoSecurity quoted Theori researchers describing the flaw and said it was discovered after “about 1 hour of time to scan ‘the Linux crypto/subsystem,’” and it said the finding involved no “harnessing,” meaning no agents or wraparounds.
Cointelegraph and Cryptonews.net both highlighted the exploit’s small size, with Xint Code saying “A small, portable python script gets root on all platforms,” and with Cryptonews.net quoting Duran: “10 lines of Python” may be all it takes.
CISA KEV, cloud risk, and what comes next
The Copy Fail disclosure quickly translated into government action and heightened concern for cloud and container environments, with CISA adding the bug to its Known Exploited Vulnerabilities catalog.
The Hacker News said CISA added the flaw “to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild,” and it reported that CISA did not share details about how the vulnerability is being exploited.

Microsoft said the vulnerability’s broad applicability has caused “widespread concern,” and it warned that it is seeing “preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days,” while also noting the addition to CISA’s KEV catalog.
crypto.news similarly said “CISA added Copy Fail to its exploited bugs list after reports of active Linux abuse,” and it described the flaw as local privilege escalation that “does not give remote access by itself,” requiring attackers to have “prior code access.”
Kaspersky, quoted by The Hacker News, warned that containerized environments can be at risk because “Docker, LXC, and Kubernetes ‘grant processes inside a container access to the AF_ALG subsystem if the algif_aead module is loaded into the host kernel’ by default,” and it said Copy Fail “poses a risk of breaching container isolation and gaining control over the physical machine.”
For remediation, The Hacker News said federal agencies were advised to apply fixes by “May 15, 2026,” and it recommended disabling the affected feature, implementing network isolation, and applying access controls if patching is not immediate.
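As an added example (not code from the article, nor from Theori, Microsoft or CISA), the following POSIX shell script turns the remediation points above into a local triage check: it compares the running kernel against the fixed mainline releases the article names (6.18.22, 6.19.12 and 7.0), reports whether the algif_aead module is present, and prints the modprobe.d directive that stops the module from loading. It assumes that "the affected feature" is the algif_aead module behind AF_ALG. Distribution kernels that backport the fix without changing their upstream version string will be reported as "no fix version matched"; for those, the distro advisory is authoritative.

```shell
#!/bin/sh
# Added example, not code from the article or from any vendor it quotes.
# Defender-side triage for CVE-2026-31431 ("Copy Fail").
# Assumptions: fixed mainline releases are 6.18.22, 6.19.12 and 7.0 (as reported
# in the article); the feature to disable is the algif_aead module (AF_ALG).

# kernel_is_patched VERSION
# Returns 0 when VERSION (a `uname -r` string) is at or above one of the fixed
# mainline releases, 1 otherwise. Backported distro kernels return 1 here
# because their version string does not reveal the fix; check the advisory.
kernel_is_patched() {
    v=${1%%-*}            # drop "-generic", "-arch1-1", "-rc2" style suffixes
    v=${v%%+*}            # drop "+" build suffixes
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    # Non-numeric components become 0 so the comparisons below cannot fail.
    case $maj in ''|*[!0-9]*) maj=0 ;; esac
    case $min in ''|*[!0-9]*) min=0 ;; esac
    case $pat in ''|*[!0-9]*) pat=0 ;; esac
    if [ "$maj" -ge 7 ]; then return 0; fi                                 # 7.0 and later
    if [ "$maj" -eq 6 ] && [ "$min" -eq 19 ] && [ "$pat" -ge 12 ]; then return 0; fi
    if [ "$maj" -eq 6 ] && [ "$min" -eq 18 ] && [ "$pat" -ge 22 ]; then return 0; fi
    return 1
}

# algif_aead_present
# Returns 0 if algif_aead is loaded as a module or visible under /sys/module
# (the latter also catches some built-in configurations), 1 otherwise.
algif_aead_present() {
    if [ -r /proc/modules ] && grep -q '^algif_aead ' /proc/modules; then return 0; fi
    if [ -d /sys/module/algif_aead ]; then return 0; fi
    return 1
}

# mitigation_hint
# Prints the modprobe.d directive that prevents algif_aead from being loaded
# in future (the "disable the affected feature" step). It does not unload a
# module that is already loaded; that needs rmmod or a reboot.
mitigation_hint() {
    printf '%s\n' 'install algif_aead /bin/false'
}

# Report on the host this script runs on.
running=$(uname -r 2>/dev/null || echo unknown)
if kernel_is_patched "$running"; then
    echo "kernel $running: at or above a fixed mainline release"
else
    echo "kernel $running: no fix version from the article matched; check the distro advisory"
fi
if algif_aead_present; then
    echo "algif_aead present: consider adding to /etc/modprobe.d: $(mitigation_hint)"
else
    echo "algif_aead not present"
fi
```

The version check deliberately errs towards "not confirmed": a vendor kernel such as a 5.x or 6.1x series with the fix backported still needs the advisory lookup, and the script says so rather than reporting it as safe. The modprobe directive only blocks future autoloading, which matters for the container case the article describes, where the host kernel having the module loaded is what exposes AF_ALG to processes inside the container.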