What happened
CISA added CVE-2026-31431, a Linux kernel privilege escalation vulnerability dubbed Copy Fail, to its Known Exploited Vulnerabilities catalog on Friday, one day after Theori researchers publicly disclosed the flaw and published a proof-of-concept exploit. FCEB agencies have been ordered to patch by May 15 under Binding Operational Directive 22-01.
The vulnerability exists in the Linux kernel’s algif_aead cryptographic algorithm interface and allows unprivileged local users to gain root privileges by writing four controlled bytes to the page cache of any readable file. Theori described its Python-based exploit as 100% reliable, confirming it achieves root shells on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 without modification. The researchers stated the same exploit binary works unmodified on any Linux distribution shipped since 2017 with a vulnerable kernel version, covering essentially every mainstream Linux distribution built between 2017 and the patch.
Major Linux distributions began pushing fixes via kernel updates following the disclosure, though no official updates were available when Theori published its advisory on Thursday. Active exploitation was confirmed within 24 hours of the PoC’s release. CISA urged all security teams, not just federal agencies, to prioritize patching CVE-2026-31431 as soon as possible.
The Copy Fail disclosure follows another high-severity Linux privilege escalation vulnerability, CVE-2026-41651, dubbed Pack2TheRoot, which was patched last month after persisting for more than a decade in the PackageKit daemon.
Who is affected
Any organization running Linux endpoints or servers on kernel versions built between 2017 and the patch release is within scope. The exploit’s cross-distribution reliability means the exposure is not limited to specific vendors or configurations. Cloud environments, enterprise servers, and developer workstations running mainstream Linux distributions are all affected.
Why CISOs should care
A 100% reliable, publicly available exploit that achieves local privilege escalation to root across essentially every major Linux distribution built in the past eight years is about as high-urgency as vulnerability response gets. The 24-hour window between PoC release and confirmed active exploitation means organizations that did not patch immediately are already in a reactive posture. For environments where Linux servers handle sensitive data, run containerized workloads, or sit within cloud infrastructure, a local privilege escalation to root can be the final step in a broader attack chain that began with any form of limited initial access.
3 practical actions
- Apply Linux kernel updates immediately across all affected distributions: Check for available kernel patches from your distribution vendor and deploy them without waiting for a scheduled maintenance window. Ubuntu, Amazon Linux, RHEL, and SUSE have all begun pushing fixes. Prioritize internet-facing servers, cloud instances, and systems handling sensitive data.
- Audit local access controls on Linux systems as an interim risk reduction measure: Copy Fail requires unprivileged local access to exploit. Review which accounts have local or SSH access to Linux systems in your environment and revoke any unnecessary access to reduce the population of potential attackers who could reach the vulnerable interface before patching is complete.
- Verify patch status across cloud and containerized Linux environments: Cloud instances and container hosts running Linux kernels in the vulnerable range are in scope regardless of whether the underlying infrastructure is managed by a cloud provider. Confirm with your cloud provider whether managed kernel updates have been applied and validate patch status on any self-managed Linux instances running in cloud or hybrid environments.
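As an added example (not from the article, CISA or Theori) that serves all three actions above, a small POSIX shell triage helper: it lists the accounts that can obtain an interactive shell, records whether the algif_aead module is currently loaded, and emits one tab-separated line per host so kernel releases can be compared against the vendor's fixed release. It assumes /etc/passwd and lsmod are the sources of truth on the host; since the fixed kernel versions are not given here, it records the release rather than judging it.

```shell
#!/bin/sh
# Host triage helper for the three actions above. Added example, not from
# the article, CISA or Theori. Assumptions: /etc/passwd and lsmod are the
# sources of truth for local accounts and loaded modules on this host.

# Print the accounts that can obtain an interactive shell (action 2: the
# population of users who could reach the vulnerable interface locally).
# Reads /etc/passwd-format text from stdin; entries whose shell ends in
# nologin or false are treated as non-interactive.
interactive_accounts() {
  awk -F: '$7 != "" && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Report whether the algif_aead module is currently loaded, given lsmod
# output on stdin. Caveat: a crypto user-API module that is not loaded can
# still be loaded on demand, and the code may be built into the kernel, so
# "not-loaded" is a snapshot for the incident record, not a mitigation.
algif_aead_loaded() {
  if grep -q '^algif_aead[[:space:]]'; then
    echo loaded
  else
    echo not-loaded
  fi
}

# Build one inventory line (action 3): hostname, running kernel release and
# algif_aead state, tab-separated, so the output from many hosts can be
# compared against the distribution's fixed release once it is published.
triage_record() {
  host=$1; release=$2; state=$3
  printf '%s\t%s\t%s\n' "$host" "$release" "$state"
}

# Live run on the current host, only when invoked with --live, so the
# functions can also be sourced and exercised against constructed input.
if [ "${1:-}" = "--live" ]; then
  state=not-loaded
  if command -v lsmod >/dev/null 2>&1; then
    state=$(lsmod | algif_aead_loaded)
  fi
  triage_record "$(hostname)" "$(uname -r)" "$state"
  echo "interactive accounts:"
  interactive_accounts < /etc/passwd
fi
```

Run it as `sh triage.sh --live` on each host and collect the first line of output centrally; the account list is the input to the access review in action 2.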
