CISA says ‘Copy Fail’ flaw now exploited to root Linux systems
Source: Bleeping Computer

Overview
CISA has warned that threat actors are exploiting the “Copy Fail” Linux security vulnerability in the wild, just one day after Theori researchers disclosed it and released a proof‑of‑concept (PoC) exploit.
Vulnerability Details
- CVE: CVE‑2026‑31431
- Location: Linux kernel’s algif_aead cryptographic algorithm interface.
- Impact: Allows an unprivileged local user to gain root privileges on unpatched systems by writing four controlled bytes to the page cache of any readable file.
The flaw affects kernels built between 2017 and the release of the patch, covering essentially every mainstream Linux distribution.
Exploit Availability
Theori researchers disclosed the vulnerability on Thursday and shared a “100% reliable” Python‑based exploit that can root:
- Ubuntu 24.04 LTS
- Amazon Linux 2023
- RHEL 10.1
- SUSE 16
The same script works unmodified on any Linux distribution shipped since 2017 with a vulnerable kernel version.
“Same script, four distributions, four root shells — in one take. The same exploit binary works unmodified on every Linux distribution,” – Theori.
[Image: Getting root shell on four Linux distros (Theori)]
CISA Response
On Friday, CISA added the Copy Fail flaw to its Known Exploited Vulnerabilities (KEV) Catalog:
- Action Required: Federal Civilian Executive Branch (FCEB) agencies must patch Linux endpoints and servers within two weeks (by May 15).
- Authority: Binding Operational Directive (BOD) 22‑01.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the agency warned.
“Apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
While BOD 22‑01 applies only to U.S. government agencies, CISA urged all security teams to prioritize patches for CVE‑2026‑31431 as soon as possible.
Related Vulnerabilities
Earlier last month, Linux distributions patched another high‑severity root‑privilege escalation vulnerability:
- CVE‑2026‑41651 (Pack2TheRoot) – a decade‑old flaw in the PackageKit daemon.
Details: NVD entry and coverage article on BleepingComputer.