CISA warns Linux Copy Fail flaw is being exploited to gain root access

CISA has added the Linux kernel vulnerability CVE-2026-31431, known as Copy Fail, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation.

The flaw is a high-severity local privilege escalation bug in the Linux kernel’s cryptographic subsystem. An attacker who already has local code execution as an unprivileged user can exploit it to gain root access on vulnerable systems.

The risk is highest for servers, cloud workloads, CI runners, Kubernetes nodes, shared Linux hosts, and container environments where untrusted or semi-trusted code can run on the same kernel.

What CISA added to the KEV catalog

CISA added CVE-2026-31431 to the KEV catalog on May 1, 2026. Federal civilian agencies must apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or stop using affected systems by May 15, 2026.

NVD lists the vulnerability as “Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability” and maps it to CWE-669. The flaw has a CVSS 3.1 score of 7.8, which places it in the high-severity range.

The bug was publicly disclosed on April 29, 2026. Security researchers released a short proof-of-concept exploit, and multiple vendors have since published patches or temporary mitigations.

At a glance

Item	Details
CVE	CVE-2026-31431
Name	Copy Fail
Severity	High, CVSS 7.8
Weakness	CWE-669, Incorrect Resource Transfer Between Spheres
Affected component	Linux kernel algif_aead module in the AF_ALG crypto API
Impact	Local privilege escalation to root
CISA KEV date	May 1, 2026
Federal remediation deadline	May 15, 2026

How Copy Fail works

Copy Fail sits in the Linux kernel’s algif_aead interface, which exposes authenticated encryption functions to user space through AF_ALG sockets.

The bug comes from an in-place optimization added to the kernel in 2017. That change allowed page-cache-backed data to end up in a writable destination path during some crypto operations.

By combining AF_ALG behavior with the splice() system call, an unprivileged user can trigger a controlled 4-byte write into the page cache of a readable file.

Why a 4-byte write can become root access

A 4-byte overwrite may sound small, but it can become powerful when the target is a privileged binary. Researchers demonstrated that the primitive can corrupt the cached version of a setuid binary such as /usr/bin/su.

The file on disk does not change. Instead, the modified version exists in the kernel page cache, which means ordinary file integrity checks may miss the tampering.

When the system later executes the cached binary, the attacker-controlled change can lead to root-level code execution. That makes Copy Fail especially dangerous on shared systems.

Why containers and CI systems face extra risk

Copy Fail is not a remote code execution bug by itself. An attacker needs a local foothold first, such as shell access, a compromised account, a malicious CI job, or code execution inside a container.

The concern is that containers share the host kernel. If a vulnerable kernel exposes the affected path, a containerized workload may be able to attack kernel-managed shared state.

This is why Kubernetes nodes, Docker hosts, build runners, and multi-tenant Linux environments should receive priority during patching and mitigation.

Affected systems

Area	Risk
Ubuntu releases before 26.04	Ubuntu said affected releases need mitigation or kernel fixes
Amazon Linux 2023	Verified vulnerable in researcher testing
Red Hat Enterprise Linux 8, 9, 10, and 10.1	NVD lists affected Red Hat Enterprise Linux configurations
SUSE 16	Verified vulnerable in researcher testing
Debian, Fedora, Arch, AlmaLinux, Rocky Linux, and other distributions	Risk depends on kernel version and vendor patch status
Kubernetes and CI/CD runners	High priority because they may run untrusted workloads

Patch status and mitigations

The upstream Linux fix removes the risky optimization and restores safer separation between source and destination buffers in the affected crypto path.

Fixed kernel versions are available for several maintained stable branches, including 5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.22, 6.19.12, and 7.0.

Some vendors also provide temporary mitigations that disable the affected algif_aead module. Ubuntu, for example, published a mitigation through the kmod package while kernel updates roll out.

What administrators should do now

• Inventory Linux hosts, cloud instances, Kubernetes nodes, CI runners, and container hosts.
• Check whether each system runs a vulnerable kernel branch.
• Apply vendor kernel updates as soon as they are available.
• Use vendor-supported mitigations when immediate patching is not possible.
• Prioritize systems that run untrusted code, customer workloads, or shared containers.
• Reboot patched systems if required so the fixed kernel actually loads.
• Review local user access, SSH access, CI permissions, and container execution policies.
• Watch for unusual setuid binary execution, privilege escalation attempts, and suspicious root shell activity.

What to check in container environments

Container teams should start with the host kernel, not the container image. Updating packages inside a container will not fix a vulnerable kernel on the node.

Administrators should patch Kubernetes worker nodes, managed node pools, self-hosted runners, and any Linux host that runs containers. Nodes that process untrusted builds or third-party workloads need urgent attention.

Where patching needs staged rollout, teams should restrict untrusted jobs, reduce shared-host exposure, and apply vendor-approved mitigations before returning those nodes to normal service.

Why this flaw drew so much attention

Copy Fail is drawing comparisons to older Linux privilege escalation bugs because it affects a deep kernel path and can work reliably across many distributions.

The public proof-of-concept is short, and researchers reported that it does not rely on a race condition. That makes exploitation easier than many older kernel privilege escalation techniques.

The flaw also shows how a small logic error can create a large security impact years later. The vulnerable behavior traces back to a 2017 optimization, but the consequences became clear only after researchers examined how AF_ALG, splice(), and page-cache memory interact.

Recommended response checklist

• Patch all externally managed and internally managed Linux systems.
• Confirm the running kernel version after reboot with uname -r.
• Disable algif_aead only through vendor-supported guidance if patching must wait.
• Review CI jobs that ran untrusted pull requests or third-party code.
• Check Kubernetes nodes for unexpected privileged activity.
• Rotate credentials if suspicious local privilege escalation activity appears.
• Document systems that cannot be patched and remove them from exposed workloads.

What this means for Linux security

Copy Fail does not let a remote attacker break into a Linux server by itself. The attacker first needs a way to run code locally.

Once that foothold exists, the flaw can turn a low-privilege account into root access. That makes it valuable for attackers who already breached a web app, stole SSH credentials, compromised a container, or landed code inside a build pipeline.

For defenders, the priority is clear: patch kernels, protect shared workloads, reduce local execution paths, and treat container hosts and CI runners as high-risk assets until updates are complete.

FAQ