The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a newly disclosed Linux vulnerability, dubbed “Copy Fail,” to its Known Exploited Vulnerabilities catalog on May 1st, warning that the flaw, tracked as CVE-2026-31431, is already being used in active attacks and urging rapid patching across affected systems.
Security researchers at Theori disclosed the flaw publicly last week, releasing a working proof-of-concept exploit alongside their findings. According to the team, the exploit is “100% reliable” and functions without modification across multiple major Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. That level of portability is unusual and lowers the barrier for attackers seeking to weaponize the bug.
At a technical level, the bug enables attackers to write controlled data into the kernel’s page cache, a low-level memory structure, ultimately allowing privilege escalation. While the exploit requires local access, it still allows attackers to break out of standard user restrictions and gain full control of the system.
Compounding the risk, a discussion on the Openwall oss-security mailing list suggests that the vulnerability and the working exploit were publicly disclosed without prior coordination with Linux distribution maintainers. In typical responsible disclosure processes, vendors are given advance notice to prepare and distribute patches before technical details are made public.
In this case, however, maintainers indicated that no such heads-up was provided, leaving some distributions without fixes ready at the time of disclosure. One contributor noted that older long-term support kernel branches had yet to receive backported patches, forcing developers to rely on temporary mitigations, including disabling affected cryptographic modules.
The result is a compressed response window in which defenders must scramble to deploy updates while attackers can immediately leverage publicly available exploit code.
That dynamic is reflected in CISA’s unusually swift inclusion of the flaw in its exploited vulnerabilities list, signaling that the issue poses a significant and immediate risk. CISA has given U.S. federal agencies two weeks to apply patches, in line with Binding Operational Directive 22-01, and has also urged all organizations to prioritize remediation.
Linux vendors have begun rolling out kernel updates to address the flaw. However, with exploit code already in the wild, users running older or unpatched systems may remain vulnerable until the fixes are applied.