"Copy Fail" Under Active Attack: CISA Issues May 15 Patch Deadline for Linux Kernel Flaw

On May 1, 2026, CISA added CVE-2026-31431—a local privilege escalation (LPE) vulnerability nicknamed "Copy Fail"—to its Known Exploited Vulnerabilities (KEV) catalog. The move confirms that the Linux kernel flaw is currently being exploited in the wild.

The vulnerability allows a low-privileged process to gain root access by corrupting kernel shared memory. Exploitation is highly accessible; a proof-of-concept (PoC) measuring just 732 bytes has already been adapted into Go and Rust variants.

U.S. federal agencies are required to patch the flaw by May 15, 2026. However, the immediate threat extends to all cloud and on-premise containerized infrastructures, where the isolation between guest and host can be collapsed in a matter of seconds.

A Nine-Year-Old Logic Bug in the Cryptographic Module

The vulnerability resides in the algif_aead module of the Linux kernel's AF_ALG subsystem. It was introduced through three separate code changes in 2011, 2015, and 2017, leaving major distributions vulnerable for approximately nine years.

CISA classifies the flaw as an "incorrect resource transfer between spheres" vulnerability. In accordance with BOD 22-01, the agency assigned it a CVSS score of 7.8 and mandated its inclusion in the KEV catalog on May 1, 2026.

This inclusion triggers a mandatory remediation window for federal agencies, ending May 15, 2026. This aggressive timeline places significant pressure on IT teams to rapidly audit and patch their entire Linux fleet.

While this is a local privilege escalation (LPE) vulnerability and cannot be exploited remotely on its own, it is a potent weapon once an attacker gains a foothold on a system or compromises a process already running on the target.

Fileless Root Access: How 4 Bytes Can Topple a System

The attack leverages a logic error to perform a controlled 4-byte overwrite in the page cache of shared memory. This allows an attacker to corrupt the entry point of a setuid binary currently loaded in RAM, such as /usr/bin/su.

"Because the page cache represents the in-memory version of executables, modifying it effectively alters binaries at execution time without touching disk" — Wiz, as reported by The Hacker News

By corrupting the memory image, an attacker achieves code execution with UID 0 without leaving a trace on the physical disk. Because the exploit relies on legitimate system calls, the activity is notoriously difficult for traditional security tools to detect.

While the original PoC was a 732-byte Python script, Kaspersky has already identified Go and Rust variants in open-source repositories. This evolution suggests the exploit is being streamlined for production use, as it requires no complex techniques like race conditions or memory address guessing.

From Container to Host: The Path to Breakout

In Docker, LXC, and Kubernetes environments, internal container processes typically have default access to the AF_ALG subsystem if the algif_aead module is loaded in the host kernel. This exposes the host's attack surface directly to isolated workloads.

According to Kaspersky, "Copy Fail poses a risk of breaching container isolation and gaining control over the physical machine." This risk becomes a reality when an unprivileged process inside a pod gains root access on the underlying host, rendering years of isolation hardening moot.

The mechanism is particularly dangerous because the exploit is stable and repeatable, even in high-density shared environments, due to its lack of reliance on unpredictable memory timing or race conditions.

Threat Intel: Microsoft Defender Warns of Preliminary Activity

The Microsoft Defender Security Research Team reports seeing "preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days," suggesting that the exploitation phase is poised to accelerate.

At this time, there is no specific attribution to known threat actors, and official metrics on the scale of in-the-wild attempts remain unavailable. However, CISA has confirmed that exploitation is occurring.

The discovery of Go and Rust variants by Kaspersky indicates that the threat actor community is actively integrating the PoC into existing attack playbooks. While a massive, large-scale campaign has not yet been confirmed, the convergence of public exploit code and preliminary testing suggests a rapidly expanding risk window.

Mitigation and Response

1. Immediately verify kernel versions across the infrastructure. Consult distribution vendors for patches related to the 6.18.22, 6.19.12, and 7.0 branches, noting that some distributions may still be preparing updates.
2. Implement interim mitigations by disabling the algif_aead module or applying seccomp rules to block the creation of AF_ALG sockets. Organizations should first test the impact on production cryptographic applications that may rely on this subsystem.
3. Audit Kubernetes clusters and container runtimes to identify pods or services accessing the AF_ALG subsystem without a documented operational requirement.
4. Strengthen behavioral monitoring for system call logs. Since the exploit uses legitimate syscalls, detection should focus on anomalous shared memory access and page cache write patterns rather than static indicators of compromise (IoCs).

The operational takeaway is that a single persistent logic flaw in the kernel can undo years of investment in container isolation. For DevOps and SOC teams, the challenge is not just patching by May 15, but establishing visibility into an attack that leaves no artifacts on disk. In this landscape, patching speed must be matched by memory-level monitoring; cloud infrastructure managers must act now before the preliminary activity reported by Microsoft evolves into systematic exploitation.

Frequently Asked Questions

Why is Copy Fail more dangerous in containers than on traditional servers?

In Docker, LXC, and Kubernetes, processes often have default access to the AF_ALG subsystem of the host kernel. This allows an attacker to escape the container's isolation and gain root access to the underlying physical machine. On a traditional server, the same flaw would still require existing local access to the system.

If the exploit doesn't modify files on disk, how can it be detected?

Because the attack uses legitimate system calls and targets the memory-resident page cache, the filesystem remains untouched. Detection must shift from static disk-based indicators to behavioral monitoring of syscalls and identifying anomalies in kernel shared memory access.

Could disabling the algif_aead module break production services?

The operational impact cannot be determined universally. Applications that rely on hardware-accelerated cryptographic functions via AF_ALG may fail. It is essential to test this mitigation in a staging environment before widespread deployment.

Information has been verified against cited sources and is current as of the time of publication.

Sources

• https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html
• https://www.cisa.gov/news-events/alerts/2026/05/01/cisa-adds-one-known-exploited-vulnerability-catalog
• https://ebuildersecurity.com/cyber-news/cisa-linux-copy-fail-cve-2026-31431-kev-exploitation/