Linux ‘Copy Fail’ Under Active Attack: CISA Sets May 15 Patch Deadline
CISA has added CVE-2026-31431, known as 'Copy Fail,' to its KEV catalog following reports of active exploitation. The stealthy 732-byte Python exploit grants l…

On May 1, 2026, CISA added CVE-2026-31431—nicknamed "Copy Fail"—to its Known Exploited Vulnerabilities (KEV) catalog, confirming that this Linux kernel privilege escalation flaw is being exploited in the wild. The federal agency has mandated that U.S. federal civilian agencies apply patches by May 15, 2026. The vulnerability is exceptionally potent: a Python script of roughly 732 bytes allows a local user to gain root privileges on nearly every major Linux distribution released since 2017. By manipulating the in-memory page cache without writing to disk, the attack remains nearly invisible to traditional security tools.
- CISA listed the vulnerability in the KEV catalog on May 1, 2026, setting a remediation deadline of May 15 for federal civilian agencies.
- The exploit is a compact 732-byte Python script that works unmodified across Ubuntu, Amazon Linux, RHEL, and SUSE, providing deterministic root access.
- The flaw leverages the algif_aead crypto subsystem combined with splice() and the authencesn algorithm to corrupt 4 bytes in the in-memory page cache of readable files, including setuid binaries.
- Shared page caches between hosts and containers put Docker, LXC, and Kubernetes environments at risk of cross-container escapes.
The Mechanics of Page Cache Corruption
The vulnerability resides within the AF_ALG cryptographic subsystem, specifically the algif_aead interface designed for AEAD operations. When combined with the splice() system call and the authencesn algorithm, an attacker can insert pages from the page cache of readable files into a scatterlist that the system erroneously treats as writable. During in-place decryption, authencesn uses the destination buffer as scratch space, writing 4 bytes beyond the intended boundary.
This controlled write deterministically corrupts the in-memory page cache of the target file—such as an active setuid binary—without marking the pages as "dirty." Consequently, the kernel continues to execute the altered binary in RAM, granting the attacker root privileges. Because the physical file on disk remains untouched, the compromise disappears upon reboot, leaving behind very few forensic artifacts.
Technical analysis from xint.io suggests the vulnerability is the result of a chain of three separate changes introduced to the upstream code in 2011, 2015, and 2017. This explains why nearly every mainstream distribution is currently exposed, as they all share this specific path within the cryptographic subsystem.
The proof-of-concept exploit is condensed into a 732-byte Python script, totaling about ten lines of code. Researchers at Theori demonstrated that the exact same file works unmodified on Ubuntu, Amazon Linux, RHEL, and SUSE, consistently achieving root access in every test case.
"Same script, four distributions, four root shells — in one take. The same exploit binary works unmodified on every Linux distribution" — Theori researchers (via BleepingComputer)
Stealth and Cross-Container Risks
The most dangerous characteristic of Copy Fail is its total lack of disk persistence. Because corruption occurs exclusively in the in-memory page cache and the kernel does not flag the altered pages as dirty, no write operations are triggered on the storage blocks. As Google-owned Wiz observed, "Because the page cache represents the in-memory version of executables, modifying it effectively alters binaries at execution time without touching disk."
This behavior makes the attack extremely difficult to detect via standard filesystem monitoring, integrity hashes, or traditional endpoint protection platforms. The effect is transient: once the system reboots, the original binary is reloaded from disk, erasing all traces of manipulation. For security teams, this means forensic evidence is largely limited to volatile memory.
Furthermore, the sharing of the page cache between hosts and containers amplifies the risk. Kaspersky has noted that Docker, LXC, and Kubernetes environments expose the AF_ALG subsystem to internal processes by default. A single compromised container can therefore inject corruption into the host's page cache, bypassing isolation and gaining total control over the physical node.
In multi-tenant infrastructures, such as cloud platforms or nodes dedicated to cryptographic workloads, the compromise of one tenant can translate immediately into cross-container root access. The combination of stealth and portability transforms a local flaw into a large-scale infrastructure threat.
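One concrete way to look for the in-memory-only tampering described in this section, added here as an example that is not from the article or from any of the researchers it cites: read each setuid binary twice, once through the page cache (as every ordinary hash-based integrity check does) and once with O_DIRECT, which bypasses the cache, and compare the two. It goes beyond the article by turning the "page cache versus disk" observation into a check; it assumes GNU dd, sha256sum, and a filesystem that honours O_DIRECT (ext4 and xfs do; some tmpfs, overlay or network mounts refuse it).

```shell
#!/bin/sh
# Added example (not from the article or any vendor tool): compare the bytes the
# page cache serves for a file with the bytes on storage. A normal read is
# answered from the page cache; "dd iflag=direct" reads with O_DIRECT and
# bypasses it. For a file nobody has written, a mismatch is the signature of
# pages that were altered in RAM without being marked dirty.

# cache_matches_disk FILE -> 0 = cached and on-disk bytes agree,
#                            1 = MISMATCH, 3 = direct read not possible here
cache_matches_disk() {
    f=$1
    tmp=$(mktemp) || return 3
    # The kernel writes back dirty pages before an O_DIRECT read, so a file that
    # was legitimately modified still compares equal. Pages corrupted without
    # the dirty flag are never written back, so they differ from the disk copy.
    if ! dd if="$f" of="$tmp" iflag=direct bs=1M 2>/dev/null; then
        rm -f "$tmp"; return 3
    fi
    cached=$(sha256sum "$f" | cut -d' ' -f1)     # served from the page cache
    direct=$(sha256sum "$tmp" | cut -d' ' -f1)   # what the storage holds
    rm -f "$tmp"
    [ "$cached" = "$direct" ] && return 0
    return 1
}

# scan_setuid [ROOT] -> one line per setuid binary that differs from disk or
# could not be checked (setuid binaries are the targets the article names).
scan_setuid() {
    find "${1:-/}" -xdev -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        rc=0; cache_matches_disk "$f" || rc=$?
        case $rc in
            1) echo "MISMATCH $f  (cache differs from disk; capture memory before reboot)" ;;
            3) echo "SKIPPED  $f  (O_DIRECT read unsupported on this filesystem)" ;;
        esac
    done
}

main() {
    report=$(scan_setuid "${1:-/}")
    [ -n "$report" ] && echo "$report"
    echo "setuid binaries with cache/disk mismatch: $(printf '%s\n' "$report" | grep -c '^MISMATCH')"
}
main "$@"
```

Run it before rebooting: as the article notes, a reboot reloads the clean binary from disk and the discrepancy, along with the evidence, disappears.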
Evidence of Active Exploitation
CISA formalized the emergency by adding CVE-2026-31431 to the KEV catalog on May 1, 2026, confirming active exploitation in the wild. The agency activated Binding Operational Directive 22-01, giving federal agencies only two weeks to remediate. Such a short window highlights the gravity of the threat.
The responsible disclosure process followed a compressed timeline. According to crypto.news, Theori submitted a private report to the Linux kernel security team on March 23, 2026. A mainline patch was released on April 1, and the CVE was assigned on April 22. This rapid pace left little room for backporting before active exploitation began.
Simultaneously, the Microsoft Defender Security Research Team stated it is "seeing preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days." This suggests threat actors are currently refining the exploit for broader campaigns. It remains unclear if the attacks observed by CISA represent a wide-scale operation or targeted preliminary weaponization.
While the vulnerability received a CVSS score of 7.8—placing it in the "High" rather than "Critical" bracket—experts argue that the simplicity, universality, and lack of user interaction required make the practical risk significantly higher than the score suggests.
Recommended Actions
- Update immediately to Linux kernel versions 6.18.22, 6.19.12, and 7.0, or equivalent backported patches, prioritizing internet-facing or multi-user systems.
- Prioritize patching for Docker, LXC, and Kubernetes nodes, where page cache sharing exposes the host to container escapes.
- Verify if the algif_aead module is loaded in production environments; the vulnerability can only be exploited where the AF_ALG subsystem is active.
- Enhance kernel and memory-level monitoring, as disk-based integrity checks are insufficient for detecting this exploit.
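A read-only exposure check covering the first and third actions above, added here as an example (it is not a tool from CISA, Theori or any distribution): it compares the running kernel against the mainline fix versions the article names and reports whether algif_aead is loaded, built in, blocked from autoloading, or merely loadable. Vendor kernels carry backports under their own version numbers, so for anything outside the 6.18, 6.19 and 7.x branches the version check answers "unknown" and the distribution advisory is authoritative.

```shell
#!/bin/sh
# Added example (not from the article or any vendor tool): read-only check of
# whether a host looks exposed to CVE-2026-31431 "Copy Fail". Fix versions are
# the ones the article quotes: 6.18.22, 6.19.12 and 7.0 (mainline only).

# kernel_is_patched VERSION -> 0 = at/after the mainline fix, 1 = mainline
# branch below the fix, 2 = cannot tell from the version string alone.
kernel_is_patched() {
    v=${1%%-*}                          # drop "-generic", "-amd64", ...
    major=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0        # bare "7" has no minor component
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "7.0" has no patch component
    patch=${patch%%[!0-9]*}             # "22+" or "22.1" -> "22"
    case "$major.$minor" in
        6.18) [ "${patch:-0}" -ge 22 ] && return 0 || return 1 ;;
        6.19) [ "${patch:-0}" -ge 12 ] && return 0 || return 1 ;;
    esac
    [ "$major" -ge 7 ] && return 0
    return 2                            # 6.17 and older: consult the vendor advisory
}

# algif_aead_status -> loaded | builtin | blocked | loadable | absent.
# "loadable" still counts as exposed: AF_ALG autoloads algif_aead the first
# time a process asks for an aead socket, unless modprobe.d forbids it.
algif_aead_status() {
    rel=$(uname -r 2>/dev/null)
    if grep -qs '^algif_aead ' /proc/modules; then echo loaded
    elif grep -qs 'algif_aead' "/lib/modules/$rel/modules.builtin"; then echo builtin
    elif grep -rEqs '^install[[:space:]]+algif_aead' /etc/modprobe.d; then echo blocked
    elif modinfo algif_aead >/dev/null 2>&1; then echo loadable
    else echo absent
    fi
}

main() {
    rel=$(uname -r 2>/dev/null || echo 0.0.0)
    rc=0; kernel_is_patched "$rel" || rc=$?
    case $rc in
        0) echo "kernel $rel: at or after the mainline fix" ;;
        1) echo "kernel $rel: mainline branch below the fix, patch now" ;;
        2) echo "kernel $rel: cannot judge from the version alone, check the vendor advisory" ;;
    esac
    echo "algif_aead: $(algif_aead_status)"
}
main "$@"
```

Only the blocked and absent states (or a patched kernel) are reassuring: "not loaded" is not "not reachable", because the module is loaded on demand the first time an AF_ALG aead socket is requested.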
Copy Fail illustrates how a series of seemingly minor kernel changes can evolve into a universal, nearly invisible attack vector years later. The combination of total portability, microscopic exploit size, and zero disk footprint lowers the barrier for attackers to dangerous levels across all Linux environments. CISA’s two-week deadline is a sobering confirmation that the risk is immediate, and a vulnerability window open since 2017 must be closed without delay.
Frequently Asked Questions
Does the exploit require physical or remote access?
This is not a remote exploit. It is a local privilege escalation (LPE) flaw, meaning an attacker must first gain an initial foothold on the system, such as through a compromised SSH session or a malicious CI job.
Why don't antivirus or EDR tools detect the attack?
Because the corruption occurs only in the in-memory page cache without writing to the disk, filesystem integrity checks and traditional signatures fail to see the modification. Specialized kernel or memory monitoring is required.
Are isolated containers really at risk without privileges?
Yes. The page cache is shared between the host and its containers, and the AF_ALG subsystem is typically accessible to containerized processes. An unprivileged container can corrupt host setuid binaries to force an escape.
Information has been verified against cited sources and is current as of the date of publication.
Sources
- https://www.bleepingcomputer.com/news/security/cisa-says-copy-fail-flaw-now-exploited-to-root-linux-systems/
- https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html
- https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html
- https://crypto.news/cisa-adds-linux-copy-fail-flaw-to-exploited-bug-list/
- https://xint.io/blog/copy-fail-linux-distributions