HIGH: 'Copy Fail' Linux Kernel Bug Lets Locals Get Root, CISA Confirms Active Exploitation (CVE-2026-31431)

If you operate a Linux server, and statistically you do, today is patching day. CISA dropped CVE-2026-31431 into the Known Exploited Vulnerabilities catalog on May 1 with a federal mitigation deadline of May 15, confirming what kernel watchers had been quietly worried about since the bug went public on April 29. The flaw, christened "Copy Fail" by the Theori researcher who found it, lets any unprivileged local user climb to root on essentially every Linux kernel released since 2017. That covers Ubuntu, Red Hat, SUSE, Amazon Linux, Debian, Alpine, and the rest. If your distro shipped after the iPhone 8, you are in scope.

The advisory carries a CVSS v3 score of 7.8, which sounds reassuring until you read the vector string. AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H translates to local access required, low complexity, low privileges, no user interaction, and total compromise of confidentiality, integrity, and availability. The score caps at 7.8 because the attacker has to be on the box already, but in 2026 that is a very low bar. Every shared hosting environment, every Kubernetes node running multi-tenant workloads, every CI runner that executes untrusted pull-request code, every web app server with a remote-shell foothold, all of those qualify. CISA does not add things to KEV without evidence of real-world abuse, and the unusually tight two-week federal deadline for what the score implies tells you everything you need to know about how this is playing out in the wild.

The technical story is a small one with enormous blast radius. The vulnerable code lives in algif_aead, the kernel module that exposes authenticated encryption with associated data through the userspace AF_ALG socket family. The interface lets userland do in-place AEAD operations where source and destination buffers can come from the same memory mapping. The kernel is supposed to refuse the in-place case when the mappings actually differ, and this is where the logic falls apart. By feeding crafted scatter-gather lists where source and destination land in different mappings while the kernel still treats them as in-place, an attacker can persuade the cryptographic path to write controlled bytes into a destination it had no business touching. CWE-669, "Incorrect Resource Transfer Between Spheres," is the textbook label, and it is doing a lot of work here.

The exploitation primitive that falls out of that bug is what makes this one painful. Researchers are describing it as a 732-byte primitive that lets an unprivileged user modify the kernel's page cache copy of any readable file in memory without ever touching the file on disk. If you have read access to a SUID binary, you can rewrite the cached pages of that binary so the next execve runs your code as root. The on-disk file remains untouched and forensically clean, which is exactly why this is going to ruin a lot of people's incident response. Dirty Cow back in 2016 and Dirty Pipe in 2022 both leaned on race conditions or write-position constraints that made them flaky in practice. Copy Fail does not. The public proof of concept on GitHub is a short Python script that works on the first try, every time, with no timing tricks. Taeyang Lee at Theori reportedly discovered it using their AI-assisted analysis tool Xint Code, which is a sentence that should make you slightly uncomfortable about how the next few years of kernel research are going to go.

The timeline is, by upstream standards, fast. Theori reported the bug on March 23. The kernel maintainers had patches in mainline by April 1. The CVE landed on April 22, public disclosure followed on April 29, and CISA put the bug on the KEV list on May 1. Anyone who started patching the day disclosure dropped is in fine shape. Anyone who runs distros that pulled the upstream stable updates within a week is mostly fine. Anyone still running a March kernel on production today, which based on the typical enterprise patching tempo is most of you, has a problem.

Patched kernel versions were issued across every long-term-support branch the kernel team still maintains. The fixed releases are 5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.22, 6.19.12, and the brand-new 7.0 series. Distro builds caught up over the following days. Ubuntu 22.04 and 24.04 shipped fixed kernels in the first week of April, Red Hat pushed RHEL 8 and 9 errata around the same time, SUSE released SLES 15 SP5 and SP6 patches, Amazon Linux 2 and 2023 pulled the upstream fix, Debian Bookworm and Trixie are current, and Oracle Linux UEK followed within days. Container distros are the place to double-check. If you build images on a base that has not been refreshed since March, you are shipping vulnerable kernels into every workload that uses that image, and a privileged container break-in escalates the same way as any other local foothold.

For shops that cannot reboot into a fresh kernel right this minute, two mitigations buy time. The cleanest is disabling the algif_aead module entirely with rmmod algif_aead and a corresponding entry in modprobe.d to block reload. That kills the userspace AEAD interface, which is rarely used outside of specific cryptographic libraries, so the blast radius from removing it is small. If your kernel was compiled with algif_aead built in rather than as a loadable module, which some hardened or container-optimized kernels are, you will need the boot-time approach. Adding initcall_blacklist=algif_aead_init to your kernel command line in GRUB, or the equivalent in your bootloader of choice, prevents the module from initializing at boot. Either approach buys you the patching window without having to pretend nothing is wrong.

Detection is harder than mitigation, which is the genuinely bad news. Because the exploit modifies cached file pages without touching disk, your standard file integrity monitoring agents will see nothing. AIDE and Tripwire and the syscheck module in Wazuh all hash on-disk files, not the kernel's page cache, and the on-disk binary stays clean. The reliable signals live elsewhere. EDR products with kernel-level visibility into module load events should already be alerting on unexpected use of AF_ALG by non-cryptographic processes. Auditd rules looking for socket calls into AF_ALG SOCK_SEQPACKET from binaries that have no business doing crypto are a cheap and effective tripwire, and the audit syntax for that is straightforward. Sigma rules covering the public PoC have been circulating on the usual channels since April 30, and most major detection vendors had coverage shipped by the start of this week. Process execution monitoring also helps. If a non-root user spawns a child process that suddenly runs as uid 0 from a SUID binary they have not legitimately touched in the past, that is the moment something is on fire.

CISA's May 15 mitigation deadline applies to federal civilian agencies, but it is an excellent benchmark for everyone else. Two weeks is generous given the existence of a working public exploit and confirmed in-the-wild use. Any production Linux host you cannot patch by then needs algif_aead disabled today and an honest conversation with whoever owns it about why the patch is taking so long. This is the kind of vulnerability that justifies the patching service you have been trying to sell since the last reorganization. The clients running their own Linux fleets without a managed kernel update program are the ones who will still be unpatched in June, and the ones who will pay any number you quote after a breach. There is also a clean upsell story for managed EDR with kernel-level telemetry, since the on-disk-stealthy nature of Copy Fail is a textbook case study for why agentless or signature-based tooling is not enough on modern Linux workloads.