Full Report
CISA has warned that threat actors have started exploiting the "Copy Fail" Linux security vulnerability in the wild, one day after Theori researchers disclosed it and shared a proof-of-concept (PoC) exploit. [...]
Analysis Summary
# Vulnerability: "Copy Fail" Linux Kernel Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-31431
- **CVSS Score:** Not explicitly listed in text, but categorized as "High" severity/Critical impact (enables root access).
- **CWE:** Included in the Linux kernel's `algif_aead` cryptographic interface (likely related to Buffer Overflow or Memory Corruption).
## Affected Systems
- **Products:** Linux Kernel
- **Versions:** Essentially every mainstream Linux distribution shipped since 2017 until the patch date (May 2026).
- **Configurations:** Systems utilizing the `algif_aead` cryptographic algorithm interface.
- **Confirmed Distros:**
- Ubuntu 24.04 LTS
- Amazon Linux 2023
- RHEL 10.1
- SUSE 16
- Any other distribution using a vulnerable kernel version from 2017 onwards.
## Vulnerability Description
The "Copy Fail" flaw exists in the `algif_aead` cryptographic algorithm interface of the Linux kernel. The vulnerability allows an unprivileged local user to write four controlled bytes to the page cache of any readable file. By manipulating these bytes, an attacker can corrupt sensitive system files or memory structures in the page cache to elevate their privileges to root.
## Exploitation
- **Status:** Exploited in the wild; Proof-of-Concept (PoC) available.
- **Complexity:** Low (A single "100% reliable" Python script works across different distributions).
- **Attack Vector:** Local (Requires initial access to the system as an unprivileged user).
## Impact
- **Confidentiality:** High (Full system access/root privileges).
- **Integrity:** High (Ability to modify any file on the system).
- **Availability:** High (Ability to crash the system or modify critical boot files).
## Remediation
### Patches
- **Mainstream Linux Distributions:** Major vendors (Ubuntu, Red Hat, SUSE, Amazon) have begun pushing kernel updates. Users should update their Linux kernel to the latest version provided by their distribution maintainers immediately.
- **FCEB Agencies:** Must patch by May 15, 2026, per CISA mandate.
### Workarounds
- **No specific technical workarounds** were provided in the article other than applying official kernel updates or discontinuing use of the product if unpatched.
## Detection
- **Indicators of Compromise:** Look for unauthorized privilege escalation events or unusual modifications to system files that should only be accessible by root.
- **Detection methods and tools:** Monitor for use of the `algif_aead` interface by unprivileged processes. CISA recommends prioritizing this CVE in vulnerability scans.
## References
- CISA Known Exploited Vulnerabilities Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- Theori Research Advisory: hxxps[://]copy[.]fail/
- Debian Security Tracker: hxxps[://]security-tracker[.]debian[.]org/tracker/CVE-2026-31431
- BleepingComputer Article: hxxps[://]www[.]bleepingcomputer[.]com/news/security/cisa-says-copy-fail-flaw-now-exploited-to-root-linux-systems/