"Copy Fail" Lands on CISA's KEV: A Nine-Year-Old Linux Bug Becomes a Patch Deadline
CISA adds nine-year-old Linux kernel privilege escalation bug CVE-2026-31431 to KEV catalog with working PoC.
Summary
On May 1, 2026, CISA added CVE-2026-31431 ("Copy Fail"), a local privilege escalation vulnerability in the Linux kernel's algif_aead cryptographic module, to its Known Exploited Vulnerabilities catalog. The bug, present since 2017 and affecting all major Linux distributions, allows unprivileged users to achieve root access through a 4-byte kernel page cache overwrite via AF_ALG sockets and splice() syscalls. With a public 732-byte Python proof-of-concept, multiple language ports already circulating, and in-the-wild exploitation observed, federal agencies must patch by May 15, 2026 under BOD 22-01, while container and Kubernetes environments face particular risk.
Full text
On May 1, 2026, CISA added CVE-2026-31431, better known as "Copy Fail," to its Known Exploited Vulnerabilities (KEV) catalog. Federal civilian agencies have until May 15 to patch under BOD 22-01. Everyone else should read that deadline as a strong hint.

Copy Fail is a local privilege escalation bug in the Linux kernel's algif_aead cryptographic module, the userspace crypto API exposed through AF_ALG. It carries a CVSS score of 7.8 and has quietly existed since 2017, affecting essentially every mainstream distribution: Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16, and others.

The mechanics are uncomfortably elegant. By chaining AF_ALG sockets with the splice() syscall and a botched error path, an unprivileged user can land a controlled 4-byte overwrite in the kernel page cache. That is enough to corrupt a setuid binary and walk straight to UID 0.

Theori, the firm that disclosed the bug on April 29, published a 732-byte Python proof of concept they describe as "100% reliable" across major distros. Go and Rust ports have already shown up in open-source repositories, and Microsoft Defender is reporting preliminary in-the-wild testing activity.

Container operators should pay particular attention. Exploitation needs no kernel modules, no special capabilities, and no network access, which makes it a clean post-exploitation step inside Kubernetes pods, Docker CI runners, and shared multi-tenant hosts. A foothold that used to be a nuisance now becomes a root shell.

Patches are available in kernel versions 6.18.22, 6.19.12, and 7.0.

Practical priorities:
- Inventory kernel versions across hosts, containers, golden images, and self-managed cloud VMs. Running fleets and AMIs are separate problems.
- Patch and reboot, then verify the kernel version actually changed.
- Where patching lags, restrict local code execution paths: tighten container runtime policies, audit who can land jobs on CI runners, and review SSH access.
- Refresh base images so tomorrow's autoscaled nodes are not vulnerable replacements for today's fixed ones.

KEV is a triage signal, not a vulnerability encyclopedia. When something this trivially exploitable lands on the list with a working PoC already public, it is worth treating the deadline as your deadline too.
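As an added illustration of the inventory and post-reboot verification steps above (example code written for this note, not Theori's or CISA's), the following Python compares `uname -r` strings against the upstream fixed versions the article lists. The sample host list is constructed, and the check is an assumption about version strings only: distribution kernels that backport the fix without bumping the upstream version will show as needing a patch here and must be checked against the vendor advisory instead.

```python
import os
import re

# Upstream releases carrying the fix, as listed in the article: 6.18.22, 6.19.12, 7.0.
FIXED_PATCH_LEVEL = {(6, 18): 22, (6, 19): 12}  # (major, minor) -> first fixed patch level
FIRST_FIXED_SERIES = (7, 0)                      # 7.0 and every later series are fixed

# Constructed sample inventory: hostname -> output of `uname -r` on that host.
SAMPLE_HOSTS = {
    "web-01": "6.18.21-generic",        # one point release short of the fix
    "web-02": "6.18.22-generic",        # fixed
    "ci-runner-03": "6.19.12-arch1-1",  # fixed
    "k8s-node-07": "7.0.0",             # fixed
    "legacy-db": "6.1.90-1-amd64",      # older series, not covered by the listed fixes
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release):
    """Extract (major, minor, patch) from a `uname -r` string; distro suffixes
    such as '-generic' or '-1-amd64' are ignored, a missing patch level reads as 0."""
    match = VERSION_RE.match(release.strip())
    if not match:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_fixed_upstream(release):
    """True if the upstream version is at or above a fixed release. Distro kernels
    that backport the fix under an older version string are reported as NOT fixed
    here and must be checked against the vendor advisory instead."""
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) >= FIRST_FIXED_SERIES:
        return True
    first_fixed = FIXED_PATCH_LEVEL.get((major, minor))
    return first_fixed is not None and patch >= first_fixed


def triage(hosts):
    """Classify each host as 'fixed' or 'needs-patch' from its `uname -r` output."""
    return {host: ("fixed" if is_fixed_upstream(rel) else "needs-patch")
            for host, rel in hosts.items()}


if __name__ == "__main__":
    # `uname -r` is the running kernel: re-run after reboot to confirm the version changed.
    inventory = dict(SAMPLE_HOSTS, localhost=os.uname().release)
    for host, status in triage(inventory).items():
        print(f"{host:14} {inventory[host]:20} {status}")
```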
Indicators of Compromise
- cve — CVE-2026-31431