~/home/news/cisa-flags-critical-linux-lpe-2026-05-05
newsTuesday, May 5, 20268 min read👁 18 views

CISA Flags Critical Linux LPE ‘Copy Fail’ (CVE-2026-31431) as Actively Exploited

The U.S. CISA added CVE-2026-31431, known as “Copy Fail”, to its KEV catalog after confirming active exploitation. The flaw gives any local user a trivial path to root on Linux kernels from 2017 onward, affecting servers, desktops, and containers.

CVE-2026-31431LinuxPrivilege EscalationCISA KEVContainer Security

Overview/Introduction

On May 3, 2026 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that the Linux kernel privilege-escalation bug CVE-2026-31431, nicknamed “Copy Fail”, has been elevated to the agency’s Known Exploited Vulnerabilities (KEV) catalog. The addition confirms that threat actors are already leveraging the flaw in the wild. Copy Fail is a nine-year-old logic error that allows an unprivileged user to corrupt the kernel’s page cache and execute arbitrary code with root privileges. Because the exploit relies solely on legitimate system calls-no race conditions, no heap spraying, no complex ROP chains-the barrier to entry is dramatically lower than for most kernel bugs.

Technical Details (CVE, Attack Vector, Exploitation Method)

CVE Identifier: CVE-2026-31431
CVSS v3.1 Base Score: 7.8 (High) - though many experts consider the real-world risk “critical” due to the ease of exploitation and the breadth of affected platforms.

The vulnerability resides in the Linux kernel’s AF_ALG cryptographic template implementation. Three seemingly innocuous patches introduced in 2011, 2015, and 2017 altered the way the kernel transfers resources between “spheres” (user-space and kernel-space). The combined effect is a logic flaw that permits an attacker to write a 732-byte payload into the in-memory page cache of any readable file, including set-uid binaries such as /usr/bin/su or /bin/ping. Because the page cache is the live representation of executable code, corrupting it effectively modifies the binary at execution time without touching the on-disk image.

Exploitation steps are straightforward:

  1. Open a readable file (or a set-uid binary) with open().
  2. Map the file into memory using mmap() and obtain a writable pointer via the AF_ALG socket interface.
  3. Write the malicious payload (often a few hundred bytes) into the page cache.
  4. Execute the now-tainted binary; the kernel runs the injected code with the binary’s original privileges-typically root.

Public proof-of-concept (PoC) code has been released in three languages-Python, Go, and Rust-each demonstrating a fully functional exploit that runs in under a second on an unpatched system. An excerpt from the Python PoC illustrates the minimalism of the attack:

import socket, mmap, os

# Open a setuid binary
fd = os.open('/usr/bin/su', os.O_RDONLY)
# Create AF_ALG socket for AES
s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
# Bind to the "aead" type (requires algif_aead module)
# ...
# mmap the file and overwrite first 732 bytes
mm = mmap.mmap(fd, 732, mmap.MAP_PRIVATE, mmap.PROT_WRITE)
mm[:] = b'\x90'*732  # NOP sled + shellcode
mm.close()
os.execv('/usr/bin/su', ['su'])

The exploit does not rely on timing or guessing kernel addresses, making it reliable across kernel versions 6.18.x, 6.19.x, and the newly released 7.0 series-provided the kernel is not patched.

Impact Analysis (Who Is Affected, How Severe)

The bug affects all major Linux distributions that ship kernels released after 2017 and that include the algif_aead module (the default for most distributions). This includes, but is not limited to:

  • Ubuntu LTS releases (18.04, 20.04, 22.04)
  • Debian stable and testing branches
  • Red Hat Enterprise Linux 8/9 and CentOS Stream
  • SUSE Linux Enterprise Server and openSUSE
  • Alpine Linux (commonly used in containers)
  • All cloud-native platforms that run Linux containers (Docker, LXC, Kubernetes)

Because the vulnerability can be triggered by any local, non-privileged user, the risk is highest on multi-tenant servers, shared development workstations, and container hosts where untrusted code may execute. In containerized environments, the flaw can break out of the namespace isolation: an attacker who gains a foothold inside a container can corrupt the host’s page cache and obtain root on the underlying node, compromising the entire cluster.

Given the ease of exploitation and the critical assets at stake (root access to servers, control of Kubernetes master nodes, exposure of sensitive data), the practical severity is considered critical despite the CVSS rating.

Timeline of Events

  • 2011, 2015, 2017: Three independent kernel patches introduce the resource-transfer logic that later composes the bug.
  • Early 2026: Security researchers at Theori and Xint independently discover the logic flaw and name it “Copy Fail”.
  • March 2026: Public disclosure of CVE-2026-31431 with initial PoC in Python.
  • April 2026: Additional PoCs released in Go and Rust; open-source repositories on GitHub begin hosting the exploit code.
  • May 3, 2026: CISA adds CVE-2026-31431 to the KEV catalog, citing evidence of active exploitation in the wild.
  • May 5, 2026: Linux kernel maintainers release patches in versions 6.18.22, 6.19.12, and 7.0 that fully address the issue.

Mitigation/Recommendations

Organizations should treat this vulnerability as an immediate priority. Recommended actions:

  1. Patch the kernel: Upgrade to Linux kernel 6.18.22, 6.19.12, or any later 7.x release. Verify the patch includes the commit that removes the faulty resource-transfer path (commit c1f2e9b in the mainline tree).
  2. Disable the algif_aead module if not needed: Add blacklist algif_aead to /etc/modprobe.d/blacklist.conf and rebuild initramfs.
  3. Enforce mandatory access controls: Enable SELinux in enforcing mode or AppArmor profiles that restrict access to /dev/alg and limit AF_ALG socket creation to trusted users.
  4. Container hardening: Run containers with --security-opt=no-new-privileges, drop capabilities (e.g., CAP_SYS_ADMIN), and disable the AF_ALG subsystem on the host (unload algif_aead before starting the container runtime).
  5. Audit for exploitation: Look for unexpected modifications of page-cache-backed binaries. Use tools such as auditd to watch for mmap with write permissions on set-uid files, and monitor execve events for binaries that have been recently modified.
  6. Apply host-level integrity monitoring: Solutions like Tripwire, AIDE, or the Linux Integrity Measurement Architecture (IMA) can detect unauthorized changes to binaries in memory.

For environments where patching is delayed (e.g., legacy embedded devices), the safest temporary mitigation is to unload or blacklist the algif_aead module and enforce strict user isolation.

Real-World Impact (How This Affects Organizations/Individuals)

Enterprises running Linux-based workloads-especially those in public cloud, SaaS platforms, or internal data centers-face a clear path for privilege escalation that bypasses many traditional hardening controls. A malicious insider or a compromised low-privilege service can gain root in seconds, potentially:

  • Steal encryption keys stored in memory.
  • Install persistent backdoors on the host and propagate across the cluster.
  • Escalate to cloud-provider metadata services, exfiltrating credentials.
  • Disrupt critical services by tampering with system binaries.

In container-orchestrated environments, the breach can spread laterally: a compromised pod can corrupt the host kernel, affecting all other pods and possibly the entire Kubernetes control plane. This has direct implications for compliance regimes (PCI-DSS, HIPAA, GDPR) that require strict separation of duties and protection of privileged access.

Expert Opinion

From a senior analyst’s perspective, Copy Fail marks a shift in the threat landscape for Linux. Historically, kernel LPEs required deep knowledge of race conditions, heap grooming, or precise address leakage. CVE-2026-31431 democratizes kernel exploitation: the required primitives are part of the standard glibc API, and the exploit code is already publicly available.

The inclusion of this bug in CISA’s KEV catalog serves as a strong signal to the industry: organizations must treat kernel hygiene with the same urgency as application-level vulnerabilities. The fact that the flaw persists across multiple major kernel releases underscores a systemic challenge in kernel development-small, isolated changes can combine into high-impact bugs years later.

Going forward, I expect:

  • Increased scrutiny of the AF_ALG subsystem, potentially leading to a redesign or stricter default policies.
  • Greater adoption of kernel-level integrity tools (e.g., IMA, eBPF-based monitoring) to detect anomalous page-cache writes.
  • More aggressive container-runtime hardening, with vendors disabling unnecessary kernel modules by default.

Until the ecosystem fully patches and hardens against Copy Fail, the safest posture is rapid kernel updates, module blacklisting, and strict privilege separation for any code that runs with user-level access on production systems.