CISA Warns of Ongoing Exploitation of "Copy Fail" Vulnerability in Linux

CISA has warned that threat actors are already exploiting the "Copy Fail" vulnerability in the wild, just 24 hours after public disclosure by Theori researchers. The flaw, tracked as CVE-2026-31431, affects algif_aead, part of the user-space interface to the Linux kernel's cryptographic API, and allows unprivileged local users to obtain root privileges on unpatched systems.

Rapid Response

The Copy Fail vulnerability (CVE-2026-31431) enables privilege escalation on Linux. It affects distributions released since 2017. There is a 100% reliable Python exploit. Patches are available but not for all distributions. CISA orders federal agencies to patch by May 15.

A 100% Reliable Python Exploit Hits Major Distributions

Theori researchers published a Python-based exploit on Thursday described as "100% reliable," effective against Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. The script also works against other Linux distributions released since 2017 with vulnerable kernel versions.

The Problem of Patches Not Yet Available

Will Dormann, principal analyst at Tharros, noted that official updates were not available at the time of Theori's advisory publication. This created a window of opportunity for threat actors before patches could be distributed and applied.

CISA Adds Vulnerability to KEV Catalog

On Friday, CISA added the Copy Fail vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their Linux endpoints and servers within two weeks, by May 15, as mandated by Binding Operational Directive (BOD) 22-01.

Significant Risks to Federal Enterprise

CISA emphasized that such vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise. The agency recommended applying mitigations per vendor instructions, following relevant BOD 22-01 guidelines for cloud services, or ceasing use of the product if mitigations are unavailable.

Another High-Risk Vulnerability Patched

Earlier this month, Linux distributions patched another high-risk root privilege escalation vulnerability, identified as CVE-2026-41651 and nicknamed Pack2TheRoot, which had been present for over a decade in the PackageKit daemon.

Implications for Linux Network Security

While BOD 22-01 applies only to U.S. government agencies, CISA urged all security teams to secure their networks as soon as possible, prioritizing patches for CVE-2026-31431. The discovery of this vulnerability underscores the importance of keeping Linux systems updated and applying security patches as soon as they are available.

The Urgency of Applying Patches

The timing of the vulnerability disclosure and subsequent exploitation highlights the urgency of applying security patches. Organizations using Linux distributions must act quickly to protect their systems from potential attacks exploiting this vulnerability.

Impact on Mainstream Linux Distributions

Theori stated that the same exploit script works unmodified on every mainstream Linux distribution. This means any system with a kernel built between 2017 and the patch release date is potentially vulnerable. Organizations must verify the kernel versions of their systems and apply the appropriate patches.
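One way to carry out that inventory on a host, as an added example that is not part of the article or of Theori's advisory: a POSIX shell script that reports the running kernel release and whether the algif_aead module the advisory names (and af_alg, the socket family it registers with) is built into the kernel, currently loaded, blocked by a modprobe.d rule, or simply available for autoloading. The article gives no fixed kernel version numbers, so the script prints the release string for comparison against the vendor advisory rather than judging it. The modprobe.d `install <module> /bin/false` check reflects a general hardening convention for modules a host does not need, not a mitigation the article states; the file paths are parameters so the functions can be exercised against constructed input.

```shell
#!/bin/sh
# Added example, not code from the article or from Theori. Host inventory for the
# module named in the advisory: reports the kernel release and the state of
# algif_aead / af_alg so a defender can compare against the vendor's fix.

# Running kernel release string. The article does not give fixed version numbers,
# so this is printed for comparison with the vendor advisory, not evaluated here.
kernel_release() {
    uname -r
}

# Is $1 currently loaded? $2 is a /proc/modules-style file; each line there starts
# with "<name> <size> ...", hence the trailing space in the pattern.
module_loaded() {
    [ -r "$2" ] || return 1
    grep -q "^$1 " "$2"
}

# Is $1 compiled into the kernel? $2 is a modules.builtin-style file whose lines
# look like "kernel/crypto/af_alg.ko".
module_builtin() {
    [ -r "$2" ] || return 1
    grep -q "/$1\.ko\$" "$2"
}

# Does a modprobe.d directory ($2) contain a rule that stops $1 from loading?
# "install <mod> /bin/false" defeats explicit and automatic loading; "blacklist <mod>"
# only stops alias-based autoloading, but both are reported as a blocking rule.
module_blocked() {
    [ -d "$2" ] || return 1
    grep -rqE "^[[:space:]]*(install[[:space:]]+$1[[:space:]]+/bin/(false|true)|blacklist[[:space:]]+$1)([[:space:]]|\$)" "$2"
}

# One word summarising $1: builtin, loaded, blocked or available.
# $2 /proc/modules path, $3 modules.builtin path, $4 modprobe.d directory; all
# default to the live system locations. Order matters: a rule in modprobe.d does
# nothing for a module that is already loaded, so the running state is checked
# before the policy.
module_state() {
    _mod="$1"
    _modules="${2:-/proc/modules}"
    _builtin="${3:-/lib/modules/$(uname -r)/modules.builtin}"
    _modprobe="${4:-/etc/modprobe.d}"
    if module_builtin "$_mod" "$_builtin"; then
        echo builtin
    elif module_loaded "$_mod" "$_modules"; then
        echo loaded
    elif module_blocked "$_mod" "$_modprobe"; then
        echo blocked
    else
        echo available
    fi
}

# Report for the modules relevant to the advisory on the live host.
report() {
    echo "kernel release: $(kernel_release)"
    for _m in algif_aead af_alg; do
        echo "$_m: $(module_state "$_m")"
    done
}

report
```

A result of `loaded` means an `install` rule alone changes nothing until the module is unloaded or the host reboots, which is why the script checks the running state before the policy; a result of `builtin` means the module cannot be unloaded or blocked at all. In every case the vendor-supplied kernel update the article points to remains the actual fix; the module check only tells you how exposed the host is while waiting for it.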

The Need for Proactive Vulnerability Management

This incident underscores the importance of proactive vulnerability management in cybersecurity. Organizations must actively monitor vulnerability disclosures, assess their risk, and apply security patches in a timely manner to prevent potential compromises.

Considerations for Organizations Using Linux

Organizations using Linux distributions must prioritize the security of their systems. This includes monitoring vulnerability disclosures, assessing potential impact on their infrastructure, and applying security patches promptly. Additionally, organizations should consider implementing additional security measures such as network segmentation and monitoring for suspicious activity.

Editorial Note and Disclaimer

The guides and content published on GoYou are the result of independent research and analysis activities, for informational, educational, and in-depth purposes.

GoYou does not constitute a journalistic publication or an editorial product pursuant to Law No. 62/2001 and does not engage in real-time information activities.

The GoYou project does not provide professional, technical, legal, or financial advice and disclaims all liability for the improper use of the information published.
