A nine-year-old logic bug in the Linux kernel is now under active exploitation, triggering a CISA Known Exploited Vulnerabilities (KEV) catalog listing and a mandatory federal patching deadline of May 15, 2026.
Tracked as CVE-2026-31431, the vulnerability dubbed “Copy Fail” by researchers at Theori and Xint enables any unprivileged local user to gain full root access using a 732-byte Python script, threatening hundreds of millions of Linux systems worldwide.
CVE-2026-31431 is a local privilege escalation (LPE) vulnerability carrying a CVSS score of 7.8 (High). It resides in the Linux kernel’s authencesn cryptographic template, an Authenticated Encryption with Associated Data (AEAD) mode, where a logic flaw permits an attacker to perform a deterministic, controlled 4-byte write into the kernel’s in-memory page cache of any readable file, including setuid binaries such as /usr/bin/su.
The flaw is classified under CWE-1301 (Incorrect Resource Transfer Between Spheres), meaning the kernel mistakenly exposes protected memory to unprivileged modification.
Because the page cache stores executables in memory, modifying it effectively alters binaries at execution time without ever touching the disk, making the attack both stealthy and highly reliable. Patches are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.
The vulnerability was not introduced through a single commit; rather, it is the compound result of three individually harmless changes made to the Linux kernel in 2011, 2015, and 2017. The final change, made in 2017, completed the conditions necessary for exploitation, meaning all Linux distributions shipped since 2017 are affected.
Researchers at Xint published a detailed write-up disclosing that the authencesn module, when processing a decryption request, performs a scratch write of authentication tag data before verifying the HMAC.
While the HMAC check eventually fails, the corrupted memory in the page cache persists, allowing an attacker to repeat the process until sufficient shellcode is injected into a targeted privileged binary.
How the Exploit Works
Microsoft’s Defender Security Research Team detailed one confirmed exploitation pathway leveraged in preliminary testing activity already observed in the wild:
- Reconnaissance – The attacker identifies a Linux host or container running a vulnerable kernel version.
- Payload Preparation – A minimal Python script (732 bytes) is prepared targeting the endpoint.
- Low-Privilege Execution – The exploit runs from a regular user context or a compromised container with no special capabilities.
- 4-Byte Page Cache Overwrite – Using AF_ALG sockets and splice(), the attacker delivers file-backed pages directly into the cryptographic path, forcing a controlled write into the page cache of /usr/bin/su or any readable setuid binary.
- Root Escalation – The process escalates to UID 0, granting full root privileges without any race conditions or memory address guessing.
Critically, Microsoft noted that while the attack vector is local (AV:L) and requires no user interaction, its impact becomes catastrophic when combined with an initial access vector such as SSH access, a malicious CI/CD job, or a container foothold.
This means a compromised container process with no elevated capabilities can exploit this flaw to break container isolation and seize control of the underlying physical host.
Security teams managing multi-tenant servers, Kubernetes clusters, CI/CD pipelines, and cloud SaaS platforms executing user code should treat this as a critical-priority patch.
The attack is also particularly evasive: since the exploit relies exclusively on legitimate system calls, it is extremely difficult to distinguish from normal application behavior using standard security monitoring tools.
PoC Exploit Already in the Wild
Adding urgency to an already difficult situation, Kaspersky confirmed that Go and Rust implementations of the original Python PoC have already been detected in open-source repositories, significantly lowering the barrier to exploitation.
The Microsoft Defender team further warned that it is observing “preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days”.
CISA has not yet disclosed specific details about the identities of active threat actors or confirmed the identities of victim organizations. However, the agency’s KEV listing under Binding Operational Directive (BOD) 22-01 mandates that all Federal Civilian Executive Branch (FCEB) agencies apply available patches by May 15, 2026.
Mitigation
Organizations that cannot immediately apply kernel patches should implement the following interim measures:
- Turn off the algif_aead kernel module to prevent access to the vulnerable authencesn path
- Apply strict access controls to limit local user privileges and reduce the attack surface
- Enforce network isolation to reduce opportunities for attackers to establish the initial access vector required to chain this exploit
- Monitor for anomalous AF_ALG socket usage and unexpected splice() system call patterns
- Update container security policies to restrict AF_ALG subsystem access in Docker and Kubernetes environments
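A defender-side triage helper, added here as an example and not part of the article or of the Theori, Xint or Microsoft research: it classifies a kernel release against the three upstream fix versions the article names (6.18.22, 6.19.12, 7.0) and reports whether the algif_aead module, which exposes the authencesn path over AF_ALG, is currently loaded. The interim mitigation (disabling the module) and the monitoring hook from the list above are carried as commented commands. The status labels, the modprobe.d file name and the audit key are this example's own choices.

```shell
#!/bin/sh
# Added example: CVE-2026-31431 ("Copy Fail") triage helper for defenders.
# Not the article's or the researchers' code; labels and file names are assumptions.

# Keep only the leading numeric dotted part of a kernel release string,
# e.g. "6.18.20-1-amd64" -> "6.18.20".
kernel_numeric() {
    printf '%s' "$1" | sed 's/[^0-9.].*$//'
}

# Numeric comparison of dotted versions; returns 0 (true) when $1 >= $2.
# A trailing dot is appended so cut yields empty fields past the end, and
# missing components count as zero, so 7.0 compares equal to 7.0.0.
version_ge() {
    i=1
    while :; do
        x=$(printf '%s.' "$1" | cut -d. -f"$i")
        y=$(printf '%s.' "$2" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# Classify a kernel release against the upstream fix releases the advisory names.
# Prints "patched", "vulnerable", or "check-distro-advisory" for older stable
# series (5.x, 6.1, 6.6, ...) where vendors backport the fix and the upstream
# version number alone is not decisive.
copyfail_status() {
    v=$(kernel_numeric "$1")
    series=$(printf '%s.' "$v" | cut -d. -f1-2)
    case "$series" in
        6.18) fix=6.18.22 ;;
        6.19) fix=6.19.12 ;;
        *)
            if version_ge "$v" 7.0; then echo patched; else echo check-distro-advisory; fi
            return 0 ;;
    esac
    if version_ge "$v" "$fix"; then echo patched; else echo vulnerable; fi
}

# Report whether algif_aead is loaded, reading a /proc/modules-style listing
# (defaults to the live file). Prints "loaded" or "not-loaded". Note: if the
# kernel was built with CONFIG_CRYPTO_USER_API_AEAD=y the interface is built in,
# never appears here, and cannot be removed with modprobe blacklisting.
algif_aead_state() {
    if grep -q '^algif_aead ' "${1:-/proc/modules}" 2>/dev/null; then
        echo loaded
    else
        echo not-loaded
    fi
}

# Interim mitigation from the article (turn off the module) as a modprobe.d
# drop-in; the file name is this example's choice. "install ... /bin/false" makes
# explicit and on-demand loads fail, "blacklist" stops alias-based autoload.
#   printf 'install algif_aead /bin/false\nblacklist algif_aead\n' > /etc/modprobe.d/copyfail.conf
#   rmmod algif_aead    # only if currently loaded and nothing depends on it
#
# Monitoring hook from the article's list: audit every AF_ALG socket creation
# (AF_ALG is address family 38 on Linux); the key is this example's choice.
#   auditctl -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg_socket

# Stand-alone run: assess the live host.
echo "kernel $(uname -r): $(copyfail_status "$(uname -r)")"
echo "algif_aead module: $(algif_aead_state)"
```

A "patched" result only covers the upstream releases the article lists; on an enterprise or LTS kernel the vendor changelog for CVE-2026-31431 is the authority, which is why those series are reported as check-distro-advisory rather than guessed. Likewise, "not-loaded" means the module is not resident right now, not that it cannot be autoloaded later, so the modprobe.d drop-in is what makes the mitigation stick across reboots.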
All major Linux distributions, including Ubuntu, Red Hat, Debian, SUSE, and Fedora, have pushed kernel updates addressing CVE-2026-31431.
FAQ
Q1: What is CVE-2026-31431 (Copy Fail)?
A logic bug in the Linux kernel’s authencesn cryptographic template allows an unprivileged local user to overwrite the page cache and gain full root access.
Q2: Which Linux versions are affected by Copy Fail?
All Linux distributions shipped since 2017 are vulnerable; fixes are available in kernel versions 6.18.22, 6.19.12, and 7.0.
Q3: Is Copy Fail remotely exploitable?
No, the attack vector is local, but it becomes highly dangerous when chained with SSH access, malicious CI jobs, or container footholds.
Q4: What is the CISA patching deadline for CVE-2026-31431?
CISA has ordered all U.S. federal civilian agencies to remediate CVE-2026-31431 by May 15, 2026, under BOD 22-01.
Site: https://thecybrdef.com