U.S. CISA Adds Linux Copy Fail Flaw to Exploited Bug List


The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a major Linux kernel flaw known as “Copy Fail” to its Known Exploited Vulnerabilities catalog after signs of active exploitation.

The flaw, tracked as CVE-2026-31431, is a local privilege escalation bug that can let an unprivileged user gain root access on affected Linux systems. CISA added it to the KEV catalog on May 1, with federal agencies given a remediation deadline later this month.

Flaw Affects Major Linux Distributions

Copy Fail affects several major Linux distributions, including Red Hat, SUSE, Ubuntu and AWS Linux, according to Microsoft Defender researchers. The company said the flaw touches a large share of cloud Linux workloads and millions of Kubernetes clusters.

The bug sits in the Linux kernel’s crypto subsystem, specifically in the algif_aead / AF_ALG path. Microsoft said it can let an attacker corrupt the page cache of a readable file, including setuid binaries, and then use that corruption to run code with root privileges.

The issue is not remotely exploitable by itself. An attacker first needs local code execution or low-privilege access, such as a container foothold, SSH access or a malicious CI job. From there, the bug can be used to escalate to root.

Researchers Say the Exploit is Unusually Reliable

Xint said the flaw lets an unprivileged local user trigger a deterministic four-byte write into the page cache of any readable file, building on research by Theori’s Taeyang Lee. Their proof-of-concept exploit used a 732-byte Python script to gain root on tested systems including Ubuntu, Amazon Linux, RHEL, and SUSE.

That reliability is what has drawn so much attention. Xint said the exploit does not rely on race conditions, version-specific offsets, recompilation or repeated attempts. It also leaves the file unchanged on disk, which means standard file-integrity checks can miss the in-memory corruption.

The flaw also carries container security risk. Xint said the same technique can cross container boundaries because page cache is shared across the host, making it a possible path to Kubernetes node compromise.

Patch Race is Now Under Way

The upstream Linux fix was committed on April 1, according to CERT-EU. The advisory said the flaw came from an in-place optimization introduced in 2017 and affects mainstream Linux distributions running kernels that predate the patched versions.

CERT-EU urged immediate mitigation, especially for Kubernetes nodes and CI/CD runners exposed to untrusted workloads. Microsoft also advised organizations to identify affected systems, apply vendor patches where available and use temporary mitigations such as disabling affected features, tightening access controls or isolating exposed systems where patches are not yet available.
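One way to inventory that exposure across a fleet, as an added example that is not code from Microsoft, CERT-EU or this article: it classifies a host from the text of /proc/modules and its modprobe.d configuration. It assumes the feature an operator chooses to disable is the algif_aead module named above; the function names and sample inputs are constructed for illustration.

```python
import glob
import os

MODULE = "algif_aead"  # kernel module named in the article
NOOPS = {"/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true"}

def module_loaded(proc_modules_text, module=MODULE):
    """True if the module is listed in /proc/modules-style text."""
    return any(l.split()[0] == module
               for l in proc_modules_text.splitlines() if l.strip())

def load_policy(conf_text, module=MODULE):
    """Classify modprobe.d-style text: blocked, blacklist-only or unrestricted."""
    blacklisted = blocked = False
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        # modprobe treats '-' and '_' in module names as the same character
        if len(parts) < 2 or parts[1].replace("-", "_") != module:
            continue
        if parts[0] == "blacklist":
            blacklisted = True  # only makes modprobe ignore the module's aliases
        elif parts[0] == "install" and len(parts) > 2 and parts[2] in NOOPS:
            blocked = True      # load requests run the no-op command instead
    if blocked:
        return "blocked"
    return "blacklist-only" if blacklisted else "unrestricted"

def triage(proc_modules_text, conf_text):
    """Combine both views into one finding for a host inventory."""
    if module_loaded(proc_modules_text):
        return "loaded"  # the interface is live now, whatever the policy says
    return "not-loaded/" + load_policy(conf_text)

# Constructed sample inputs (not taken from any real host)
SAMPLE_MODULES = ("af_alg 32768 1 algif_aead, Live 0x0\n"
                  "algif_aead 16384 0 - Live 0x0\n")
SAMPLE_CONF = "# hardening\nblacklist algif-aead\ninstall algif_aead /bin/false\n"

if __name__ == "__main__":
    mods = open("/proc/modules").read() if os.path.exists("/proc/modules") else ""
    conf = "".join(open(p).read() + "\n"
                   for p in sorted(glob.glob("/etc/modprobe.d/*.conf")))
    print("sample:", triage(SAMPLE_MODULES, SAMPLE_CONF))
    print("this host:", triage(mods, conf))
```

A kernel that has the interface built in never lists it in /proc/modules and is not governed by modprobe policy, so a "not-loaded" finding is an inventory signal rather than proof that a host is safe. The vendor kernel patch remains the fix.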

CISA’s KEV listing raises the urgency. Federal agencies must resolve the issue by May 15, while private organizations are being urged to prioritize patching because KEV entries are based on known exploitation activity.

Cloud and Crypto Operators Face Added Risk

The flaw matters beyond standard Linux servers because many cloud, exchange, validator, wallet and infrastructure environments rely heavily on Linux, containers and CI/CD systems.

For crypto firms, the immediate risk is not a direct blockchain exploit. It is infrastructure compromise. A local foothold on a vulnerable Linux host could turn into root access, giving attackers a path to hot wallet systems, build pipelines, signing services, validator nodes or internal cloud workloads.

That makes Copy Fail an urgent operational security issue for organizations running exposed Linux infrastructure. Organizations running Linux fleets should review vendor advisories, patch vulnerable kernels, revisit container isolation assumptions and treat exposed CI/CD runners as urgent remediation targets.


Fhumulani Lukoto Cryptocurrency Journalist

Fhumulani Lukoto holds a Bachelor's Degree in Journalism, enabling her to become the writer she is today. Her passion for cryptocurrency and bitcoin started in 2021 when she began producing content in the space. A naturally inquisitive person, she dove head first into all things crypto to gain the huge wealth of knowledge she has today. Based out of Gauteng, South Africa, Fhumulani is a core member of the content team at Coin Insider.
