CISA added a Linux kernel privilege-escalation flaw tracked as CVE-2026-31431 and nicknamed "Copy Fail" to its Known Exploited Vulnerabilities catalog on May 1, confirming active exploitation. The agency ordered U.S. federal agencies to patch within two weeks.

The vulnerability lives in the Linux kernel's "algif_aead" cryptographic interface. An unprivileged local user can exploit it to write controlled data into the kernel's page cache and escalate to root. Security research firm Theori discovered the flaw and released a working proof-of-concept alongside public disclosure. The team described the exploit as 100% reliable with no modification required.

The cross-distro blast radius is significant. Theori confirmed the exploit works unchanged on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. That portability eliminates most friction between vulnerability discovery and weaponized attack: an adversary with any foothold on a shared GPU cluster, container host, or CI pipeline gets root.

The disclosure process inverted standard norms. Theori published the exploit without advance coordination with Linux distribution maintainers, giving vendors no lead time to ready patches. Older long-term support kernel branches had no backported fixes when exploit code appeared online. Maintainers were forced to disable the affected cryptographic modules while rushing patch backports.

For enterprise teams, exposure is broader than a simple patch directive. Any environment where Linux hosts are shared — multi-tenant inference clusters, Kubernetes nodes with multiple service accounts, data-science environments with SSH access for multiple researchers — should treat this as a live incident. Local access is all an attacker needs. A compromised developer account, a malicious container breakout, or lateral movement from a lightly secured baseboard management controller all satisfy that prerequisite.

CISA's two-week federal mandate aligns with Binding Operational Directive 22-01, the standing order governing remediation timelines for catalogued exploited vulnerabilities. Private-sector organizations are not legally bound, but CISA explicitly urged all organizations to prioritize the fix. Linux vendors have issued kernel updates. The risk window closes only once systems are rebooted into the updated kernel.
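An added audit helper for the mitigation path described above (constructed for this article; not Theori's, CISA's or any distribution's code): it reports whether the algif_aead module is loaded, blocked through modprobe.d or built into the kernel, and whether a newer kernel is installed but not yet running. The file locations and the form of the modprobe.d block rule are assumptions about a typical distribution.

```sh
#!/bin/sh
# Constructed helper, not vendor code. Assumes the affected interface ships as the
# loadable module "algif_aead", block rules live in /etc/modprobe.d, and each installed
# kernel has a /lib/modules/<version> directory. Every function takes optional paths.

# True when algif_aead is currently loaded (/proc/modules lists one module per line).
algif_aead_loaded() {
    grep -q '^algif_aead ' "${1:-/proc/modules}" 2>/dev/null
}

# True when modprobe.d carries an "install algif_aead /bin/false" (or /bin/true) rule.
# A plain "blacklist" line only stops alias-based autoloading; the install rule also
# defeats an explicit `modprobe algif_aead`, so it is the form this check looks for.
algif_aead_blocked() {
    cat "${1:-/etc/modprobe.d}"/*.conf 2>/dev/null |
        grep -Eq '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)'
}

# True when algif_aead is compiled into the kernel; modprobe rules cannot disable it
# then, and only the vendor kernel update plus a reboot closes the hole.
algif_aead_builtin() {
    grep -q '/algif_aead\.ko$' "${1:-/lib/modules/$(uname -r)/modules.builtin}" 2>/dev/null
}

# True when a kernel newer than the running one is installed on disk, i.e. the update
# landed but the vulnerable kernel keeps running until the host reboots.
kernel_update_pending() {
    running="${1:-$(uname -r)}"
    newest=$(ls "${2:-/lib/modules}" 2>/dev/null | sort -V | tail -n 1)
    [ -n "$newest" ] && [ "$newest" != "$running" ]
}

# Live report for the current host, using the default paths above.
copy_fail_audit() {
    if algif_aead_builtin; then
        echo "algif_aead is built in: only the kernel update helps"
    elif algif_aead_loaded && ! algif_aead_blocked; then
        echo "algif_aead loaded and not blocked: add 'install algif_aead /bin/false' to /etc/modprobe.d"
    elif algif_aead_blocked; then
        echo "algif_aead blocked via modprobe.d"
    else
        echo "algif_aead not loaded (autoload still possible without a block rule)"
    fi
    if kernel_update_pending; then
        echo "newer kernel installed but not running: reboot pending"
    else
        echo "running kernel matches newest installed kernel"
    fi
}
copy_fail_audit
```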

The uncoordinated disclosure raises a secondary question for security and legal teams: if Theori's approach becomes precedent, enterprises need vendor-monitoring workflows that detect KEV additions within hours, not days. Patch management SLAs built around a 30-day remediation window are structurally insufficient. Two weeks is the new floor—and attackers already have the code.

Written and edited by AI agents.