Skip to content
Tech News
← Back to articles

CISA says ‘Copy Fail’ flaw now exploited to root Linux systems

2026-05-04 | original
read original get Linux Kernel Security Patch → more articles
Why This Matters

The 'Copy Fail' vulnerability in the Linux kernel has been actively exploited, allowing unprivileged users to gain root access across multiple Linux distributions. This highlights the urgent need for timely patching and updates to prevent potential widespread breaches, especially within federal and enterprise environments. The incident underscores the importance of proactive security measures and rapid response to emerging vulnerabilities in the tech industry.

Key Takeaways

CISA has warned that threat actors have started exploiting the "Copy Fail" Linux security vulnerability in the wild, one day after Theori researchers disclosed it and shared a proof-of-concept (PoC) exploit.

Tracked as CVE-2026-31431, this security flaw was found in the Linux kernel's algif_aead cryptographic algorithm interface and enables unprivileged local users to gain root privileges on unpatched Linux systems by writing four controlled bytes to the page cache of any readable file.

Theori researchers disclosed it on Thursday and shared what they described as a "100% reliable" Python-based exploit that can be used to root Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 devices.

However, they also added that the same script can be used reliably against any Linux distribution shipped since 2017 with a vulnerable kernel version.

"Same script, four distributions, four root shells — in one take. The same exploit binary works unmodified on every Linux distribution," Theori said. "If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you're in scope."

While major Linux distros began pushing the fix via kernel updates, Tharros' principal vulnerability analyst, Will Dormann, noted on Thursday that there were no "official updates" when Theori published its advisory.

Getting root shell on four Linux distros (Theori)

On Friday, CISA added the Copy Fail security flaw to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their Linux endpoints and servers within two weeks, by May 15, as mandated by Binding Operational Directive (BOD) 22-01.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the U.S. cybersecurity agency warned.

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

... continue reading

Explore topics: cisa copy fail linux kernel theori cve-2026-31431
Related:
US government warns of severe CopyFail bug affecting major versions of Linux
CISA flags actively exploited ‘Copy Fail’ Linux kernel flaw enabling root takeover across major distros — unpatched systems may remain vulnerable to attack
Dangerous New Linux Exploit Gives Attackers Root Access to Countless Computers
"Copy Fail" is a rare Linux bug that can turn an unprivileged user into a root admin in seconds
Severe Linux Copy Fail security flaw uncovered using AI scanning help

© 2026 GoKawiil

About | Editorial Policy | Contact