GoKawiilThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a newly disclosed Linux vulnerability, dubbed “Copy Fail,” to its Known Exploited Vulnerabilities catalog on May 1st, warning that the flaw, tracked as CVE-2026-31431, is already being used in active attacks and urging rapid patching across affected systems.
The vulnerability resides in the Linux kernel‘s “algif_aead” cryptographic interface and allows unprivileged local users to escalate privileges to root. In practice, this means an attacker with limited access to a system can gain full administrative control.
Security researchers at Theori disclosed the flaw publicly last week, releasing a working proof-of-concept exploit alongside their findings. According to the team, the exploit is “100% reliable” and functions without modification across multiple major Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. That level of portability is unusual and lowers the barrier for attackers seeking to weaponize the bug.
Article continues below
At a technical level, the bug enables attackers to write controlled data into the kernel‘s page cache, a low-level memory structure, ultimately allowing privilege escalation. While the exploit requires local access, it still allows attackers to break out of standard user restrictions and gain full control of the system.
Compounding the risk, a discussion on the Openwall oss-security mailing list suggests that the vulnerability and the working exploit were publicly disclosed without prior coordination with Linux distribution maintainers. In typical responsible disclosure processes, vendors are given advance notice to prepare and distribute patches before technical details are made public.
In this case, however, maintainers indicated that no such heads-up was provided, leaving some distributions without fixes ready at the time of disclosure. One contributor noted that older long-term support kernel branches had yet to receive backported patches, forcing developers to rely on temporary mitigations, including disabling affected cryptographic modules.
The result is a compressed response window in which defenders must scramble to deploy updates while attackers can immediately leverage publicly available exploit code.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter Get Tom's Hardware's best news and in-depth reviews, straight to your inbox. Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors
That dynamic is reflected in CISA‘s unusually swift inclusion of the flaw in its exploited vulnerabilities list, signaling that the issue poses a significant and immediate risk. CISA has given U.S. federal agencies two weeks to apply patches, in line with Binding Operational Directive 22-01, and has also urged all organizations to prioritize remediation.
... continue reading