CISA warned that threat actors are actively exploiting the “Copy Fail” Linux kernel vulnerability (CVE-2026-31431) days after Theori published a 100% reliable PoC exploit that can root multiple major distributions. Federal agencies must patch affected systems by May 15 under BOD 22-01, and CISA urged all organizations to prioritize updates or mitigations to prevent unprivileged users from gaining root.
Key points
- The vulnerability (CVE-2026-31431) exists in the algif_aead cryptographic interface and allows local unprivileged users to gain root by writing four controlled bytes to the page cache of any readable file.
- Theori released a Python PoC they describe as “100% reliable,” demonstrating root on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16.
- Theori says the same exploit works unmodified on any vulnerable Linux kernel built since 2017, putting essentially all mainstream distributions in scope.
- CISA added the flaw to its KEV catalog and ordered federal civilian agencies to patch within two weeks (by May 15) under Binding Operational Directive 22-01.
- Organizations should patch immediately or apply vendor mitigations, follow the BOD guidance for cloud services, or discontinue use if no mitigation is available.
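
For triage while patches roll out, the check below reports whether the AF_ALG `aead` socket type, the userspace entry point to algif_aead, is reachable from the current (unprivileged) process on a host. It is an added example, not code from Theori, CISA or the original article; it does not tell you whether a kernel is patched, and the function names and the `gcm(aes)` algorithm choice are assumptions.

```python
import errno
import socket

def classify(err):
    """Map the errno from socket()/bind() to an exposure state."""
    if err is None:
        return "reachable"      # an unprivileged process can open an aead socket
    if err in (errno.EAFNOSUPPORT, errno.ENOENT):
        return "unavailable"    # AF_ALG, the aead type or the algorithm was not found
    if err in (errno.EPERM, errno.EACCES):
        return "blocked"        # the call was denied (for example by seccomp or an LSM)
    return "unknown"

def probe_aead(alg="gcm(aes)"):
    """Try to bind an AF_ALG aead socket; no key is set and no data is sent.
    Side effect: on kernels that allow it, bind() may autoload algif_aead."""
    family = getattr(socket, "AF_ALG", None)   # only defined on Linux builds
    if family is None:
        return "unavailable"
    try:
        with socket.socket(family, socket.SOCK_SEQPACKET, 0) as s:
            s.bind(("aead", alg))
        return classify(None)
    except OSError as e:
        return classify(e.errno)

def module_loaded(proc_modules_text, name="algif_aead"):
    """True if `name` is a loaded module in /proc/modules content.
    Kernels with the code built in do not list it there."""
    return any(line.split()[:1] == [name]
               for line in proc_modules_text.splitlines())

if __name__ == "__main__":
    # Read /proc/modules first, because the probe itself may load the module.
    try:
        with open("/proc/modules") as f:
            loaded = module_loaded(f.read())
    except OSError:
        loaded = False
    print("algif_aead listed in /proc/modules:", loaded)
    print("AF_ALG aead socket:", probe_aead())
```

A "reachable" result means the interface named in the advisory is exposed to local users on that host, so it belongs in the patch or mitigation queue; "unavailable" or "blocked" only describes the process and host where the check ran.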