RC RANDOM CHAOS

Copy Fail: 9-year-old Linux kernel bug grants trivial root, now in CISA KEV

via The Hacker News

Original source: CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV (The Hacker News)

CISA added CVE-2026-31431, dubbed Copy Fail, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation. The flaw is a local privilege escalation in the Linux kernel's authenticated-encryption (AEAD) crypto template, the product of three individually benign commits from 2011, 2015, and 2017. A 732-byte Python script reliably corrupts the in-memory page cache with a 4-byte overwrite, so an unprivileged user can alter the cached contents of a setuid binary such as /usr/bin/su without touching the file on disk and have the next execution of it run attacker-controlled code as root. Fixes ship in kernel 6.18.22, 6.19.12, and 7.0.

The blast radius is essentially the entire post-2017 Linux distribution base, with cloud and container workloads particularly exposed. Docker, LXC, and Kubernetes expose the AF_ALG socket family to container processes by default, so whenever algif_aead is loaded on the host, Copy Fail becomes a clean container escape to host root. Exploitation needs no race wins or address guessing and uses only legitimate syscalls, which leaves behavioral detection little to key on. Working proofs of concept in Python, Go, and Rust are already circulating in public repositories.

Microsoft Defender researchers report preliminary testing activity and expect exploitation to ramp up. Chained with an SSH foothold, a poisoned CI job, or a compromised container, this is a clean path from low-privilege access to host root. FCEB agencies have until May 15, 2026 to patch; everyone else should patch now or, failing that, disable algif_aead and restrict container access to AF_ALG until they can.
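A host-side check and mitigation for that fallback, written here as an added example rather than anything from the article, CISA, or the Copy Fail researchers. It assumes a host that honours /etc/modprobe.d and autoloads algif_aead through modprobe, and the file and function names (copyfail-algif-aead.conf, algif_aead_loaded, write_algif_aead_block, algif_aead_block_present) are this example's own:

```shell
#!/bin/sh
# Added example (not from the Hacker News article, CISA, or the Copy Fail
# researchers): check whether a host exposes the AF_ALG AEAD interface that
# CVE-2026-31431 abuses, and install a modprobe override that keeps
# algif_aead from loading. Assumptions (not from the page): the host honours
# /etc/modprobe.d and the kernel loads algif_aead via modprobe on demand.
set -u

# Return 0 if algif_aead is currently loaded. Reads a /proc/modules style
# file (first field is the module name) so it can be pointed at a test copy.
algif_aead_loaded() {
    modules_file="${1:-/proc/modules}"
    grep -qs '^algif_aead ' "$modules_file"
}

# Write a modprobe.d drop-in that denies algif_aead. "blacklist" only
# suppresses alias-based loading; the "install" line makes modprobe run
# /bin/false for any request by name, which is what the kernel's on-demand
# load issues when a process binds an AF_ALG socket of type "aead".
# Prints the path of the file it wrote.
write_algif_aead_block() {
    conf_dir="${1:-/etc/modprobe.d}"
    conf="$conf_dir/copyfail-algif-aead.conf"
    printf '%s\n' \
        '# Mitigation for CVE-2026-31431 (Copy Fail): deny the AF_ALG AEAD interface' \
        'blacklist algif_aead' \
        'install algif_aead /bin/false' > "$conf"
    printf '%s\n' "$conf"
}

# Return 0 if some drop-in in the given directory already carries the override.
algif_aead_block_present() {
    conf_dir="${1:-/etc/modprobe.d}"
    grep -qs '^install algif_aead /bin/false' "$conf_dir"/*.conf
}

# Usage: sh copyfail-algif-aead.sh check | apply   (apply needs root)
case "${1:-}" in
    check)
        if algif_aead_loaded; then
            echo "algif_aead is loaded: AF_ALG AEAD reachable by local users and containers"
        else
            echo "algif_aead is not loaded"
        fi
        if algif_aead_block_present; then
            echo "modprobe override present"
        else
            echo "no modprobe override: module can still be loaded on demand"
        fi
        ;;
    apply)
        write_algif_aead_block
        # Unload the live module too; modprobe -r fails and leaves it in place
        # if something still holds an AF_ALG aead socket open.
        if algif_aead_loaded; then
            modprobe -r algif_aead || echo "algif_aead still in use; stop AF_ALG users or reboot" >&2
        fi
        ;;
esac
```

Run with `check` to see whether the AEAD interface is currently reachable and whether an override is in place, and with `apply` as root to install the override and unload the module. The override removes only the userspace AF_ALG AEAD interface: in-kernel crypto consumers such as dm-crypt and IPsec do not go through algif and keep working, whereas a userspace library that offloads AEAD to AF_ALG will start failing and should be checked before rollout. The container-side counterpart is a runtime seccomp profile that returns an error for socket() with domain AF_ALG (38), which blocks the interface per container even where the host keeps the module. Neither replaces the kernel update.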


This is an AI-generated summary. Read the original for the full story.