Severity
High
Analysis Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the critical Linux kernel zero-day vulnerability CVE-2026-31431, also known as “Copy Fail,” to its Known Exploited Vulnerabilities (KEV) catalog following confirmed active exploitation. The flaw carries a CVSS score of (High) and is categorized under CWE-699 (Incorrect Resource Transfer Between Spheres). It affects the algif_aead module within Linux’s AF_ALG cryptographic subsystem, where a logic error in the authentication cryptographic template leads to improper memory handling during in-place cryptographic operations. Due to its active exploitation status, CISA has ordered immediate remediation, requiring U.S. federal civilian agencies to patch affected systems by May 15, 2026, or discontinue their use.
What makes this vulnerability particularly severe is its simplicity and reliability. Security researchers demonstrated that a 732-byte Python exploit is sufficient for an unprivileged local user to escalate privileges to root access. The vulnerability stems from the interaction between the AF_ALG socket interface, the splice() system call, and flawed error handling during failed copy operations. This chain enables a controlled 4-byte overwrite in the kernel page cache, allowing attackers to corrupt setuid binaries and other sensitive kernel-managed structures entirely within kernel space. Because the exploit operates at the kernel level, it bypasses many traditional user-space protections and security monitoring mechanisms.
The flaw has remained hidden for nearly nine years, originating from three separate Linux kernel code changes introduced in 2011, 2015, and 2017. While each individual change appeared harmless, their combined interaction created the exploitable condition. The vulnerability impacts virtually all major Linux distributions running kernels built since 2017, including Ubuntu, Amazon Linux, Red Hat Enterprise Linux, SUSE Linux, Debian, Fedora, and Arch Linux. Its ability to execute without root privileges, kernel module loading, or network access makes it especially dangerous in modern containerized environments such as Kubernetes clusters and Docker CI/CD runners.
Patches are now available in Linux kernel versions 6.18.22, 6.19.12, and 7.0, and organizations are strongly advised to upgrade immediately. For environments running Red Hat, temporary configuration-level mitigations can reduce exposure while patch deployment is underway. CISA has further instructed organizations to follow BOD 22-01 guidance for cloud-hosted services and discontinue use of unpatched systems where mitigation is not possible. Security teams should urgently conduct kernel version audits across cloud workloads, on-premises servers, containers, and CI/CD infrastructure to identify vulnerable systems, as confirmed in-the-wild exploitation makes this a high-priority threat requiring immediate action.
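The kernel version audit called for above can be scripted. The following is an added example and not code from the advisory, CISA, or any distribution vendor: it classifies a `uname -r` release string against the fixed upstream versions the advisory names (6.18.22, 6.19.12, 7.0) and flags the caveat a practitioner needs most, namely that distribution kernels backport fixes and cannot be judged by version number alone. The vendor-suffix list is an illustrative assumption, not an exhaustive one.

```python
"""Kernel version audit helper for CVE-2026-31431 ("Copy Fail").

Added example, not code from the advisory or from any vendor. It classifies
a kernel release string (the output of `uname -r`) against the fixed
upstream releases named in the advisory: 6.18.22, 6.19.12 and 7.0.
"""
import platform
import re
from typing import Optional

# Fixed upstream releases from the advisory: (series major, series minor) -> first fixed patch level.
FIXED_PATCH_LEVEL = {(6, 18): 22, (6, 19): 12}
FIXED_FROM_MAJOR = 7  # 7.0 and anything later ships with the fix

# Release-string fragments that mark a distribution-built kernel. Such kernels
# carry backported fixes, so the version number alone says nothing about
# whether the fix is present. Assumption: this list is illustrative, not exhaustive.
VENDOR_MARKERS = re.compile(r"\.el\d|\.fc\d|\.amzn|-generic|-amd64|-arm64|-default|\.azure|\.aws")


def parse_kernel_version(release: str) -> Optional[tuple]:
    """Return (major, minor, patch) from a `uname -r` string, or None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify_upstream(release: str) -> str:
    """Classify by upstream version only: 'fixed', 'vulnerable', 'unknown-series' or 'unparseable'."""
    v = parse_kernel_version(release)
    if v is None:
        return "unparseable"
    major, minor, patch = v
    if major >= FIXED_FROM_MAJOR:
        return "fixed"
    fixed_patch = FIXED_PATCH_LEVEL.get((major, minor))
    if fixed_patch is None:
        # The advisory names no fixed release for this series (e.g. older LTS
        # kernels); report that rather than guessing an affected range.
        return "unknown-series"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def audit_kernel(release: str) -> dict:
    """Combine the version check with the vendor-kernel caveat into one verdict."""
    verdict = classify_upstream(release)
    vendor = bool(VENDOR_MARKERS.search(release))
    if vendor and verdict != "fixed":
        action = "distribution kernel: compare against the vendor security advisory, not the version number"
    elif verdict == "vulnerable":
        action = "upgrade to 6.18.22 / 6.19.12 / 7.0 or apply the vendor update"
    elif verdict == "unknown-series":
        action = "series not covered by the advisory's fixed versions: check the vendor advisory"
    elif verdict == "unparseable":
        action = "could not parse release string: inspect manually"
    else:
        action = "no action"
    return {"release": release, "upstream_verdict": verdict, "vendor_kernel": vendor, "action": action}


if __name__ == "__main__":
    # Audit the host this script runs on.
    print(audit_kernel(platform.release()))
```

Run it on each host (or feed it the output of `uname -r` collected by your configuration management tool) and act on the `action` field; the `unknown-series` and `vendor_kernel` outcomes are deliberate, because a pure upstream comparison would produce false "vulnerable" or false "fixed" results on RHEL, Ubuntu, Amazon Linux and similar backported kernels.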
Impact
- Privilege Escalation
- Security Bypass
- Unauthorized Access
Indicators of Compromise
CVE
CVE-2026-31431
Remediation
- Immediately patch affected Linux systems by upgrading to fixed kernel versions 6.18.22, 6.19.12, or 7.0, or apply vendor-provided security updates as soon as they become available.
- Identify and audit all vulnerable systems across on-premises servers, cloud workloads, virtual machines, and containerized environments to confirm kernel versions and exposure.
- Apply temporary vendor-recommended mitigations (especially for Red Hat environments) if immediate patching is not operationally possible.
- Restrict local user access on critical Linux servers to minimize the risk of privilege escalation by untrusted or low-privileged users.
- Monitor for suspicious privilege escalation activity, including abnormal use of AF_ALG sockets, unusual splice() system call activity, and unexpected modification of setuid binaries.
- Harden containerized environments such as Kubernetes and Docker by enforcing strict namespace isolation, dropping unnecessary capabilities, and applying least-privilege policies.
- Implement endpoint detection and runtime monitoring to detect kernel-level exploitation attempts and unauthorized privilege escalation behavior.
- Follow CISA’s BOD 22-01 guidance for cloud services and immediately isolate or discontinue use of systems that cannot be patched in time.
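The monitoring item above (abnormal AF_ALG socket use together with splice() activity) can be implemented over Linux audit records. The following is an added example, not code from the advisory or any vendor, and it assumes auditd SYSCALL records from an x86_64 host (arch=c000003e), where syscall 41 is socket() and 275 is splice(), and AF_ALG is address family 38 (a0=26 in the log's hexadecimal argument field). The log lines are constructed for the example, not captured from a real incident.

```python
"""Audit-log detection example for the CVE-2026-31431 exploitation pattern.

Added example, not part of the advisory. Assumes auditd SYSCALL records from
an x86_64 host (arch=c000003e), where syscall number 41 is socket() and 275 is
splice(), and that AF_ALG is address family 38 (a0=26 in the audit log's
hexadecimal argument field).
"""
import re

ARCH_X86_64 = "c000003e"
SYSCALL_SOCKET = 41
SYSCALL_SPLICE = 275
AF_ALG = 38

# key=value pairs; values may be quoted (comm="python3") or bare (pid=4242).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records, not real captured data: one process that opens an
# AF_ALG socket and then calls splice(), plus benign noise from other processes.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:1): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=4242 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3" key="af_alg"',
    'type=SYSCALL msg=audit(1700000000.102:2): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 pid=5000 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="sockets"',
    'type=SYSCALL msg=audit(1700000000.103:3): arch=c000003e syscall=275 success=yes exit=4096 a0=5 a1=0 a2=3 a3=0 pid=6000 auid=1000 uid=1000 comm="cp" exe="/usr/bin/cp" key="splice"',
    'type=SYSCALL msg=audit(1700000000.104:4): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=7000 auid=0 uid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="af_alg"',
    'type=SYSCALL msg=audit(1700000000.105:5): arch=c000003e syscall=275 success=yes exit=4 a0=4 a1=0 a2=3 a3=0 pid=4242 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3" key="splice"',
    'type=PROCTITLE msg=audit(1700000000.105:5): proctitle="python3"',
]


def parse_audit_record(line: str) -> dict:
    """Turn one audit line into a dict of fields, with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def find_suspicious_processes(lines) -> list:
    """Return alerts for pids that opened an AF_ALG socket and also called splice().

    Legitimate AF_ALG users exist (crypto libraries, disk encryption tools), so a
    lone AF_ALG socket is weak evidence. The exploit chain described in the
    advisory needs both AF_ALG and splice() in one process, so the two are
    correlated per pid.
    """
    af_alg_sockets = {}   # pid -> record of the AF_ALG socket() call
    splice_pids = set()
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != ARCH_X86_64:
            continue
        syscall = int(rec.get("syscall", -1))
        pid = rec.get("pid")
        if syscall == SYSCALL_SOCKET and int(rec.get("a0", "0"), 16) == AF_ALG:
            af_alg_sockets[pid] = rec
        elif syscall == SYSCALL_SPLICE:
            splice_pids.add(pid)
    alerts = []
    for pid, rec in af_alg_sockets.items():
        if pid in splice_pids:
            alerts.append({
                "pid": pid,
                "uid": rec.get("uid"),
                "comm": rec.get("comm"),
                "exe": rec.get("exe"),
                # An unprivileged caller matches the advisory's threat model most closely.
                "unprivileged": rec.get("uid") != "0",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_processes(SAMPLE_AUDIT_LOG):
        print(alert)
```

To produce the records this script consumes, audit the two syscalls with rules such as `-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg` and `-a always,exit -F arch=b64 -S splice -k splice`; expect the correlation to fire rarely, which is the point, since most hosts have no single unprivileged process that does both. Pair it with file-integrity watches on setuid binaries (`-w` rules or your FIM product) to cover the third indicator the advisory names.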