Vulnerability Overview
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Linux kernel zero-day vulnerability, tracked as CVE-2026-31431 and nicknamed “Copy Fail,” to its Known Exploited Vulnerabilities catalog. This flaw carries a CVSS score of 7.8 and stems from a logic bug in the algif_aead module within the AF_ALG cryptographic subsystem. The vulnerability causes improper memory handling during in-place operations, allowing an unprivileged local user to escalate privileges to root using a simple 732-byte Python script.
Impact and Scope
This flaw affects every major Linux distribution running kernels built since 2017, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, SUSE 16, Debian, Fedora, and Arch Linux. The attack chain exploits the interaction between the AF_ALG socket interface, the splice() system call, and improper error handling during a failed copy operation. This results in a controlled 4-byte overwrite in the kernel page cache, allowing attackers to corrupt setuid binaries and other sensitive data entirely within kernel space.
Mitigation and Response
CISA added this vulnerability to its KEV catalog on May 1, 2026, with a mandatory remediation deadline of May 15, 2026, for all federal civilian agencies. Patches are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0. Organizations running Red Hat Enterprise Linux can apply configuration-level mitigations. Security teams are urged to audit Linux kernel versions across cloud workloads, container environments, and on-premises infrastructure without delay, as active exploitation in the wild has been confirmed.
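The audit step above can be scripted. The following POSIX shell snippet is an added example, not part of the original article: it classifies a kernel version string against the fixed releases the article names (6.18.22, 6.19.12, 7.0) and reports whether the algif_aead module is currently loaded. Kernel branches the article does not list are reported as UNKNOWN, since distributions backport fixes under their own version numbers and the vendor advisory is authoritative there.

```shell
#!/bin/sh
# Added example: classify a running kernel against the fixed versions named
# for CVE-2026-31431 and check whether algif_aead is loaded. Not original code.

# Strip distro suffixes: "6.19.3-arch1-1" -> "6.19.3", "6.8.0-45-generic" -> "6.8.0".
normalize_version() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# Usage: assess_kernel <version>; prints PATCHED, VULNERABLE or UNKNOWN.
# Fixed releases per the article: 6.18.22, 6.19.12 and 7.0. Any other
# branch is UNKNOWN here because the article gives no fixed version for it.
assess_kernel() {
    v=$(normalize_version "$1")
    # Split "major.minor.patch" into positional parameters.
    set -- $(printf '%s\n' "$v" | tr '.' ' ')
    major=$1; minor=${2:-0}; patch=${3:-0}
    [ -z "$major" ] && { echo UNKNOWN; return; }
    if [ "$major" -ge 7 ]; then
        echo PATCHED                      # 7.0 and later
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 19 ]; then
        if [ "$patch" -ge 12 ]; then echo PATCHED; else echo VULNERABLE; fi
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 18 ]; then
        if [ "$patch" -ge 22 ]; then echo PATCHED; else echo VULNERABLE; fi
    else
        echo UNKNOWN                      # consult the distribution advisory
    fi
}

# Returns 0 if algif_aead appears in /proc/modules. A module compiled into
# the kernel rather than loadable is not listed there, so "not loaded" is
# not proof of absence; it also autoloads on first AF_ALG use.
algif_aead_loaded() {
    [ -r /proc/modules ] && grep -q '^algif_aead ' /proc/modules
}

running=$(uname -r)
printf 'kernel %s: %s\n' "$running" "$(assess_kernel "$running")"
if algif_aead_loaded; then
    echo 'algif_aead module: loaded'
else
    echo 'algif_aead module: not listed in /proc/modules (not loaded, or built in)'
fi
```

Run it under the configuration-management tool already used for fleet inventory and treat UNKNOWN as a prompt to check the distribution's advisory rather than as a clean result.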
Source: Cybersecuritynews

