On May 1, 2026, CISA added CVE-2026-31431, better known as "Copy Fail," to its Known Exploited Vulnerabilities (KEV) catalog. Federal civilian agencies have until May 15 to patch under BOD 22-01. Everyone else should read that deadline as a strong hint.
Copy Fail is a local privilege escalation bug in algif_aead, the AEAD front end of the Linux kernel's userspace crypto API exposed through AF_ALG sockets. It carries a CVSS score of 7.8 and has quietly existed since 2017, so it affects essentially every mainstream distribution shipping today: Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16, and others.
The mechanics are uncomfortably elegant. By chaining AF_ALG sockets with the splice() syscall and a mishandled error path, an unprivileged user can write four attacker-controlled bytes into a page in the kernel page cache. Because the page cache is what every process sees when it maps a file, that is enough to corrupt the cached contents of a setuid binary and walk straight to UID 0.
Theori, the firm that disclosed the bug on April 29, published a 732-byte Python proof of concept they describe as "100% reliable" across major distros. Go and Rust ports have already shown up in open-source repositories, and Microsoft Defender is reporting preliminary in-the-wild testing activity.
Container operators should pay particular attention. Exploitation needs no attacker-loaded kernel modules, no special capabilities, and no network access, which makes it a clean post-exploitation step inside Kubernetes pods, Docker CI runners, and shared multi-tenant hosts: the kernel is shared, so a container boundary does nothing to contain it. A foothold that used to be a nuisance now becomes a root shell on the host.
Upstream fixes are in kernel versions 6.18.22, 6.19.12, and 7.0; distributions backport the fix under their own version numbers, so check the vendor advisory rather than matching on the upstream number alone. Practical priorities:
- Inventory kernel versions across hosts, containers, golden images, and self-managed cloud VMs. Running fleets and AMIs are separate problems.
- Patch and reboot (or confirm the live patch applied), then verify the running kernel actually changed: `uname -r` reports what is running, not what the package manager installed.
- Where patching lags, restrict local code execution paths: tighten container runtime policies, audit who can land jobs on CI runners, and review SSH access.
- Refresh base images so tomorrow's autoscaled nodes are not vulnerable replacements for today's fixed ones.
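For the inventory and verification steps above, here is an added example (not part of the original article, and not a tool from Theori or any vendor) of a POSIX shell check that classifies a kernel version string against the three upstream fixed releases named above. It assumes upstream version numbering; a distribution kernel that carries the fix under an older number will be reported as "unknown", which is the point: anything not provably on a fixed upstream series goes to the vendor advisory for a decision.

```shell
#!/bin/sh
# Added example: classify a kernel version string as fixed / vulnerable /
# unknown for CVE-2026-31431, using only the upstream fixed releases the
# article names (6.18.22, 6.19.12, 7.0). Distro backports are NOT detected.

# split_version VERSION
# Sets $major $minor $patch from "MAJOR.MINOR.PATCH[-anything]".
# Missing fields become 0. Returns 1 if the string has no leading digits.
split_version() {
    v=${1%%[!0-9.]*}            # drop "-generic", "-1014-aws", "+" etc.
    case "$v" in
        [0-9]*) ;;
        *) return 1 ;;          # empty or not a version at all
    esac
    major=${v%%.*}
    case "$v" in
        *.*) rest=${v#*.} ;;
        *)   rest=0 ;;          # "7" -> 7.0.0
    esac
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;         # "7.0" -> 7.0.0
    esac
    patch=${patch%%.*}          # "6.18.22.1" -> keep 22
    return 0
}

# kernel_is_fixed VERSION
# Prints one of: fixed | vulnerable | unknown
# Exit status: 0 fixed, 1 vulnerable, 2 unknown (handy for fleet scripts).
kernel_is_fixed() {
    # A release candidate precedes the release it is named after, so a
    # "7.0.0-rc3" build is NOT known to carry a fix that shipped in 7.0.
    case "$1" in
        *-rc*) echo unknown; return 2 ;;
    esac
    split_version "$1" || { echo unknown; return 2; }

    if [ "$major" -ge 7 ]; then
        echo fixed; return 0
    fi
    if [ "$major" -eq 6 ] && [ "$minor" -eq 19 ]; then
        if [ "$patch" -ge 12 ]; then echo fixed; return 0; fi
        echo vulnerable; return 1
    fi
    if [ "$major" -eq 6 ] && [ "$minor" -eq 18 ]; then
        if [ "$patch" -ge 22 ]; then echo fixed; return 0; fi
        echo vulnerable; return 1
    fi
    # Any other series (6.1, 6.6, 6.12 LTS, ...): the article lists no fixed
    # release for it. Treat as vulnerable unless the vendor advisory says the
    # fix was backported into that exact package version.
    echo unknown; return 2
}

# Constructed sample inputs, in the shape uname -r prints on common distros.
# On a real host run:  kernel_is_fixed "$(uname -r)"
for v in 6.18.21-generic 6.18.22 6.19.12-1-aws 7.0.0-rc3 6.12.0-1014-aws; do
    printf '%-20s %s\n' "$v" "$(kernel_is_fixed "$v")"
done
```

Run it against `uname -r` on every host, and against the kernel package version baked into each golden image or AMI, since the running fleet and the image pipeline are separate inventories. Treat "unknown" as a work item, not as a pass.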
KEV is a triage signal, not a vulnerability encyclopedia. When something this trivially exploitable lands on the list with a working PoC already public, it is worth treating the deadline as your deadline too.