
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Linux kernel flaw known as “Copy Fail” to its Known Exploited Vulnerabilities (KEV) catalog. The listing confirms that the issue, tracked as CVE-2026-31431, is being actively exploited in the wild just one day after public disclosure.
CISA’s update places the vulnerability under the purview of Binding Operational Directive (BOD) 22-01, which mandates that federal civilian agencies remediate listed flaws within a defined timeframe. For CVE-2026-31431, CISA has set a remediation deadline of May 15, 2026. While the directive formally applies only to Federal Civilian Executive Branch (FCEB) agencies, the agency is urging all organizations to prioritize patching due to the high risk of exploitation.
The flaw was originally disclosed on April 30, 2026, by the Xint Code research team. Dubbed “Copy Fail,” the vulnerability stems from a logic error in the Linux kernel’s cryptographic subsystem, specifically in the authencesn code that implements AEAD (Authenticated Encryption with Associated Data) operations. By driving that code through the AF_ALG socket interface, the kernel’s userspace crypto API, and feeding it input with the splice() system call, a local attacker can trigger a controlled out-of-bounds write into the kernel’s page cache.
The Linux kernel serves as the foundational component of countless systems, including enterprise servers, cloud platforms, embedded devices, and containerized environments. Its crypto subsystem is widely enabled by default across major distributions such as Ubuntu, Red Hat Enterprise Linux, SUSE, and Amazon Linux.
What makes Copy Fail particularly dangerous is its reliability and portability. The exploit described by the researchers is a compact 732-byte Python script that works consistently across multiple distributions without modification. It targets world-readable setuid binaries, such as /usr/bin/su, and alters their cached in-memory pages so that the next execution of the binary runs attacker-controlled code with root privileges.
The root cause lies in how the kernel builds scatter-gather lists for the cryptographic operation. An optimization introduced in 2017 let the algorithm process data in place, which inadvertently allowed page cache memory that should only ever be read, such as the pages backing a file handed in via splice(), to be included in a writable buffer. The result is a four-byte out-of-bounds “scratch write” that corrupts adjacent memory. When the corrupted memory is cached file data, the attacker changes what a program does the next time it is executed without touching the file on disk.
This in-memory-only manipulation also gives the exploit a stealth advantage. Because nothing on disk changes, file modification times and stored on-disk hashes stay the same, so file integrity monitoring that keys on those signals, or that only rescans on a schedule, may miss the compromise. The malicious changes persist only until the affected pages are evicted from the cache or the system reboots, but that is long enough to execute privileged operations.
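One consequence of the in-memory-only corruption described above is that the two views of a file diverge: a normal buffered read is served from the page cache and therefore returns the tampered bytes, while an O_DIRECT read bypasses the cache and returns what is actually on disk. The script below, an added example that is not part of the article and not code from the Xint Code researchers or the kernel project, hashes each setuid binary both ways and flags any mismatch. It assumes Linux and a filesystem that honours O_DIRECT; the directory list and the 1 MiB buffer size are assumptions, and the sample file in the test is constructed.

```python
# Added example (not from the article, the researchers or the kernel project): flag
# setuid binaries whose page-cache contents differ from their on-disk bytes.
# Assumes Linux with O_DIRECT support on the filesystem holding the binaries.
import hashlib
import mmap
import os
import stat
from pathlib import Path

SETUID_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin")  # assumed search roots
DIRECT_BUF = 1 << 20  # 1 MiB; mmap gives a page-aligned buffer, which O_DIRECT requires


def sha256_buffered(path):
    """Hash through the normal read path: the data comes from the page cache."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_direct(path):
    """Hash with O_DIRECT, bypassing the page cache.

    Returns None if O_DIRECT is unavailable or the filesystem refuses it, so the
    caller can tell 'no evidence' apart from 'no divergence'.
    """
    if not hasattr(os, "O_DIRECT"):
        return None
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except OSError:
        return None
    try:
        size = os.fstat(fd).st_size
        h = hashlib.sha256()
        done = 0
        # Anonymous mmap is page-aligned; a bytearray is not guaranteed to be.
        with mmap.mmap(-1, DIRECT_BUF) as buf:
            while done < size:
                try:
                    n = os.readv(fd, [buf])  # short read at EOF is allowed for O_DIRECT
                except OSError:
                    return None
                if n == 0:
                    break
                n = min(n, size - done)
                h.update(buf[:n])
                done += n
        return h.hexdigest()
    finally:
        os.close(fd)


def check_file(path):
    """Compare cached and on-disk hashes of one file."""
    cached = sha256_buffered(path)
    direct = sha256_direct(path)
    return {
        "path": str(path),
        "cached": cached,
        "direct": direct,
        "diverged": direct is not None and direct != cached,
    }


def find_setuid_binaries(roots=SETUID_DIRS):
    """Regular files with the setuid or setgid bit under the given directories."""
    found = set()
    for root in roots:
        p = Path(root)
        if not p.is_dir():
            continue
        for entry in p.iterdir():
            try:
                st = entry.lstat()
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.add(entry.resolve())
    return sorted(found)


def main():
    hits = 0
    for binary in find_setuid_binaries():
        r = check_file(binary)
        if r["direct"] is None:
            print(f"SKIP   {r['path']} (O_DIRECT unavailable)")
        elif r["diverged"]:
            hits += 1
            print(f"DIVERGED {r['path']} cache={r['cached'][:16]} disk={r['direct'][:16]}")
    print(f"{hits} binaries with page cache differing from disk")
    return hits


if __name__ == "__main__":
    raise SystemExit(1 if main() else 0)
```

Run it as root so every setuid binary is readable. Two caveats: the evidence only exists while the corrupted pages are resident, so a hit is conclusive but a clean result is not, and tools that verify packaged files by rehashing them through the normal read path (for example rpm -V or dpkg -V) also see the tampered bytes during that window, which makes an on-demand package verification a reasonable complement to this check.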
Although CISA has not indicated whether the flaw is being used in ransomware campaigns, inclusion in the KEV catalog means the agency has evidence of real-world exploitation. Historically, KEV entries for widely deployed software attract opportunistic mass exploitation shortly after they are listed.
A patch addressing the issue was committed to the Linux kernel on April 1, 2026, which removes the flawed in-place optimization. Major Linux vendors have begun rolling out updates, but patch adoption timelines vary across environments. Note that a kernel package update takes effect only after a reboot into the new kernel (or via a vendor livepatch where one is offered), so installing the update alone does not close the window.