The Cybersecurity and Infrastructure Security Agency (CISA) on May 1 added the “Copy Fail” bug to its Known Exploited Vulnerabilities (KEV) catalog.

Security pros were concerned about CVE-2026-31431 when it was first reported last week because a single 732-byte Python script could obtain root privileges on essentially all Linux distributions shipped since 2017.

“With its addition to the KEV catalog, Copy Fail should be considered a ‘patch right now’ situation because the public exploit is reliable and works on almost all active Linux systems,” said David Brumley, chief AI and science officer at Bugcrowd.

Ryan McCurdy, vice president at Liquibase, said teams should consider Copy Fail a “patch-right-now” issue because it gives an attacker a fast path from local access to root across Linux systems many organizations rely on every day.

“CISA adding it to KEV tells us this is no longer theoretical,” said McCurdy. “What makes this one dangerous is the combination of broad reach and reliable exploitation across mainstream distributions. In environments like CI runners, container hosts, and shared Linux infrastructure, a single foothold can become full compromise very quickly.”

James Wickett, chief executive officer of DryRun Security, said it’s a big deal because there’s working exploit code and active use: it gives attackers a reliable path from low-privileged access to root on widely deployed Linux systems.

“It’s hard to think of places where Linux isn’t running, and modern environments are full of places where code gets processed or executed by design, whether that’s CI/CD pipelines, build systems, dev tools, or even some web backends,” said Wickett. “If an attacker can run code within a container on a vulnerable host, this flaw can be used to gain root on the underlying node, effectively breaking the container boundary and exposing the host and other workloads. We’ve gotten comfortable treating containers as isolation, but they all depend on the same kernel, so when that layer fails, the blast radius expands quickly from a single process to the entire system.”
Chris Yule, senior director of threat intelligence at Sophos, pointed out that Copy Fail is a local privilege escalation (LPE) vulnerability, which means an attacker already needs authenticated access to the target system before they can exploit it.

“The risk is that someone with limited access could potentially elevate their privileges and take control of a system they are already able to log into,” said Yule. “That makes it important to patch, particularly on systems that are routinely accessed by untrusted or lower-privileged users. But this is not a ‘sky is falling’ scenario where every exposed system suddenly becomes vulnerable to anyone on the internet.”

Damon Small, a board member at Xcape, Inc., said the real danger isn’t just that Copy Fail grants root access — it’s the stealth and stability of the mechanism. Small explained that most kernel exploits involve “spraying” memory or winning high-speed race conditions that can crash the server if they fail.

“Copy Fail is deterministic,” said Small. “By abusing the algif_aead crypto module, an attacker can trick the kernel into writing four controlled bytes directly into the page cache — the system’s shared memory for files.”

So by targeting a privileged binary like /usr/bin/su or /usr/bin/sudo in memory, Small said, an attacker can “flip the switch” on authentication logic. Because this happens entirely in RAM, the physical file on the disk remains unchanged, effectively blinding traditional file-integrity monitoring (FIM) and checksum-based defenses.

Small outlined three reasons why this is a “patch right now” situation:

- The container escape primitive: In a Kubernetes or Docker environment, the kernel gets shared. A single compromised container can use this flaw to “poison” the host’s page cache, granting the attacker root access to the underlying physical node and, by extension, every other container running on that machine.
- Invisible to detection: Because the exploit leaves the physical disk untouched and requires no complex “ROP chains” or memory grooming, standard EDR tools often fail to flag the activity until the attacker has already achieved root persistence.
- Broad applicability: This isn’t a niche bug. It affects virtually every mainstream Linux distribution shipped since 2017 (Ubuntu, Amazon Linux 2023, RHEL, and SUSE). If a system hasn’t been patched in the last 72 hours, it’s likely vulnerable.

“Organizations should prioritize patching public-facing servers, CI/CD runners, and multi-tenant cloud nodes immediately,” said Small. “If a reboot is not feasible during business hours, the algif_aead module should be disabled via modprobe -r as a stopgap measure to kill the primary attack vector.”
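The modprobe -r stopgap Small describes, and the FIM blind spot he raises, both lend themselves to a short host-side check. The script below is an added example written for this page; it is not code from the article, from the researchers who reported Copy Fail, from CISA, or from any distribution. It assumes GNU coreutils (dd with iflag=direct, sha256sum) and kmod (lsmod, modprobe), and that algif_aead is built as a loadable module on the host; the lsmod output and modules.builtin lines used to exercise it are constructed samples, not captured from a live system. Two things the quote leaves out: modprobe -r alone does not survive a reboot and cannot remove a module compiled into the kernel, so the script also writes an install rule to /etc/modprobe.d and reports the built-in case; and a buffered read of /usr/bin/su (served from the page cache) compared against an O_DIRECT read of the same file (which bypasses the cache) is the kind of check that sees what on-disk FIM cannot.

```shell
#!/bin/sh
# Added example for host triage after the Copy Fail reports above. Not code
# from the article, the researchers, CISA or any distribution vendor.
# Assumptions: GNU coreutils (dd iflag=direct, sha256sum), kmod (lsmod,
# modprobe), algif_aead built as a loadable module. Functions take file
# arguments so they run on captured output (constructed samples) as well as
# on a live host.
set -eu

MODNAME=algif_aead

# Classify the module from an lsmod listing and the kernel's modules.builtin
# list: "loaded", "builtin" (modprobe -r cannot remove it) or "not-loaded".
module_state() {
    lsmod_file=$1
    builtin_file=$2
    if awk -v m="$MODNAME" '$1 == m { found = 1 } END { exit !found }' "$lsmod_file"; then
        echo loaded
    elif grep -q "/${MODNAME}\.ko" "$builtin_file"; then
        echo builtin
    else
        echo not-loaded
    fi
}

# lsmod's "Used by" count for the module. Non-zero means an AF_ALG aead
# socket is still open somewhere and modprobe -r will refuse to unload.
module_users() {
    awk -v m="$MODNAME" '$1 == m { print $3; found = 1 } END { if (!found) print 0 }' "$1"
}

# Persistent stopgap. "install <mod> /bin/false" makes any later modprobe of
# the module, whether by an administrator or by the kernel's module loader,
# run /bin/false instead of loading it; "blacklist" only stops alias-based
# autoloading, so both lines are written.
write_modprobe_conf() {
    printf 'install %s /bin/false\nblacklist %s\n' "$MODNAME" "$MODNAME" > "$1"
}

# Compare what the page cache hands out (buffered read) with the bytes on
# disk (O_DIRECT read, which bypasses the cache). Prints "match",
# "divergent" or "direct-io-unsupported" (some filesystems reject O_DIRECT).
cache_vs_disk() {
    f=$1
    tmp=$(mktemp)
    cached=$(sha256sum "$f" | cut -d' ' -f1)
    if ! dd if="$f" of="$tmp" bs=1M iflag=direct 2>/dev/null; then
        rm -f "$tmp"
        echo direct-io-unsupported
        return 0
    fi
    direct=$(sha256sum "$tmp" | cut -d' ' -f1)
    rm -f "$tmp"
    if [ "$cached" = "$direct" ]; then echo match; else echo divergent; fi
}

# Live run (root): report module state, apply the stopgap the way the
# article describes, then check the setuid binaries it names.
apply_stopgap() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    snap=$(mktemp)
    lsmod > "$snap"
    state=$(module_state "$snap" "/lib/modules/$(uname -r)/modules.builtin")
    echo "$MODNAME: $state (used by $(module_users "$snap"))"
    rm -f "$snap"
    case $state in
        builtin) echo "cannot unload a built-in module; patch and reboot" >&2; return 1 ;;
        loaded)  modprobe -r "$MODNAME" ;;   # fails while the module is in use
    esac
    write_modprobe_conf "/etc/modprobe.d/disable-${MODNAME}.conf"
    for bin in /usr/bin/su /usr/bin/sudo; do
        [ -f "$bin" ] && echo "$bin: $(cache_vs_disk "$bin")"
    done
}

if [ "${1:-}" = apply ]; then
    apply_stopgap
fi
```

Run it as `sh copyfail_triage.sh apply` as root (the file name is an assumption). A “divergent” result on a filesystem where direct I/O works is a strong indicator that the cached copy of a binary differs from what is on disk; a “match” does not prove the cache is clean, since the pages may already have been evicted. If modprobe -r fails, the “used by” count printed on the first line shows whether an open AF_ALG socket is holding the module.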