Particle.news

CISA Adds Linux 'Copy Fail' Root Bug to Known Exploited List

Public exploit code now circulates, making fast patching urgent.

Overview

  • CISA placed CVE-2026-31431, known as Copy Fail, in its Known Exploited Vulnerabilities catalog after confirming active abuse in the wild.
  • Fixes are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0, and U.S. federal civilian agencies are directed to patch by May 15.
  • The flaw is a local privilege escalation in the kernel’s crypto auth template that lets an unprivileged user flip four bytes in the page cache of any readable file, including setuid binaries, to gain root.
  • A 732-byte Python proof-of-concept is public with Go and Rust ports, and Microsoft reports attacker testing, though exploitation still requires an initial foothold such as SSH access, a malicious CI job, or a compromised container.
  • Container and cloud hosts face heightened risk because many runtimes expose the AF_ALG crypto socket by default, so teams are disabling the affected feature and tightening isolation until systems are updated.
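
A host triage check built from the fixed versions and the AF_ALG exposure listed above, as an added example that is not part of the original article. The helper names `classify_kernel`, `af_alg_reachable` and `triage` and the priority labels are hypothetical, and the comparison assumes upstream version numbering, since distribution kernels may backport the fix without changing the version.

```python
import platform
import re
import socket

# First fixed patch level per stable branch, as listed in the article.
FIXED_PATCH = {(6, 18): 22, (6, 19): 12}
FIXED_FROM = (7, 0)  # 7.0 and later, per the article

def classify_kernel(release: str) -> str:
    """Classify a `uname -r` string: 'fixed', 'needs-update' or 'unknown'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return "unknown"
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    if branch >= FIXED_FROM:
        return "fixed"
    if branch in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[branch] else "needs-update"
    # Assumption: the article names no fixed release for other branches, and
    # distribution kernels may backport, so defer to the vendor advisory.
    return "unknown"

def af_alg_reachable() -> bool:
    """True if this process (e.g. inside a container) can open an AF_ALG socket."""
    family = getattr(socket, "AF_ALG", None)  # absent on non-Linux builds
    if family is None:
        return False
    try:
        # On a host this call may autoload the af_alg kernel module.
        sock = socket.socket(family, socket.SOCK_SEQPACKET, 0)
    except OSError:  # blocked by seccomp, module blacklist, or missing support
        return False
    sock.close()
    return True

def triage(release: str, alg_open: bool) -> str:
    """Combine both signals into a patch priority (constructed labels)."""
    state = classify_kernel(release)
    if state == "fixed":
        return "ok"
    if state == "needs-update":
        return "patch-now" if alg_open else "patch-soon"
    return "check-vendor-advisory"

if __name__ == "__main__":
    release = platform.release()
    print(release, triage(release, af_alg_reachable()))
```

Run it inside each container image as well as on the host: `af_alg_reachable` reports only what the calling process's own seccomp profile and namespace allow.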