Nvidia · Amazon · Tom's Hardware
CISA flags actively exploited ‘Copy Fail’ Linux kernel flaw enabling root takeover across major distros
Compiled by KHAO Editorial — aggregated from 1 outlet. See llms.txt for citation guidance.
◌ Single Source
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a newly disclosed Linux vulnerability, dubbed “Copy Fail,” to its Known Exploited Vulnerabilities catalog on May 1st, warning that the flaw, tracked as CVE-2026-31431, is already being used in active attacks and urging rapid patching across affected systems.
Key facts
- According to the team, the exploit is “100% reliable” and functions without modification across multiple major Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE
- Get Tom's Hardware's best news and in-depth reviews, straight to your inbox
- The vulnerability resides in the Linux kernel‘s “algif_aead” cryptographic interface and allows unprivileged local users to escalate privileges to root
- Security researchers at Theori disclosed the flaw publicly last week, releasing a working proof-of-concept exploit alongside their findings
Summary
The U.S. The vulnerability resides in the Linux kernel‘s “algif_aead” cryptographic interface and allows unprivileged local users to escalate privileges to root. Security researchers at Theori disclosed the flaw publicly last week, releasing a working proof-of-concept exploit alongside their findings. At a technical level, the bug enables attackers to write controlled data into the kernel‘s page cache, a low-level memory structure, ultimately allowing privilege escalation. Compounding the risk, a discussion on the Openwall oss-security mailing list suggests that the vulnerability and the working exploit were publicly disclosed without prior coordination with Linux distribution maintainers.