
CISA says ‘Copy Fail’ flaw now exploited to root Linux systems

Published:

4 May 2026 at 11:28:15

Alert date:

4 May 2026 at 12:00:45

Source:

bleepingcomputer.com


Operating Systems, Zero-Day Vulnerabilities

CISA has warned that threat actors are actively exploiting the 'Copy Fail' Linux security vulnerability in the wild. The exploitation began just one day after Theori researchers disclosed the vulnerability and shared a proof-of-concept exploit. This flaw allows attackers to gain root access on Linux systems, making it a critical security concern. The rapid transition from disclosure to active exploitation highlights the urgency for system administrators to apply patches immediately.

Technical details

The Copy Fail vulnerability is found in the Linux kernel's algif_aead cryptographic algorithm interface. It enables unprivileged local users to gain root privileges on unpatched Linux systems by writing four controlled bytes to the page cache of any readable file. Theori researchers developed a 100% reliable Python-based exploit that works unmodified across all Linux distributions with kernels built between 2017 and the patch release.

Mitigation steps:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Federal Civilian Executive Branch agencies must patch their Linux endpoints and servers by May 15 as mandated by BOD 22-01. All security teams should prioritize CVE-2026-31431 patches to secure their networks as soon as possible.

Affected products:

Ubuntu 24.04 LTS
Amazon Linux 2023
RHEL 10.1
SUSE 16
Linux distributions with kernels built between 2017 and patch release
PackageKit daemon (for CVE-2026-41651)


This article was created with the assistance of AI technology by Perceptive.
