"If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you're in scope," Theori researchers warned after publishing a proof-of-concept exploit. The advisory, and the fast follow-up from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), turned a newly disclosed Linux kernel bug into an immediate, ordered remediation for federal systems.
CVE-2026-31431: the "Copy Fail" vulnerability in algif_aead
Researchers tracked the flaw as CVE-2026-31431 and dubbed it "Copy Fail." The bug resides in the Linux kernel's algif_aead cryptographic algorithm interface and enables an unprivileged local user to gain root privileges on an unpatched system. The exploitation technique requires writing four controlled bytes to the page cache of any readable file — a small, specific primitive that, according to Theori, is sufficient to escalate to full root access.
Theori's proof-of-concept and the claim of reliable, cross-distro exploitation
Theori published a Python-based proof-of-concept (PoC) the day before CISA's action. They described the exploit as "100% reliable" and demonstrated it against four named distributions: Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. "Same script, four distributions, four root shells — in one take. The same exploit binary works unmodified on every Linux distribution," Theori said, and they added that the same script can be used reliably against any Linux distribution shipped since 2017 with a vulnerable kernel version.
When Theori published their advisory, Tharros' principal vulnerability analyst Will Dormann noted there were no "official updates" from vendors at that moment, underlining the rapidity with which an exploit and proof-of-concept can force a patch-and-response cycle.
CISA adds Copy Fail to the Known Exploited Vulnerabilities Catalog and issues an order
On the Friday following Theori's disclosure, CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch affected Linux endpoints and servers within two weeks — by May 15 — under Binding Operational Directive (BOD) 22-01. CISA said, "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."
CISA also advised agencies to "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." While BOD 22-01 is limited to U.S. federal agencies, CISA urged all security teams to prioritize patches for CVE-2026-31431.
How Linux distributors and security teams responded
According to the reporting, major Linux distributions began pushing the fix via kernel updates shortly after the disclosure. That movement toward vendor-supplied kernel patches followed the public release of the exploit and the PoC. Theori's public demonstration and the cross-distribution reliability they reported appear to have driven both vendor patching and federal prioritization through CISA's KEV action.
What this means for FCEB agencies, distribution maintainers, and security teams
- FCEB agencies: CISA ordered patching by May 15 under BOD 22-01, making remediation mandatory within the federal civilian enterprise and requiring agencies to follow vendor mitigations or discontinue affected products if mitigations are unavailable.
- Linux distribution maintainers: Theori's assertion that the exploit works unmodified across multiple distributions increased urgency; major distributions began distributing kernel updates to block the CVE-2026-31431 exploit vector.
- Security operations teams: The vulnerability's exploitation path — an unprivileged local user writing four bytes to the page cache to gain root — and the public PoC make rapid detection and patch deployment priorities, per CISA's advisory that urged all security teams to secure networks as soon as possible.
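The patch-deployment priority above comes down to a per-host question: is the running kernel older than the release in which the distribution shipped the fix, and is the algif_aead interface in use on the box? The following triage helper is an added example, not code from Theori, CISA or any distribution. It assumes the operator supplies the fixed kernel release from their vendor's advisory in FIXED_RELEASE (the page gives no fixed version, so none is hard-coded), reads module state from /proc/modules, and compares the first four numeric components of a uname -r string so that distribution build numbers such as 6.8.0-58 versus 6.8.0-59 are ordered correctly; the /proc/modules lines used in the test are constructed.

```shell
#!/bin/sh
# CVE-2026-31431 ("Copy Fail") fleet-triage helper: added example, not the
# researchers', CISA's or any vendor's tooling. Reports whether this host
# still needs the vendor kernel update and whether algif_aead is loaded.
#
# FIXED_RELEASE must be taken from your distribution's advisory; it is an
# operator-supplied value, deliberately not hard-coded here.

# kernel_fields RELEASE: print the first four numeric components of a
# uname -r string, zero-padded. Examples of what it yields:
#   6.8.0-58-generic            -> 6 8 0 58
#   5.14.0-570.el9.x86_64       -> 5 14 0 570
#   6.1.134-152.225.amzn2023    -> 6 1 134 152
#   6.12.3                      -> 6 12 3 0
kernel_fields() {
    # shellcheck disable=SC2046
    set -- $(printf '%s\n' "$1" | tr -c '0-9\n' ' ')
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# kernel_lt A B: exit 0 when release A orders numerically before release B.
# The fourth field carries the distro build number, which is what separates
# a vulnerable package from its fixed rebuild of the same upstream version.
kernel_lt() {
    # shellcheck disable=SC2046
    set -- $(kernel_fields "$1") $(kernel_fields "$2")
    [ "$1" -ne "$5" ] && { [ "$1" -lt "$5" ]; return; }
    [ "$2" -ne "$6" ] && { [ "$2" -lt "$6" ]; return; }
    [ "$3" -ne "$7" ] && { [ "$3" -lt "$7" ]; return; }
    [ "$4" -lt "$8" ]
}

# module_loaded NAME [MODULES_FILE]: exit 0 when NAME is listed in
# /proc/modules (or in the file given as the second argument, for testing).
# Each /proc/modules line starts with the module name followed by a space.
module_loaded() {
    grep -q "^$1 " "${2:-/proc/modules}" 2>/dev/null
}

# triage RUNNING FIXED MODULES_FILE: print a single-line verdict suitable
# for collecting into a fleet report.
#   VULNERABLE      kernel predates the fix and algif_aead is loaded
#   PATCH_REQUIRED  kernel predates the fix; module not loaded right now
#   PATCHED         kernel is at or past the vendor's fixed release
triage() {
    if kernel_lt "$1" "$2"; then
        if module_loaded algif_aead "$3"; then
            echo "VULNERABLE kernel=$1 fixed=$2 algif_aead=loaded"
        else
            echo "PATCH_REQUIRED kernel=$1 fixed=$2 algif_aead=not-loaded"
        fi
    else
        echo "PATCHED kernel=$1 fixed=$2"
    fi
}

# Live host check, run only when the operator supplied the fixed release:
#   FIXED_RELEASE=<release from vendor advisory> sh copyfail_triage.sh
if [ -n "${FIXED_RELEASE:-}" ] && [ -r /proc/modules ]; then
    triage "$(uname -r)" "$FIXED_RELEASE" /proc/modules
fi
```

Treat the module column as a prioritisation signal, not a safety check: the AF_ALG interface modules are loaded on demand when a process binds a socket of that type, and on kernels that build algif_aead in rather than as a module it never appears in /proc/modules at all. PATCH_REQUIRED therefore means exactly that; only the kernel comparison against the vendor's fixed release decides whether a host is done.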
The Copy Fail disclosure follows another recent kernel-impacting patch cycle: earlier last month, Linux distributions patched a separate high-severity local root privilege-escalation issue tracked as CVE-2026-41651 (Pack2TheRoot) in the PackageKit daemon, which had persisted for more than a decade. That sequence underscores how quickly successive, distinct privilege-escalation vulnerabilities can demand coordinated vendor, operator, and regulator action.
The facts in the record are straightforward: a small write primitive in the kernel's algif_aead interface, a PoC claimed to be reliably effective across mainstream distributions, and a formal federal order to patch by May 15. The combination of an asserted cross-distro exploit and CISA's KEV designation compresses the window for defenders: vendors pushed kernel updates, and federal agencies must now meet the two-week remediation requirement. Whether those steps will fully blunt exploitation in the wild will depend on how quickly patches are applied and mitigations are adopted where updates are not yet available.
Original reporting: CISA says ‘Copy Fail’ flaw now exploited to root Linux systems — BleepingComputer