CISA adds CopyFail Linux bug
- CISA added CVE-2026-31431 — the Linux kernel “Copy Fail” bug — to its Known Exploited Vulnerabilities catalog on May 1 after active exploitation. (cisa.gov)
- The flaw is a local privilege escalation in the kernel’s `algif_aead` crypto path, scored 7.8, with public exploit code disclosed on April 29. (ubuntu.com)
- It matters most anywhere untrusted code already runs locally — containers, CI runners, shared Linux hosts — because a low-privilege foothold can become root. (ubuntu.com)
Linux has a new bug that looks smaller than it is. “Copy Fail,” tracked as CVE-2026-31431, is not a remote break-in by itself. But once an attacker has any l(cisa.gov) May 1 — not because the score is off the charts, but because people are already using it. (cisa.gov)

Fail? It is a local privilege escalation flaw in the Linux kernel’s `algif_aead` component, part of the AF_ALG userspace crypto interface. The bug sits in logi(ubuntu.com)VD lists the issue at CVSS 7.8, and Ubuntu calls it a high-severity kernel LPE. (nvd.nist.gov)

### Why does a local bug matter so much?

Because “local” does not mean “rare.” A local foothold can be a compromised app account, a shell on a developer box, a malicious package in CI, or code running inside a container. In tho(cisa.gov)here on the box — then Copy Fail can do the privilege jump. Ubuntu explicitly warns about root escalation on hosts and possible container-escape scenarios in containerized deployments. (ubuntu.com)

### What does the bug actually do?

The ugly part is that it can tamper (nvd.nist.gov)ging the file on disk. Openwall’s disclosure says each request can overwrite 4 attacker-chosen bytes at a spliced file offset, and repeated requests can patch more offsets. That means a read-only or setuid binary can be altered in memory long enough to help an attacker escalate privileges. Think of it like changing the copy of a document everyone is currently reading on the table, while the original in the filing cabinet stays untouched. (openwall.com)

### Why is t(ubuntu.com)

If the on-disk file never changed, file integrity tools looking only at storage may see nothing wrong. The malicious change lives in page cache and can disappear after reboot or memory pressure. That makes incident response messier — the machine can look clean after the fact even if the exploit worked. (openwall.com)

### Which systems are exposed?

A lot of mainstream Linux systems.
Ubuntu says all releases before 26.04 Resolute are affected, though some older branches are only vulnerable on specific kernel versi(openwall.com)n root and that fixes are being rolled out. Public writeups describe the vulnerable logic as present since 2017, which is why the blast radius is broad across distributions. (ubuntu.com)

### Why did CISA step in now?

Timing. Public disclosure landed on April 29. CISA added the bug to the KEV catalog on May 1, which means there (openwall.com)iority. For federal civilian agencies, KEV status comes with a remediation deadline under BOD 22-01. For everyone else, it is still the government’s clearest signal that this is not a “patch next month” issue. (cisa.gov)

### What should teams do first?

Patch the kernel as soon as vendor fixes are available. If you cannot patch immediately, (ubuntu.com)es the affected module, and Red Hat says configuration changes can reduce exposure. The catch is that disabling the module may affect hardware-accelerated crypto workflows, so teams need to test before broad rollout. (ubuntu.com)

### Bottom line

Copy Fail is the kind of Linux bug that changes the risk of every “already contained” compromise. If an attacker ca(cisa.gov)ers expect. (cisa.gov)
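One defender-side check that follows from the page-cache point above, added here as an example and not taken from the advisories or any vendor tool: hash a file once through the normal read path (what a scanner sees) and once with O_DIRECT, which bypasses the page cache and reads the blocks on disk. On a file nobody is legitimately writing, a mismatch means the copy being executed is not the copy in storage. The function names and the 4 KiB alignment constant are my own assumptions; it needs Linux and a filesystem that honours O_DIRECT.

```python
import hashlib
import mmap
import os
import sys

ALIGN = 4096  # O_DIRECT wants sector-aligned offset, length and buffer; a page satisfies all three

def hash_via_page_cache(path):  # the normal read path, i.e. what most integrity scanners see
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_via_direct_io(path):
    """Hash the blocks as they sit on disk, bypassing the page cache with O_DIRECT (Linux only)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)  # AttributeError off Linux, OSError if fs refuses
    except (OSError, AttributeError):
        return None
    try:
        os.fsync(fd)  # flush legitimately dirty pages so a pending write is not mistaken for tampering
        size = os.fstat(fd).st_size
        buf = mmap.mmap(-1, ALIGN)  # anonymous mapping: page-aligned, as O_DIRECT requires
        h, off = hashlib.sha256(), 0
        while off < size:
            n = os.preadv(fd, [buf], off)  # a short read is normal on the final partial block
            if n <= 0:
                break
            h.update(buf[:n])
            off += n
        return h.hexdigest()
    except OSError:
        return None  # O_DIRECT accepted at open but refused on read (e.g. tmpfs on older kernels)
    finally:
        os.close(fd)

def classify(cached, on_disk):
    if on_disk is None:
        return "unsupported"  # cannot tell on this filesystem; compare against a post-reboot hash instead
    return "match" if cached == on_disk else "MISMATCH"  # MISMATCH = page cache differs from disk

def check_file(path):
    cached = hash_via_page_cache(path)
    on_disk = hash_via_direct_io(path)
    return classify(cached, on_disk), cached, on_disk

if __name__ == "__main__":  # usage: python3 cache_vs_disk.py /path/to/setuid-binary ...
    for p in sys.argv[1:]:
        print(*check_file(p))
```

Run it against the setuid and read-only binaries you care about while the host is still up, since the page notes the in-memory change can vanish on reboot or under memory pressure.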