CISA adds Linux CVE to KEV

- CISA on May 1 added CVE-2026-31431, the Linux kernel “Copy Fail” bug, to its KEV list after evidence of active exploitation.
- The bug is a local privilege-escalation flaw in `algif_aead`, scored 7.8, with a public PoC and a May 15 federal remediation deadline.
- This matters because KEV status turns a bad Linux bug into a patch-now problem for cloud fleets, containers, and shared-hosting environments.

Linux admins just got a very clear signal from CISA — treat “Copy Fail” like an actively exploited incident, not a theoretical bug. On May 1, CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog, which is the U.S. government’s short list of flaws that are already being used in the wild. For federal civilian agencies, that means a remediation deadline of May 15. For everyone else, it’s the same message without the mandate: move this up the queue now. (cisa.gov)

### What is “Copy Fail”?

Copy Fail is a Linux kernel local privilege-escalation bug. The vulnerable code sits in `algif_aead`, part of the kernel’s userspace crypto API, and the issue traces back to a 2017 optimization. In plain English, a low-privilege user can abuse the kernel’s handling of certain cryp(cisa.gov)ot access. (nvd.nist.gov)

### Why is a local bug such a big deal?

Because “local” does not mean harmless. It means the attacker needs some foothold first — a shell on a box, code execution inside a container, access through a CI runner, or a low-privilege account on a shared system. Once that foothold exists, Copy Fail can become the second-stage move that turns limited access int(nvd.nist.gov)nodes and CI/CD runners for priority attention. (cert.europa.eu)

### How does the exploit work?

The public writeups describe a chain using AF_ALG socket operations together with `splice`. The result is a controlled 4-byte write to an arbitrary page-cache-backed page. Researchers showed that this can target a setuid binary like `/usr/bin/su` and end in a root shell. The scary part is not just the bug(cert.europa.eu)ttackers who are good at post-compromise escalation but not kernel research. (cert.europa.eu)

### Which systems are in scope?

Broadly, Linux systems running kernels built in the affected window since 2017.
CERT-EU said every mainstream Linux distribution shipping an affected kernel is exposed, and listed verified examples including Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. The same advisory said other distribut(cert.europa.eu)em, not a niche distro problem. (cert.europa.eu)

### Is there a patch?

Yes upstream — but rollout is the catch. NVD shows the fix as a revert in `algif_aead`, and CERT-EU said the mainline fix was committed on April 1, 2026. But vendor packages were still lagging when the bug went public, which is why defenders have been talking about temporary mitigations instead of “just patch it” simplicity. (nvd.nist.gov)

### What should defenders do right now?

First, patch as soon as your distro ships a fixed kernel. If you do not have a vendor fix yet, disable the vulnerable `algif_aead` path where possible as an interim mitigation. That option only exists where `algif_aead` is built as a loadable module; a kernel that compiles it in cannot drop it at runtime, so on those hosts only a fixed kernel closes the path. CISA’s KEV entry also explicitly tells organizations to follow applicable BOD 22-01 cloud guidance if they are running affected services in cl(nvd.nist.gov)ry — it is also a blast-radius story. Least-privilege IAM, MFA, segmentation, centralized logging, and tight workload isolation all matter more when privilege escalation is on the table. (cisa.gov)

### Why did KEV inclusion change the temperature?

Because KEV is CISA’s way of saying the debate is over. The flaw is not merely severe. It is being exploited. Once a Linux kernel bug lands there, security teams stop arguing about whether it is “practical” and start asking which hosts, which images, which runners, and which maintenance windows can move first. That is the real shift this week. (cisa.gov)

### Bottom line?

Copy Fail is the kind of bug that turns a small compromise into a root compromise. CISA putting CVE-2026-31431 in KEV means the window for treating it as tomorrow’s patch job is basically gone. (cisa.gov)
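The interim mitigation and a detection check from the section “What should defenders do right now?”, as an added example written for this page; it is not code from CISA, CERT-EU or NVD. It assumes the usual locations for the running kernel’s config (`/boot/config-$(uname -r)`), modprobe drop-ins (`/etc/modprobe.d/`) and auditd rules (`/etc/audit/rules.d/`); the drop-in filename `algif_aead-block.conf` and the audit key `af_alg_use` are chosen here, and the two-line kernel config it classifies at the end is constructed, not read from a real host.

```shell
#!/bin/sh
# Added triage helper for the algif_aead interim mitigation (not code from CISA,
# CERT-EU or NVD). Assumed paths: /boot/config-$(uname -r), /etc/modprobe.d,
# /etc/audit/rules.d. Run the live-host steps as root.

# Report how algif_aead is built in a kernel config file: "builtin", "module"
# or "absent". A modprobe block only helps in the "module" case; a kernel that
# compiles algif_aead in cannot drop it at runtime and needs a fixed kernel.
algif_aead_build_type() {
    if grep -qx 'CONFIG_CRYPTO_USER_API_AEAD=y' "$1"; then
        echo builtin
    elif grep -qx 'CONFIG_CRYPTO_USER_API_AEAD=m' "$1"; then
        echo module
    else
        echo absent
    fi
}

# The modprobe rule that makes every future load attempt of the module fail.
# Written to /etc/modprobe.d/algif_aead-block.conf (assumed name) it persists
# across reboots; on its own it does not unload an already-resident module.
modprobe_block_rule() {
    echo 'install algif_aead /bin/false'
}

# Unload the module if it is currently resident. Exit status is non-zero only
# when rmmod fails, e.g. because a process still holds an AEAD socket open.
unload_algif_aead() {
    if lsmod 2>/dev/null | grep -q '^algif_aead '; then
        rmmod algif_aead
    fi
}

# auditd rule recording every 64-bit socket(2) call that asks for AF_ALG
# (address family 38), so review can tie userspace crypto-API use to uid/pid.
audit_rule_af_alg() {
    echo '-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg_use'
}

# Decide the interim action for a host from its kernel config.
interim_action() {
    case "$(algif_aead_build_type "$1")" in
        module)  echo "block-and-unload" ;;
        builtin) echo "patch-only" ;;
        *)       echo "no-algif_aead" ;;
    esac
}

# Live-host usage (root):
#   cfg="/boot/config-$(uname -r)"
#   if [ "$(interim_action "$cfg")" = block-and-unload ]; then
#       modprobe_block_rule > /etc/modprobe.d/algif_aead-block.conf
#       unload_algif_aead
#   fi
#   audit_rule_af_alg > /etc/audit/rules.d/af_alg.rules && augenrules --load

# Stand-alone demonstration on a constructed two-line config (not a real host).
demo_config=$(mktemp)
printf 'CONFIG_CRYPTO_USER_API=y\nCONFIG_CRYPTO_USER_API_AEAD=m\n' > "$demo_config"
echo "constructed config -> $(interim_action "$demo_config")"
rm -f "$demo_config"
```

The audit rule only sees the direct `socket(2)` entry point on 64-bit callers; 32-bit processes reach the same family through `socketcall`, so a mixed fleet needs a matching `arch=b32` rule. Blocking the module removes the `algif_aead` path for every process on the host, including legitimate users of the kernel crypto API, which is why it is an interim step and not a substitute for the fixed kernel.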
