Exposes Linux Copy Fail

- Microsoft said on May 1 that Linux flaw CVE-2026-31431, “Copy Fail,” is already being exploited to turn ordinary users into root.
- The bug has sat in Linux kernels since August 2017, and researchers say a 732-byte proof of concept works across major distros.
- CISA added it to KEV on May 1, which turns a bad local bug into an urgent patching problem.

Linux has a new privilege-escalation mess, and the reason people are paying attention is simple: this one looks unusually easy to use. “Copy Fail,” tracked as CVE-2026-31431, lets an unprivileged local user become root on a wide range of Linux systems. Microsoft said on May 1 that working exploitation is already happening in the wild, and CISA put the bug on its Known Exploited Vulnerabilities list the same day. (microsoft.com)

### What is Copy Fail?

It’s a local privilege-escalation flaw in the Linux kernel, not a remote internet bug by itself. That means an attacker usually needs some foothold first — a shell on a box, code execution insid(microsoft.com) “full system takeover.” Microsoft, CERT-EU, and Ubuntu all describe it as affecting major Linux distributions. (microsoft.com)

### Why is this one different?

Most Linux local root bugs are fussy. They need a race condition, kernel-version-specific offsets, or lucky timing. Copy Fail stands out because researchers describe it as deterministic (microsoft.com)ss many systems. That reliability is what makes defenders nervous. (copy.fail)

### Where does the bug live?

The flaw sits in the kernel’s `algif_aead` path — part of the crypto interface used for authenticated encryption operations. Ubuntu’s advisory says the vulnerable component is a kernel module that provides hardware-accelerated cryptographic functions, and CERT-EU says the issue was publicly disclosed on April(copy.fail)ce back to code introduced in August 2017, which is why so many distributions inherited it. (ubuntu.com)

### How does root actually happen?

The short version is that the bug gives an attacker a controlled write into the page cache for readable files. That sounds abstract, but basically the page cache is Linux’s in-memory copy of file contents. If you can corrupt the cached version without touchi(ubuntu.com) poisoned data. Several writeups say that primitive can be turned into root access and can also cross container boundaries under the right conditions. (cybersecsentinel.com)

### Why are containers part of the story?

Because containers share the host kernel. If a bug lives in the kernel, isolation gets a lot weaker than people assume. Microsoft explicitly called out risk across cloud environments and Kubernetes(cybersecsentinel.com)— it matters anywhere low-privilege code runs next to more valuable workloads. (microsoft.com)

### What changed this week?

Two things. First, public disclosure landed on April 29, and patch guidance started rolling out from major vendors right after. Second, the U.S. government treated it as actively exploited (microsoft.com)” to “patch now.” (cert.europa.eu)

### So what should admins do?

Patch the kernel packages your distro has released, then reboot into the fixed kernel — just installing updates is not enough if the old kernel is still running. Prioritize multi-user systems, internet-facing hosts with any post-exploit path to local code e(cert.europa.eu) reduce local shell access and watch for suspicious privilege-escalation behavior, but the catch is that mitigations are weaker than just getting onto a fixed kernel. (ubuntu.com)

### Bottom line?

Copy Fail is “just” a local Linux bug, but that undersells it. In modern cloud setups, local access is often the first thing an attacker gets — and root on the shared kernel is the real prize. This one has been sitting in Linux since 2017, it already has public exploit code, and CISA is treating it as actively exploited. That is patch-now territory. (microsoft.com)
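
The patch-then-reboot advice above can be checked mechanically. The shell script below is an added example, not code from the article or from any vendor: it compares the running kernel with the newest installed one and with a fixed version you supply from your distro's advisory (the article states none), and notes whether `algif_aead` is loaded. The function names are hypothetical, and it assumes installed kernels appear under `/lib/modules` and that GNU `sort -V` orders your distro's version strings correctly.

```shell
#!/bin/sh
# Added example (not from the article): confirm the host is *running* a fixed kernel.
# Assumption: GNU `sort -V` orders this distro's kernel version strings correctly.

# Print the highest version from a newline-separated list on stdin.
newest_kernel() {
    sort -V | tail -n 1
}

# Succeed if version $1 is at or above version $2.
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Succeed if module $1 appears in a /proc/modules-format file ($2, default live).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# Report on the live host. $1 = first fixed kernel version taken from your
# distro's advisory (placeholder: the article does not state one).
check_host() {
    fixed="$1"
    running="$(uname -r)"
    newest="$(ls /lib/modules 2>/dev/null | newest_kernel)"
    status=0
    if [ -n "$newest" ] && [ "$running" != "$newest" ]; then
        echo "REBOOT NEEDED: running $running, newest installed $newest"
        status=1
    fi
    if ! version_at_least "$running" "$fixed"; then
        echo "NOT FIXED: running $running is older than $fixed"
        status=1
    fi
    if module_loaded algif_aead 2>/dev/null; then
        echo "NOTE: algif_aead is currently loaded"
    fi
    [ "$status" -eq 0 ] && echo "OK: running $running"
    return "$status"
}

# Run only when a fixed version is supplied: sh check_kernel.sh <FIXED_VERSION>
if [ "$#" -ge 1 ]; then
    check_host "$1"
fi
```

A non-zero exit status means the host still needs a reboot or a newer kernel package, which makes the script usable as a fleet-wide compliance probe.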
