CISA has added an actively exploited Linux kernel privilege escalation vulnerability to its Known Exploited Vulnerabilities catalog, warning that the flaw tracked as CVE-2026-31431 allows any unprivileged local user to gain root access using a 732-byte Python script. Nicknamed Copy Fail, the vulnerability carries a CVSS score of 7.8 and affects every mainstream Linux distribution shipping kernels built since 2017.

The flaw was discovered by researcher Taeyang Lee at Korean security firm Theori using their AI-assisted code analysis tool Xint Code, which flagged it as the highest-severity finding after scanning the entire Linux crypto subsystem. Unlike memory corruption bugs that rely on race conditions or timing windows, Copy Fail is a deterministic logic flaw in the AF_ALG cryptographic interface that is 100 percent reliable with no retry loops needed.

The vulnerability resides in the algif_aead kernel module where the authencesn cryptographic template writes four scratch bytes at a fixed offset during decryption. A 2017 optimization that chains page cache pages directly into the output scatterlist via splice allows those bytes to be written into the page cache of any readable file, bypassing normal permission enforcement. An attacker can corrupt the in-memory representation of a privileged binary such as /usr/bin/su to yield root access without modifying the on-disk file.

Microsoft security researchers stated the vulnerability impacts a significant portion of cloud Linux workloads and millions of Kubernetes clusters. Container escape is possible because containers share the host kernel. Weaponized proof-of-concept exploits in Python, C, Go, and Rust are already circulating on GitHub, with the original 732-byte Python exploit requiring no compilation or version-specific offsets.

Patches are now available from all major distributions including Ubuntu, Red Hat, SUSE, Amazon Linux, and Debian. CISA has mandated federal agencies remediate by May 15, 2026. Red Hat issued advisory RHSB-2026-02 rating the flaw as important, while CloudLinux has begun rolling out live patches requiring no reboot.

Organizations that cannot immediately patch should disable or blacklist the algif_aead kernel module as a temporary mitigation. Security teams should prioritize patching all internet-facing servers, Kubernetes nodes, and CI/CD runners, and conduct threat hunts for indicators of exploitation given the trivial attack complexity.
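A defender-side version of that interim mitigation, written as an added example (not code from the article, CISA, or any distribution): it generates the modprobe entry that keeps algif_aead from loading, installs it into a modprobe.d directory of your choice, and checks a /proc/modules-style listing for a copy that is already resident. The file name disable-algif-aead.conf and the sample module listing are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the article or any vendor advisory: generate and
# verify a modprobe blacklist for algif_aead, the interim mitigation named
# above. File name and sample data are this example's own assumptions.
set -eu

MODULE="algif_aead"
CONF_NAME="disable-algif-aead.conf"   # assumed name, any *.conf works

# Print the modprobe.d entry. "blacklist" only stops alias-based autoload;
# the "install" line also makes an explicit "modprobe algif_aead" fail,
# so both directives are emitted.
copyfail_blacklist_conf() {
    printf 'blacklist %s\n' "$MODULE"
    printf 'install %s /bin/false\n' "$MODULE"
}

# Succeed (exit 0) if the module appears in a /proc/modules-style listing
# read from stdin; the module name is the first whitespace-separated field.
module_loaded_in() {
    awk -v m="$MODULE" '$1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# Write the entry into a modprobe.d directory (default /etc/modprobe.d) and
# succeed only if the resulting file carries the install directive.
install_blacklist() {
    dir="${1:-/etc/modprobe.d}"
    mkdir -p "$dir"
    copyfail_blacklist_conf > "$dir/$CONF_NAME"
    grep -q "^install $MODULE /bin/false\$" "$dir/$CONF_NAME"
}

# Blacklisting prevents future loads only; report whether a copy is already
# resident in the running kernel so it can be removed with rmmod.
check_running_kernel() {
    if [ -r /proc/modules ] && module_loaded_in < /proc/modules; then
        echo "$MODULE is loaded; run: rmmod $MODULE"
        return 1
    fi
    echo "$MODULE is not loaded"
}

# Constructed sample in /proc/modules format for offline testing of the parser.
SAMPLE_MODULES='algif_aead 16384 0 - Live 0xffffffffc0a00000
af_alg 32768 1 algif_aead, Live 0xffffffffc09f0000
ext4 90112 1 - Live 0xffffffffc0800000'
```

Run `install_blacklist` as root and then `check_running_kernel`; note that any software relying on the AF_ALG AEAD interface loses it until the kernel is patched and the entry is removed.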