Fifteen years. One bug. Now actively exploited.
A flaw in the Linux kernel has spent up to fifteen years hiding in plain sight, and attackers have caught up. CVE-2026-31431, nicknamed "Copy Fail" by the research community (a reference to the three independent kernel commits from 2011, 2015, and 2017 whose interaction makes the bug look like a copy operation gone wrong), allows any unprivileged local user to gain root. The CVSS base score sits at 7.8. That rating reflects the local-only access requirement, but in shared hosting, on multi-tenant container platforms, or on any system reached through a prior foothold, local access is rarely the obstacle it sounds like. The number understates the danger.
The bug lives in the kernel's authenticated-encryption (AEAD) crypto path, specifically the AF_ALG user-space crypto interface and its algif_aead module. Researchers from Theori and Xint traced its origins to three separate kernel changes made in 2011, 2015, and 2017. Each change was reasonable on its own. Together, they interact in ways the original authors did not anticipate.
What Copy Fail actually does
Most privilege escalation bugs are noisy. They drop binaries, modify configuration files, or otherwise leave evidence on disk that a forensic investigator can find later. Copy Fail does none of that.
The exploit corrupts the kernel's in-memory page cache of readable files. That includes setuid binaries, which are exactly the kind of high-value targets an attacker wants to subvert because they execute with elevated permissions. By tampering with the cached copy of a setuid binary in memory, the attacker injects code that the kernel will run at execution time. The file on disk is untouched. Checksum it, hash it, compare it against a known-good golden image, and everything looks fine.
Then the binary runs, and the attacker has root.
This is why the technique is so awkward to defend against. Standard file integrity monitoring tools watch disk state. They do not watch memory. A setuid binary that appears identical to its packaged version can still be a vehicle for arbitrary code execution if the page cache has been poisoned. Catching this at runtime requires kernel-level memory monitoring, which most organisations do not deploy across their server estate.
Why a 7.8 understates the risk
The CVSS 7.8 score reflects the fact that this is a local-only flaw. There is no remote attack path without a prior foothold. An attacker on the public internet cannot reach into a server and trigger Copy Fail directly. They need access to the box first.
That sounds reassuring. It often is not. The gap between a CVSS base score and real-world impact is exactly the kind of thing the headline number cannot capture.
Shared hosting providers run thousands of customer accounts on the same kernel. Multi-tenant container platforms place workloads from different organisations on shared hosts. Any system that has already been partly compromised, perhaps through a web application bug or a phished credential, presents an attacker with exactly the kind of unprivileged local access this exploit needs. In those environments, the effective risk is much higher than a 7.8 suggests. The score measures the first step. The damage happens after.
SecurityWeek's analysis makes the same point. Local access is not a high bar in real-world breach chains. It is frequently the second move in a longer sequence, and Copy Fail turns that second move into full root.
The patch picture
The Linux kernel team has released fixes in versions 6.18.22, 6.19.12, and 7.0. Every Linux distribution shipped since 2017 is affected in some form, which is to say almost every production server, container image, and embedded device running a modern kernel.
Distribution maintainers are backporting the fixes to their supported releases. Administrators should check their distribution's security tracker for the specific package version that contains the patch, because the upstream kernel version alone is not always a reliable indicator of what a vendor has shipped.
The United States Cybersecurity and Infrastructure Security Agency has added the CVE to its Known Exploited Vulnerabilities catalogue. Federal Civilian Executive Branch agencies have been ordered to patch by 15 May 2026. CISA does not add bugs to the KEV catalogue speculatively. The agency confirmed evidence of active exploitation, and the Microsoft Defender Security Research Team has reported preliminary testing activity suggesting that broader threat actor exploitation is imminent.
What administrators should do this week
Patch first. Everything else is secondary. If your kernel version predates 6.18.22, 6.19.12, or 7.0, or your distribution has not yet pushed a backported fix, that system is a candidate for Copy Fail. When triaging the rest of your backlog, prioritise by which CVEs are actually being exploited: a KEV listing with confirmed in-the-wild activity sits at the top of that pile.
After patching, review your attack surface with this specific class of bug in mind. Anywhere an unprivileged user can run code on a host, the risk applies. That includes shared hosting, CI runners, jump boxes, developer workstations with sudo access, and container hosts. The list is longer than most security teams care to admit.
Reconsider detection. Disk-based file integrity monitoring will not see Copy Fail. Build runtime detection that can catch suspicious setuid execution patterns, unexpected kernel module behaviour, or unusual page cache activity. The indicators of compromise for this attack are subtle and short-lived, which makes proactive instrumentation matter more than retrospective log review.
Finally, treat any system that you cannot patch quickly as already at risk. Limit who can obtain local access. Audit your container escape paths. Assume that the attacker already has the local foothold this exploit needs, and design your controls accordingly.
A fifteen-year-old logic flaw, three innocent commits, and one very clever piece of research. That is the story of Copy Fail. The fix is available. The exploitation is happening now.
Frequently asked questions
Does CVE-2026-31431 require network access to exploit?
The attacker just needs a foothold on the box, not a route through the firewall. Copy Fail is a local privilege escalation flaw and an attacker must already have unprivileged code execution on the target system. The vulnerability lives in the AF_ALG subsystem and the algif_aead module, both of which are reached through local syscalls rather than any network-facing service. The catch is that local access is cheap in modern environments: shared hosting accounts, CI runners, multi-tenant container hosts, and any box where a web application bug or a phished credential has already landed all qualify. Treat the local-only label as a description of the first step, not as a reason to deprioritise patching, and assume that for internet-facing systems an attacker is one ordinary web bug away from the conditions Copy Fail needs.
Can file integrity monitoring detect exploitation?
No, standard file integrity monitoring will not catch Copy Fail. The exploit corrupts the kernel's in-memory page cache of setuid binaries, so the file on disk is never modified and any checksum or hash comparison against a golden image will come back clean. To see this technique at runtime you need kernel-level memory monitoring that can spot suspicious setuid execution patterns, unexpected kernel module behaviour, or unusual page cache activity. Pair that instrumentation with strict controls on who can obtain unprivileged local access in the first place, because the indicators of compromise here are subtle and short-lived and will not survive into next morning's log review.
Which kernel versions contain the fix?
The upstream patches landed in kernel versions 6.18.22, 6.19.12, and 7.0. Anything older is potentially vulnerable, and because every Linux distribution shipped since 2017 is affected in some form, that covers almost every production server, container image, and embedded device in the field. Distribution maintainers are backporting the fixes to their supported releases, so the correct check is your distribution's security tracker for the specific package version, not the raw upstream kernel number reported by uname. Federal Civilian Executive Branch agencies in the US have been ordered to patch by 15 May 2026 under the CISA KEV listing, which is a reasonable deadline for everyone else to treat as a ceiling rather than a floor.
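A small triage helper for the version check described in the "What administrators should do this week" section and in the answer above, added here as an example (it is not code from the article, the researchers, or the kernel project): it classifies a uname -r string against the three fixed upstream versions the article names, and deliberately refuses to pronounce on any other series, because a distribution backport can carry the fix under an older kernel number.

```python
import platform
import re

# Upstream releases that carry the Copy Fail fix, as stated in the article.
# Stable series (major, minor) -> first patch release in that series with the fix.
FIXED_IN = {
    (6, 18): 22,
    (6, 19): 12,
}
FIXED_FROM_MAJOR = 7  # 7.0 and anything later ships fixed

FIXED = "fixed-upstream"            # upstream number is at or above the fix
VULNERABLE = "vulnerable-upstream"  # 6.18.x / 6.19.x below the fixed point
UNKNOWN = "check-distro-tracker"    # other series: only the distro's security tracker can say


def parse_kernel_release(release: str):
    """Extract (major, minor, patch) from a uname -r string such as '6.18.22-generic'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return major, minor, patch


def upstream_fix_status(release: str) -> str:
    """Classify a kernel by the upstream fixed versions alone.

    A VULNERABLE result is only 'vulnerable unless your distribution backported the fix';
    an UNKNOWN result (e.g. a distro LTS kernel on an older series) means the upstream
    number says nothing, and the package changelog or security tracker is the source.
    """
    major, minor, patch = parse_kernel_release(release)
    if major >= FIXED_FROM_MAJOR:
        return FIXED
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return UNKNOWN
    return FIXED if patch >= fixed_patch else VULNERABLE


if __name__ == "__main__":
    running = platform.release()
    print(f"kernel {running}: {upstream_fix_status(running)}")
```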