CISA Confirms Active Exploitation of 'Copy Fail' Linux Kernel Flaw Allowing Unprivileged Root Access

CISA confirmed that CVE-2026-31431 ('Copy Fail'), a vulnerability in the Linux kernel's algif_aead cryptographic interface, is being actively exploited one day after Theori researchers disclosed a 100% reliable Python proof-of-concept. The flaw allows unprivileged local users to gain root by writing 4 controlled bytes to the page cache. The exploit works on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. CISA added the flaw to its Known Exploited Vulnerabilities catalog on May 1, with active exploitation confirmed May 4.