Linux Kernel 'Copy Fail' Vulnerability CVE-2026-31431 Added to CISA KEV Catalog With Active Exploitation
Tags Security · OSS
CISA added CVE-2026-31431 — dubbed 'Copy Fail' — to its Known Exploited Vulnerabilities catalog on May 1, 2026, giving federal agencies until May 15 to remediate. The flaw is a local privilege escalation in the Linux kernel's AF_ALG (asynchronous crypto) socket interface that allows an unprivileged user to perform a controlled 4-byte write to kernel page cache pages, enabling root access. The vulnerability originates from an optimization introduced in 2017 (commit 72548b093ee3) and affects every major Linux distribution shipping a kernel built since then — spanning nearly a decade of deployments. A public proof-of-concept exploit is available. Microsoft Defender reports preliminary testing activity suggesting increased exploitation in the wild. The upstream fix has been committed to mainline (commit a664bf3d603d), but no major distribution has shipped updated kernel packages as of the disclosure date. The CVSS score is 7.8. Administrators should prioritize patching Kubernetes nodes and CI/CD runners exposed to untrusted workloads.
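To help rank hosts for patching, the following added example (not from the original article or from any vendor) reports which AF_ALG kernel modules are loaded and whether the current user or container can open an AF_ALG socket at all. The function names, verdict labels and sample `/proc/modules` text are constructed for illustration; the probe only opens and closes a socket and does not test for the vulnerability or for the presence of the fix.

```python
import errno
import socket

# Kernel modules that implement AF_ALG and its algorithm types.
AF_ALG_MODULES = {"af_alg", "algif_hash", "algif_skcipher", "algif_aead", "algif_rng"}

def loaded_af_alg_modules(proc_modules_text):
    """Return the AF_ALG-related module names found in /proc/modules text."""
    names = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(names & AF_ALG_MODULES)

def classify(err):
    """Map the errno from socket(AF_ALG, ...) to an exposure verdict (labels are illustrative)."""
    if err == 0:
        return "reachable"       # this context can open AF_ALG sockets
    if err == errno.EAFNOSUPPORT:
        return "unavailable"     # AF_ALG not built in and not loadable
    if err in (errno.EPERM, errno.EACCES):
        return "blocked"         # denied by policy, e.g. a seccomp filter or an LSM
    return "unknown"

def probe_af_alg():
    """Open and immediately close an AF_ALG socket as the current user."""
    family = getattr(socket, "AF_ALG", None)
    if family is None:           # non-Linux platform or Python built without AF_ALG
        return "unavailable"
    try:
        socket.socket(family, socket.SOCK_SEQPACKET, 0).close()
        return classify(0)
    except OSError as exc:
        return classify(exc.errno)

# Constructed sample of /proc/modules content, for offline illustration only.
SAMPLE_PROC_MODULES = """\
algif_hash 16384 0 - Live 0x0000000000000000
af_alg 32768 1 algif_hash, Live 0x0000000000000000
ext4 1032192 2 - Live 0x0000000000000000
"""

if __name__ == "__main__":
    try:
        with open("/proc/modules") as fh:
            print("AF_ALG modules loaded:", loaded_af_alg_modules(fh.read()))
    except OSError:
        print("AF_ALG modules loaded: /proc/modules not readable")
    print("AF_ALG socket creation:", probe_af_alg())
```

An AF_ALG implementation compiled into the kernel does not appear in `/proc/modules`, and the socket probe can trigger module autoload, which is why the script reads `/proc/modules` before probing.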