CISA adds Linux kernel 'Copy Fail' privilege escalation flaw to KEV catalog with active exploitation confirmed
Tags: Security · Infrastructure · OSS

CISA added CVE-2026-31431, dubbed 'Copy Fail,' to its Known Exploited Vulnerabilities catalog on May 1, 2026, giving federal agencies a May 15 remediation deadline. The flaw is a local privilege escalation in the Linux kernel's algif_aead module (AF_ALG socket interface) with a CVSS score of 7.8. An unprivileged local user can gain root via a deterministic 732-byte Python exploit that performs a controlled 4-byte write into the kernel page cache by chaining an AF_ALG socket operation with splice(). The exploit works from unprivileged containers without root, kernel modules, or network access, making it critical for multi-tenant cloud environments. All major Linux distributions shipped since 2017 are affected, including RHEL, Rocky, AlmaLinux, Debian, Ubuntu, and SUSE. Microsoft Defender reports preliminary testing activity suggesting imminent wider exploitation. The interim mitigation is to blacklist the algif_aead kernel module.
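
An audit for the interim mitigation named above, added here as an example; it is not from the article or from any vendor advisory. It assumes the usual /proc/modules format and modprobe.d directories, and its function names are hypothetical. It reports a blacklist line separately from an install override because, per modprobe.d(5), blacklist only ignores a module's internal aliases while install replaces the load command itself.

```shell
#!/bin/sh
# Added example (not from the article): audit the algif_aead module mitigation.
# Assumed inputs: a /proc/modules-style file and modprobe.d-style directories.
MOD='algif[_-]aead'   # modprobe treats '-' and '_' in module names alike

# Succeeds if the module is currently loaded according to FILE.
module_loaded() {
    grep -Eq "^${MOD} " "$1" 2>/dev/null
}

# Prints the strongest block found in DIR...: install, blacklist or none.
block_level() {
    level=none
    for d in "$@"; do
        for f in "$d"/*.conf; do
            [ -f "$f" ] || continue          # unmatched glob or missing dir
            # "install <mod> /bin/false" makes modprobe run false instead of loading.
            if grep -Eq "^[[:space:]]*install[[:space:]]+${MOD}[[:space:]]+/(usr/)?s?bin/(false|true)[[:space:]]*\$" "$f"; then
                echo install
                return 0
            fi
            # "blacklist <mod>" is weaker: it only ignores the module's aliases.
            if grep -Eq "^[[:space:]]*blacklist[[:space:]]+${MOD}[[:space:]]*\$" "$f"; then
                level=blacklist
            fi
        done
    done
    echo "$level"
}

# audit_algif PROC_MODULES_FILE DIR...: one-line status for reporting.
audit_algif() {
    pm=$1; shift
    if module_loaded "$pm"; then loaded=yes; else loaded=no; fi
    echo "loaded=$loaded block=$(block_level "$@")"
}

# Live check against the conventional locations (assumed paths).
audit_algif /proc/modules /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d
```

A result of loaded=yes means the module is still resident: a modprobe.d entry does not unload it, so it has to be removed or the host rebooted before the block takes effect.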