U.S. CISA Adds Linux Kernel Flaw to Catalog
2026-05-04 10:26 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
The recent incident data reveals a critical vulnerability in the Linux kernel, dubbed Copy Fail. This flaw affects major distributions like Ubuntu, RHEL, SUSE, and Amazon Linux, allowing attackers to exploit it by editing setuid binaries on essentially all Linux systems since 2017. The researchers behind this exploit published a demo showing that even normal users can gain root access with just a single 732-byte Python script. This demonstrates the potential for widespread compromise if the vulnerability is not addressed in time.
Technical Mitigations (AI-generated)
* Implement a secure file system: Ensure that all files on the system have proper permissions, and use a secure file system like XFS or Btrfs to prevent unauthorized access.
* Use secure coding practices: Follow best practices for secure coding such as input validation, error handling, and memory management to prevent exploitation of this vulnerability.
* Regularly update and patch Linux distributions: Keep all major Linux distributions up-to-date with the latest security patches to ensure that any known vulnerabilities are addressed before they can be exploited.
* Implement a robust access control mechanism: Ensure that users have only necessary permissions for their accounts, and use a secure authentication mechanism like Kerberos or LDAP to prevent unauthorized access.
* Monitor system logs and detect suspicious activity: Regularly monitor system logs and detect any unusual activity that may indicate the presence of this vulnerability.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-31431
Target & Sectors
NORTH_AMERICA
Incident Timeline
Between 2017 and the patch
Threat actors exploited a zero-day Linux kernel flaw in mainstream Linux distributions built between 2017 and the patch.
“If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you’re in scope.”
March 23
Threat actors exploited a previously unknown zero-day Linux kernel flaw reported by an AI-driven security researcher on March 23.
He reported the vulnerability to the Linux kernel security team on March 23, who started working on a patch over the next few days.
April 22
Xint.io publicly disclosed the CVE-2026-31431 Linux kernel flaw on April 29.
The Linux kernel security team assigned Copy Fail a unique CVE identifier, CVE-2026-31431, on April 22 and Xint.io publicly disclosed it seven days later.
2026/05/04
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in the Linux Kernel to its Known Exploited Vulnerabilities catalog due to AI-driven research by Xint Code researchers, who discovered CVE-2026-31431, dubbed Copy Fail.
U.S. CISA adds a flaw in Linux Kernel to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in the Linux Kernel, tracked as CVE-2026-31431 (CVSS score of 7.8), to its Known Exploited Vulnerabilities (KEV) catalog.
Where most local privilege escalation (LPE) bugs in Linux are probabilistic, Xint noted in its blog post, CVE-2026-31431 works 100% of the time.
Recently, Xint Code researchers warned of a serious Linux flaw, tracked as CVE-2026-31431, dubbed Copy Fail.
The issue affects major distributions like Ubuntu, RHEL, SUSE, and Amazon Linux, and can even cross container boundaries due to shared page cache.
“Copy Fail (CVE-2026-31431) is a logic bug in the Linux kernel’s authencesn cryptographic template.
“A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017. The exploit targets /usr/bin/su, a common setuid-root binary on Linux systems.
The researchers published a demo showing the same 732-byte exploit run on four Linux distributions, where a normal user (uid 1001) consistently gains root access.
Tested systems include Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, covering kernel versions 6.12 to 6.18, all successfully compromised.
Nine-Year-Old Zero-Day Flaw in Linux Kernel Discovered by AI-Equipped Security Researcher.
A new high-severity zero-day vulnerability that has lurked in the Linux kernel since 2017 has just been found with the help of AI.
Copy Fail: An Old Linux Kernel Vulnerability
Copy Fail is a logic bug in the Linux kernel's authencesn cryptographic template.
Exploiting this vulnerability can allow an attacker to gain root access on a machine running any Linux distribution shipped since 2017.
Most major Linux distributions, such as Debian, Ubuntu, SUSE and Red Hat now provide this fix.
Another AI-Assisted Software Scan Yields 9-Year-Old Linux Bug.
With a hunch, and an hour of AI-assisted scanning, cybersecurity researchers identified and then figured out how to exploit a nine-year-old root escalation vulnerability affecting every Linux build since 2017.
It allows any local user to escalate root by leveraging a logic flaw in the Linux kernel's cryptography system.
Copy Fail works thanks to a long history of otherwise sensible updates to the Linux kernel over the years — particularly one update from 2017, which was meant to speed up data encryption.
The Risks in Copy Fail
CVE-2026-31431 works equally across all Linux distributions.
It works across major distros and architectures and forms the basis for both local privilege escalation and Kubernetes container escapes.
"Through various mechanisms like that, you can achieve local privilege escalation, manipulating sensitive configurations of applications running on the system."
Most worrying of all, he adds, "It's very common for people to use Kubernetes clusters to deploy their applications.
The vulnerability poses a risk to multi-user shared systems, container clusters (Kubernetes, Docker, etc.), and similar environments.
"AI is changing the vulnerability research landscape significantly.
A 732-byte script can modify a setuid binary in memory, without changing the file on disk, making detection difficult.
The vulnerability, which researchers at Xint are calling "Copy Fail," has officially been given the designation CVE-2026-31431.
“Copy Fail exploits a kernel logic flaw where corrupted page-cache data is never marked dirty, leaving disk files unchanged while the in-memory version is silently altered.
The bug, surfaced through AI-assisted analysis of crypto-subsystem behavior, is portable, tiny, race-free, and stealthy, unlike Dirty Cow or Dirty Pipe.
The bug combines AF_ALG and splice() to write 4 bytes into the page cache of any readable file. It lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system.” The authencesn algorithm breaks expectations: it uses the output buffer as scratch space and writes 4 bytes past the allowed boundary.
Next, the attacker prepares each 4-byte write. The AAD carries the exact 4-byte value to inject, while splice() maps page cache pages from the target file into the crypto operation. The kernel reads AAD data, performs the authencesn scratch write, and copies 4 bytes into the page cache of the target binary. The HMAC fails, but the corrupted memory remains.
Finally, the attacker runs execve("/usr/bin/su").
The kernel crypto API (AF_ALG) ships enabled in essentially every mainstream distro’s default config, so the entire 2017 → patch window is in play out of the box.”
This nine-year-old flaw, dubbed ‘Copy Fail’, was discovered by Taeyang Lee, a vulnerability researcher at offensive security firm Theori. Lee openly disclosed that he used Xint Code, a source-code analysis tool that is part of Theori’s AI-driven penetration testing platform, Xint.io, to discover the vulnerability.
The vulnerability has been attributed a high-severity rating (CVSS) of 7.8.
Theori has published a proof-of-concept (PoC) exploit so defenders can verify their own systems and validate vendor patches.
Not so — Xint's public proof-of-concept (PoC) exploit code on GitHub runs only 10 lines long.
It reverts the optimization for Authenticated Encryption with Associated Data (AEAD) operations that was added in 2017.
"Another really scary application is continuous integration (CI) runners" — agents or machines that programmatically perform tasks in a software development pipeline.
AI-Driven Vulnerability Research, in Practice
While world leaders, business executives, and Internet conspirators decry the Claude Mythos-induced end of the world, researchers like Becker are quietly already doing the AI-driven vulnerability research everyone's worried about, demonstrating how that work might actually look for the foreseeable future.
"We've had a ton of success using our [internal AI] tool on various databases like Postgres, Redis, MariaDB, where we literally just drop the code in, don't provide any human insight, and we get out an exploitable bug that has been there in some cases for over 20 years.
From his perspective, though, an issue so subtle and so dangerous as Copy Fail wouldn't likely have been unearthed by AI alone.
May 15, 2026
Threat actors exploited a previously unknown zero-day Linux kernel vulnerability.
Intelligence Sources
* Infosecurity-Magazine (2026-05-01)
* Dark Reading (2026-04-30)
* Security Affairs (2026-05-04)
Last Updated: 2026-05-05T06:02
Comprehensive Tactical Telemetry
Highly Correlated Entities (occurrences, category, label: value)
* 32x organisation, Identified Entity: Kubernetes
* 8x timeline, Temporal Reference: May 15, 2026
* 7x attribution, Attributing Entity: SecurityAffairs
* 4x infrastructure, Software Version: 24.04
* 3x tactic, MITRE ATT&CK Technique: T1588.006 - Vulnerabilities
* 2x target region, Target Country: United States
* 2x infrastructure, Affected Product: Linux
* 2x data breach, Byte: 732