The US Cybersecurity and Infrastructure Security Agency added CVE-2026-31431, a Linux kernel privilege-escalation flaw nicknamed "Copy Fail," to its Known Exploited Vulnerabilities catalog on 1 May 2026, giving Federal Civilian Executive Branch agencies until 15 May to patch every affected system. The vulnerability carries a CVSS score of 7.8 (high) and has been observed under active exploitation in the wild.
The exploit is small enough to fit in a tweet. According to the Cybersecurity News write-up that broke the technical details, "a 732-byte Python script is all an unprivileged local user needs to reliably escalate privileges to root." The flaw lives in the algif_aead module's authentication cryptographic template — used during in-place operations — and chains the AF_ALG socket interface with a splice() system call to achieve a controlled 4-byte kernel-page-cache overwrite that corrupts sensitive binaries.
Affected — essentially everything
The bug was introduced by three individually harmless commits made to the kernel in 2011, 2015, and 2017. That means every major distribution shipped since 2017 is affected: Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, SUSE 16, Debian, Fedora, and Arch Linux. Patches are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.
Containers and Kubernetes are the soft target
What makes Copy Fail especially dangerous is that the exploit "requires no root privileges inside containers, no kernel modules, and no network access." That combination is precisely the threat model containers were supposed to mitigate. In a multi-tenant Kubernetes cluster running on GKE, EKS, or AKS, a single compromised container can now escape its sandbox via a kernel-host attack path that bypasses every container-level hardening measure the orchestrator provides.
What to do today
If you run any production Linux host, the patch path is the only acceptable response. The kernel team has backports for the major LTS lines; cloud providers including AWS, GCP and Azure have rolled host-level patches into their managed-Kubernetes control planes — but customer-managed worker nodes and self-hosted Kubernetes clusters need operator action. CISA's federal deadline has passed but the urgency hasn't: a privilege-escalation primitive of this size will be added to commodity exploit kits within weeks, if it hasn't been already.
For anyone running self-hosted infrastructure on Exabytes, Linode, DigitalOcean, or smaller regional providers: ask whether kernel-level patching has been applied at the hypervisor host, and patch your VM kernels regardless. The provider patch closes the host-to-host risk; the VM patch closes the in-VM risk.
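For triaging a fleet against the fixed releases listed above, the following is an added example, not code from CISA, the kernel project or the cited write-up. It sorts kernel release strings (as printed by uname -r) into patch-status buckets; the host names and release strings are constructed, and treating every release after 7.0 as fixed is an assumption.

```python
import re

# Fixed upstream releases as listed in the article: 6.18.22, 6.19.12 and 7.0.
FIXED_PATCH = {(6, 18): 22, (6, 19): 12}
FIXED_FROM = (7, 0)  # assumption: every release after 7.0 also carries the fix

def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` style string, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def classify(release):
    """Sort one kernel release into a patch-status bucket."""
    version = parse_release(release)
    if version is None:
        return "unparsed"
    if re.search(r"-rc\d+", release):
        return "check-vendor"          # pre-release builds may predate the fix
    series = version[:2]
    if series >= FIXED_FROM:
        return "fixed-upstream"
    if series in FIXED_PATCH:
        if version[2] >= FIXED_PATCH[series]:
            return "fixed-upstream"
        return "below-fixed-release"
    # Older series: the article says backports exist but gives no version
    # numbers, so only the distribution's advisory can settle these.
    return "check-vendor"

def triage(inventory):
    """Group hosts by status; `inventory` maps host name -> kernel release."""
    report = {}
    for host, release in sorted(inventory.items()):
        report.setdefault(classify(release), []).append(host)
    return report

# Constructed sample inventory (host names and release strings are made up).
SAMPLE = {
    "node-a": "6.18.22",
    "node-b": "6.18.9-200.fc43.x86_64",
    "node-c": "6.19.12-arch1-1",
    "node-d": "6.8.0-31-generic",
    "node-e": "7.0.0-rc3",
    "node-f": "custom-build",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

A below-fixed-release result on a distribution kernel still needs the vendor advisory, since distributions can backport a fix without changing the upstream version number.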
Sources and cross-checks: Primary: Cybersecurity News — CISA Warns of Linux "Copy Fail" 0-Day Vulnerability Exploited to Root Systems. Corroborated against: CISA Known Exploited Vulnerabilities Catalog and The Hacker News KEV reporting. CVE-2026-31431 catalog entry verified 18 May 2026.