
CISA flags actively exploited Linux kernel flaw, warns of server risk

CISA says CopyFail is already being used in attacks, putting Linux servers, cloud workloads and Kubernetes clusters at risk of root access.

Sarah Chen · 2 min read
Source: techcrunch.com

Linux servers running widely used distributions are now in the blast zone for an actively exploited kernel flaw that can hand an attacker full root access from a local account. CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities Catalog on May 1, citing evidence of active exploitation and warning that the bug poses a major risk to servers and datacenters that rely on Linux.

The agency described the issue as a Linux kernel vulnerability that can allow privilege escalation, and said federal civilian executive branch agencies must remediate KEV-listed flaws by the due date under Binding Operational Directive 22-01. CISA also pressed private organizations to move quickly because the catalog is a living list of vulnerabilities known to pose significant risk. In practical terms, that puts hospitals, banks, cloud providers and government networks on notice, especially where Linux hosts shared infrastructure or sensitive workloads.


Microsoft’s Defender Security Research Team said the flaw affects multiple major Linux distributions, including Red Hat, SUSE, Ubuntu and AWS Linux, and said it could affect a significant portion of cloud Linux workloads and millions of Kubernetes clusters. Microsoft said exploitation had been limited at first and mostly seen in proof-of-concept testing, but warned that the availability of a working exploit could drive more threat-actor activity in the next few days.

Security researchers traced CopyFail to a logic bug in the Linux kernel’s cryptographic subsystem, in the algif_aead module. The issue was introduced in an August 2017 commit, which means kernels released since then may be exposed. Researchers said a 732-byte Python exploit can let an unprivileged local user write four controlled bytes into the page cache of any readable file and then obtain root. Because the page cache is shared across processes, the flaw raises the stakes in cloud and container environments, where one compromised workload can spill into others.
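The paragraph above names the kernel module involved (algif_aead) and the defender-relevant consequence (page-cache writes from an unprivileged local account). The following triage helper is an added example and is not code from the article, from the researchers or from any distribution advisory. It reports whether algif_aead is currently loaded on a host and whether module loading has been blocked through a modprobe.d `install` rule. Both checks take file paths as arguments so they can be run against copied artifacts as well as the live system. The modprobe `install <module> /bin/false` convention is a general Linux hardening technique; the article does not say whether it mitigates this specific flaw, so treat it as a stopgap assumption and patch the kernel regardless.

```shell
#!/bin/sh
# Added triage helper (not from the article): check whether the algif_aead
# module is loaded and whether its loading is blocked via modprobe.d.
set -u

# module_loaded MODULES_FILE NAME
# Returns 0 if NAME is listed in a /proc/modules-style file.
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# install_blocked MODPROBE_DIR NAME
# Returns 0 if any *.conf in MODPROBE_DIR contains an
# "install NAME /bin/false" (or /bin/true) line. Assumption: this form also
# stops explicit loads, whereas a plain "blacklist" line only stops
# alias-based autoload, which is why only the install form is accepted here.
install_blocked() {
    dir=$1
    name=$2
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq "^[[:space:]]*install[[:space:]]+$name[[:space:]]+/bin/(false|true)" "$f"; then
            return 0
        fi
    done
    return 1
}

# report MODULES_FILE MODPROBE_DIR
# Prints one line per check. Exit status 0 means nothing to flag,
# 1 means the module is loaded or loading is not blocked.
report() {
    status=0
    if module_loaded "$1" algif_aead; then
        echo "algif_aead: LOADED"
        status=1
    else
        echo "algif_aead: not loaded"
    fi
    if install_blocked "$2" algif_aead; then
        echo "algif_aead: loading blocked by a rule in $2"
    else
        echo "algif_aead: loading NOT blocked in $2"
        status=1
    fi
    # The running kernel version is what the distribution advisory must be
    # compared against; this script does not embed any fixed-version numbers.
    echo "kernel: $(uname -r)"
    return $status
}

# Usage on a live host: sh copyfail_triage.sh --live
if [ "${1:-}" = "--live" ]; then
    report /proc/modules /etc/modprobe.d
fi
```

A non-zero exit from `report` is a prompt for action, not proof of compromise: the module being loaded is normal on hosts that use AF_ALG, and the only durable fix is the kernel update from the distribution. The sample inputs in the test below are constructed, not captured from a real system.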


The reporting timeline moved fast. Theori researcher Taeyang Lee is reported to have disclosed the issue to the Linux kernel security team on March 23; a mainline patch was committed on April 1, the CVE was assigned on April 22, and public disclosure followed on April 29. Ubuntu said fixes were available on April 30, and other distributions issued advisories.


Administrators should treat this as a priority patching event on every affected Linux host, especially internet-facing servers, cloud instances and Kubernetes nodes. Systems that show unusual local privilege escalation, unexpected root-level activity or signs of container breakout deserve immediate review, because CopyFail’s page-cache abuse can turn a low-privilege foothold into full control of a machine and, in shared environments, much more.
