

Ethical Hacking News

A Critical Flaw in Linux Kernel Exposed: A Wake-Up Call for System Administrators



The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Linux kernel flaw, dubbed "Copy Fail", to its Known Exploited Vulnerabilities (KEV) catalog. The bug lets an unprivileged local user write four controlled bytes into the page cache of any readable file, leading to a root escalation attack on major distributions. System administrators must act immediately and apply the relevant patches to prevent exploitation.

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in the Linux Kernel to its Known Exploited Vulnerabilities (KEV) catalog.
  • The identified vulnerability, CVE-2026-31431, is dubbed "Copy Fail" due to its unique characteristics.
  • The bug enables a root escalation attack on major distributions such as Ubuntu, RHEL, SUSE, and Amazon Linux.
  • The vulnerability can cross container boundaries due to shared page cache, making it particularly concerning for organizations that rely heavily on containers.
  • The Copy Fail vulnerability is attributed to a logic flaw in the Linux Kernel's authencesn cryptographic template.
  • The discovery of this vulnerability highlights the need for system administrators to stay vigilant about known vulnerabilities and take prompt action to address them.
  • CISA has ordered federal agencies to fix the vulnerability by May 15, 2026, emphasizing the urgency of this situation.



    The cybersecurity landscape has witnessed numerous vulnerabilities in recent times, but one recent discovery stands out for its severity and potential impact. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in the Linux Kernel to its Known Exploited Vulnerabilities (KEV) catalog, which signals a significant concern for system administrators and users of the popular operating system.

    The identified vulnerability, tracked as CVE-2026-31431, is dubbed "Copy Fail" due to its unique characteristics. The bug is reached by combining the kernel's AF_ALG socket interface with the splice() system call, allowing an unprivileged local user to write four controlled bytes into the page cache of any readable file. The implications are far-reaching: it enables a root escalation attack on major distributions such as Ubuntu, RHEL, SUSE, and Amazon Linux. Moreover, because the page cache is shared, the bug can cross container boundaries, which makes it particularly concerning for organizations that rely heavily on containers for their applications.

    The Copy Fail vulnerability is attributed to a logic flaw in the Linux Kernel's authencesn cryptographic template, which allows an unprivileged local user to trigger a deterministic, controlled 4-byte write into the page cache of any readable file. The attack relies on the kernel logic flaw where corrupted page cache data is never marked dirty, leaving disk files unchanged while the in-memory version is silently altered. This results in an attacker being able to corrupt a setuid binary's cached page and gain root access.

    The researchers who discovered this vulnerability used AI-assisted analysis of crypto-subsystem behavior to identify the issue. According to them, Copy Fail abuses the AF_ALG socket interface, which gives any user access to the kernel crypto subsystem without privileges. The exploit uses splice() to map file page cache pages directly into a crypto scatterlist, so operations act on real file-backed memory. During AEAD decryption, the kernel performs the operation in place, mixing user buffers with page cache pages in one writable structure.

    The authencesn algorithm breaks expectations: it uses the output buffer as scratch space and writes 4 bytes past the allowed boundary. In this setup, that write lands directly in the page cache of a chosen file. Attackers control the file, offset, and value, enabling precise memory corruption and privilege escalation. The exploit targets /usr/bin/su, a common setuid-root binary on Linux systems.

    The discovery of Copy Fail highlights the need for system administrators to stay vigilant about known vulnerabilities and take prompt action to address them. In this case, the vulnerability affects kernel versions 6.12 to 6.18 across major distributions. It is essential to apply the relevant patches and updates as soon as possible to prevent exploitation.

    Experts recommend that private organizations review their infrastructure and address the vulnerabilities in a timely manner to protect against attacks exploiting the flaws in the catalog. CISA has ordered federal agencies to fix the vulnerability by May 15, 2026, emphasizing the urgency of this situation.

    In conclusion, the Copy Fail vulnerability serves as a stark reminder of the importance of maintaining up-to-date systems and being proactive about security patches. The Linux community and users must stay informed about known vulnerabilities and take necessary steps to protect their systems from exploitation.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Flaw-in-Linux-Kernel-Exposed-A-Wake-Up-Call-for-System-Administrators-ehn.shtml

  • https://securityaffairs.com/191629/hacking/u-s-cisa-adds-a-flaw-in-linux-kernel-to-its-known-exploited-vulnerabilities-catalog.html

  • https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-31431

  • https://www.cvedetails.com/cve/CVE-2026-31431/


  • Published: Mon May 4 07:51:17 2026 by llama3.2 3B Q4_K_M












