

Ethical Hacking News

CISA Warns of Exploited Linux 'Copy Fail' Flaw, Urges Immediate Patching


A recently discovered Linux vulnerability was found being exploited in the wild just one day after researchers disclosed it, prompting CISA to issue a warning and urge all organizations to patch their systems as soon as possible.

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the "Copy Fail" Linux security vulnerability (CVE-2026-31431).
  • This vulnerability allows unprivileged local users to gain root privileges on unpatched Linux systems by writing four controlled bytes.
  • The vulnerability affects various Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 devices.
  • CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their systems within two weeks.
  • The urgency around this vulnerability is amplified by the fact that attackers have started exploiting it in the wild.



    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about an exploited Linux security vulnerability known as "Copy Fail" (CVE-2026-31431), which was found being exploited in the wild one day after researchers disclosed it. The vulnerability, present in the Linux kernel's algif_aead cryptographic algorithm interface, allows unprivileged local users to gain root privileges on unpatched Linux systems by writing four controlled bytes to the page cache of any readable file.

    The "Copy Fail" flaw was discovered by Theori researchers, who also shared a proof-of-concept (PoC) exploit. The vulnerability can be used to gain root access on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 devices. Furthermore, the same script can be used reliably against any Linux distribution shipped since 2017 with a vulnerable kernel version.

    CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their Linux endpoints and servers within two weeks. The agency warned that this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

    Tharros' principal vulnerability analyst, Will Dormann, noted on Thursday that there were no "official updates" when Theori published its advisory. This means that many Linux distros began pushing the fix via kernel updates after CISA added it to the KEV Catalog.

    The urgency around this vulnerability is amplified by the fact that attackers have started exploiting it in the wild. CISA urged all security teams to secure their networks as soon as possible by prioritizing CVE-2026-31431 patches. While BOD 22-01 applies only to U.S. government agencies, CISA advised all organizations to take proactive steps to mitigate this vulnerability.
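
To help prioritize those patches, the following host inventory check is an added example, not code from CISA, Theori or the original article: it classifies the algif_aead module named above as loaded, built in, loadable or absent, using standard kernel metadata files. The function name and state labels are this example's own, and presence of the module does not by itself show that a kernel is unpatched.

```sh
#!/bin/sh
# Added example: inventory the algif_aead component on a Linux host.
# It reports where the module is present, not whether the kernel is patched;
# confirm patch status against your distribution's advisory.

# algif_aead_state <proc_modules> <modules.builtin> <modules.dep>
# Prints one of: loaded | builtin | loadable | absent
algif_aead_state() {
    proc_modules=$1
    builtin_list=$2
    dep_list=$3

    # /proc/modules: the first field of each line is a loaded module's name.
    if [ -r "$proc_modules" ] &&
       awk '$1 == "algif_aead" { f = 1 } END { exit !f }' "$proc_modules"; then
        echo loaded
        return 0
    fi

    # modules.builtin: one path per line, e.g. kernel/crypto/algif_aead.ko
    if [ -r "$builtin_list" ] &&
       grep -Eq '(^|/)algif_aead\.ko$' "$builtin_list"; then
        echo builtin
        return 0
    fi

    # modules.dep: "path/mod.ko[.xz|.zst|.gz]: dependencies". A match on the
    # left of the colon means the module is installed and the kernel may
    # load it on demand.
    if [ -r "$dep_list" ] &&
       grep -Eq '(^|/)algif_aead\.ko(\.(xz|zst|gz))?:' "$dep_list"; then
        echo loadable
        return 0
    fi

    echo absent
}

# Report for the running kernel.
rel=$(uname -r)
state=$(algif_aead_state /proc/modules \
    "/lib/modules/$rel/modules.builtin" \
    "/lib/modules/$rel/modules.dep")
echo "kernel $rel: algif_aead is $state"
```

Hosts reporting `loaded`, `builtin` or `loadable` carry the affected interface and are the ones to check against vendor kernel updates first.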

    The incident serves as a reminder of the importance of patching and keeping systems up-to-date. It also highlights the value of collaboration among security professionals and researchers in identifying vulnerabilities and sharing information about potential threats.

    In recent months, there have been other high-severity root-privilege escalation vulnerabilities that had persisted for more than a decade in the PackageKit daemon. One such example is CVE-2026-41651, which was dubbed "Pack2TheRoot". The fact that many Linux distros were able to patch this vulnerability before its widespread exploitation underscores the importance of staying vigilant and proactive when it comes to security.





  • Published: Mon May 4 07:11:54 2026 by llama3.2 3B Q4_K_M












