Critical 'Copy Fail' Linux Vulnerability Exploited in the Wild; CISA Orders Immediate Patching
A critical vulnerability in the Linux kernel, dubbed 'Copy Fail,' is actively being exploited. **CISA** has added the flaw to its Known Exploited Vulnerabilities catalog, mandating immediate patching for federal agencies.

The cybersecurity community is on high alert after reports surfaced that threat actors are actively exploiting the 'Copy Fail' Linux security vulnerability, just a day after its disclosure by **Theori** researchers. The urgency stems from the potential for unprivileged local users to gain root privileges on affected systems.
## CVE-2026-31431: The 'Copy Fail' Vulnerability
Tracked as **CVE-2026-31431**, this security flaw resides within the Linux kernel's algif_aead cryptographic algorithm interface. The vulnerability allows local users to escalate privileges by writing four controlled bytes to the page cache of any readable file. This grants them root access on unpatched Linux systems.
## Proof-of-Concept Exploit Released
**Theori** researchers publicly disclosed the vulnerability and released a proof-of-concept (PoC) exploit written in Python. According to the researchers, the exploit is highly reliable, achieving "100% reliable" root access on **Ubuntu 24.04 LTS**, **Amazon Linux 2023**, **RHEL 10.1**, and **SUSE 16** devices.
Furthermore, **Theori** asserts that the same exploit script can be used against almost any Linux distribution released since 2017 with a vulnerable kernel version.
"Same script, four distributions, four root shells - in one take. The same exploit binary works unmodified on every Linux distribution," **Theori** stated. "If your kernel was built between 2017 and the patch - which covers essentially every mainstream Linux distribution - you're in scope."
## Patching Efforts and Initial Delays
While major Linux distributions have begun issuing kernel updates to address the vulnerability, **Will Dormann**, principal vulnerability analyst at Tharros, noted that official updates were not available at the time of **Theori's** advisory.

*Getting a root shell on four Linux distros (Theori)*
## CISA's Directive and Recommendations
On Friday, **CISA** added the 'Copy Fail' vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. This action mandates that Federal Civilian Executive Branch (FCEB) agencies patch their Linux endpoints and servers by May 15, as stipulated by Binding Operational Directive (BOD) 22-01.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the U.S. cybersecurity agency warned.
**CISA** urged agencies to "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
While BOD 22-01 specifically targets U.S. government agencies, **CISA** strongly advises all security teams to prioritize patching **CVE-2026-31431** to secure their networks.
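The KEV listing turns a vulnerability report into a dated obligation, and the practical question for a security team is which hosts still need the update before the due date. The following script is an added example, not code from the article, CISA or Theori: it parses records in the shape of CISA's published KEV JSON feed (the field names `cveID`, `vendorProject`, `product`, `dueDate` and so on are the feed's own), matches them against a host inventory, and lists unpatched hosts ordered by deadline. The feed sample and inventory are constructed for illustration; the May 15 due date comes from the article, the 2026 year is inferred from the CVE identifier, and the second catalog entry is a placeholder.

```python
"""Triage a CISA KEV feed against a host inventory (added example).

The real feed lives at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and a production run would fetch it over HTTPS; this example embeds a
constructed sample so it runs offline.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the KEV feed's record shape. The due date mirrors the
# May 15 deadline reported for CVE-2026-31431; dateAdded, the description and
# the second entry are placeholders, not catalog data.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-31431",
      "vendorProject": "Linux",
      "product": "Kernel",
      "vulnerabilityName": "Linux Kernel Privilege Escalation Vulnerability",
      "dateAdded": "2026-05-01",
      "shortDescription": "Placeholder description.",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-05-15",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    },
    {
      "cveID": "CVE-0000-0000",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "vulnerabilityName": "Placeholder entry",
      "dateAdded": "2026-04-01",
      "shortDescription": "Placeholder description.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2026-04-22",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
"""


@dataclass(frozen=True)
class Host:
    """One inventory record: what the host runs and which CVEs it has patched."""
    name: str
    vendor_project: str
    product: str
    patched_cves: frozenset[str]


# Constructed inventory: two Linux hosts (one already patched), one host
# running the placeholder product, and one host the catalog does not cover.
SAMPLE_INVENTORY = [
    Host("web-01", "Linux", "Kernel", frozenset()),
    Host("db-01", "Linux", "Kernel", frozenset({"CVE-2026-31431"})),
    Host("build-01", "ExampleVendor", "ExampleProduct", frozenset()),
    Host("win-01", "Microsoft", "Windows", frozenset()),
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    due: date
    days_left: int      # negative once the deadline has passed
    overdue: bool


def load_kev(raw: str) -> list[dict]:
    """Return the vulnerability records from a KEV-format JSON document."""
    return json.loads(raw)["vulnerabilities"]


def triage(entries: list[dict], inventory: list[Host], today: date) -> list[Finding]:
    """Match catalog entries to unpatched hosts, earliest deadline first."""
    findings: list[Finding] = []
    for entry in entries:
        due = date.fromisoformat(entry["dueDate"])
        key = (entry["vendorProject"].casefold(), entry["product"].casefold())
        for host in inventory:
            if (host.vendor_project.casefold(), host.product.casefold()) != key:
                continue
            if entry["cveID"] in host.patched_cves:
                continue  # already remediated, nothing to track
            days_left = (due - today).days
            findings.append(Finding(host.name, entry["cveID"], due, days_left, days_left < 0))
    findings.sort(key=lambda f: (f.due, f.host))
    return findings


def run_sample(today_iso: str) -> list[tuple[str, str, int, bool]]:
    """Run the triage on the embedded sample; returns (host, cve, days_left, overdue)."""
    findings = triage(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, date.fromisoformat(today_iso))
    return [(f.host, f.cve_id, f.days_left, f.overdue) for f in findings]


if __name__ == "__main__":
    for host, cve, days, overdue in run_sample(date.today().isoformat()):
        status = "OVERDUE" if overdue else f"{days} day(s) left"
        print(f"{host:10} {cve:16} {status}")
```

Matching on vendor and product is deliberately coarse, which is how the KEV catalog itself is keyed; in practice the inventory side would carry kernel versions so that `patched_cves` can be derived from the distribution's advisory data rather than maintained by hand.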
## Recent History of Linux Kernel Vulnerabilities
This incident follows closely on the heels of another high-severity root-privilege escalation vulnerability, **CVE-2026-41651** (dubbed Pack2TheRoot), which was patched by Linux distributions last month. This vulnerability had persisted for over a decade in the PackageKit daemon.