Exploitation of ‘Copy Fail’ Linux Vulnerability Begins

https://www.securityweek.com/exploitation-of-copy-fail-linux-vulnerability-begins/

Publish Date: 2026-05-04 06:42:00

Source Domain: www.securityweek.com

Threat actors are exploiting a recently disclosed Linux kernel vulnerability leading to root shell access, the US cybersecurity agency CISA warns.

Tracked as CVE-2026-31431 and dubbed Copy Fail, the flaw went unnoticed for almost a decade and affects the kernels shipped by all Linux distributions since 2017.

The bug sits in the kernel’s authencesn AEAD template. A local attacker who can already run code on the machine can abuse it to modify the page-cache copy of any readable setuid-root binary, without touching the file on disk, and so elevate privileges to root.

Copy Fail was disclosed on April 29, and CISA added it to its Known Exploited Vulnerabilities (KEV) catalog on Friday, urging federal agencies to patch it within two weeks.

While CISA has not shared details of the observed exploitation, Microsoft said on Friday that it has so far seen only limited in-the-wild activity, mostly proof-of-concept (PoC) testing.

Even so, the tech giant warns that CVE-2026-31431 is broadly applicable and that a working PoC exploit is publicly available, which should concern defenders despite the minimal activity seen so far.


“Successful exploitation leads to full root privilege escalation (high impact to confidentiality, integrity, and availability) and could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments,” Microsoft notes.

“Its reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI/CD, and Kubernetes environments where untrusted code execution is common,” the company says.

Copy Fail, Microsoft warns, can be exploited by any local, unprivileged user, and can be chained with Secure Shell (SSH) access, malicious CI jobs, or access to containers to achieve root shell access.
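The mechanism described above (an in-memory modification of the page-cache copy of a readable setuid-root binary) suggests one practical check: every process that reads a file, including a hashing tool, is served the kernel’s cached pages, so a poisoned binary hashes differently from a clean baseline even though nothing on disk has changed. The script below is an added example written for this page; it is not code from the article, from Microsoft or from CISA, and the function names, the optional owner filter and the baseline path in the usage comment are the editor’s own choices. It assumes GNU coreutils (`find`, `sha256sum`) on Linux.

```shell
#!/bin/sh
# Added example, not from the article: point-in-time integrity check for
# setuid binaries. Every reader of a file (sha256sum included) gets the
# kernel's page-cache copy, so a binary whose cached pages were altered
# hashes differently from the clean baseline even though the on-disk blocks
# and the package database are untouched.
#
# Caveat: once the altered pages are evicted (memory pressure, reboot, or
# `echo 3 > /proc/sys/vm/drop_caches`) the file reverts to its on-disk
# content and a later run matches again. A clean result is therefore not
# proof of absence; a mismatch with no legitimate package update is a lead.
set -u

# Print the setuid regular files under ROOT (default /), one per line.
# Pass a uid as the second argument to restrict by owner (0 = setuid-root,
# the set the vulnerability is described against).
list_setuid() {
    root=${1:-/}
    owner=${2:-}
    if [ -n "$owner" ]; then
        find "$root" -xdev -type f -perm -4000 -uid "$owner" 2>/dev/null | sort
    else
        find "$root" -xdev -type f -perm -4000 2>/dev/null | sort
    fi
}

# Record "<sha256>  <path>" for every setuid file under ROOT into BASELINE.
# Run this on a host you trust, and keep the baseline off-box.
record_baseline() {
    root=$1
    baseline=$2
    owner=${3:-}
    list_setuid "$root" "$owner" | while IFS= read -r f; do
        sha256sum -- "$f"
    done > "$baseline"
}

# Re-hash every path listed in BASELINE and print the ones that differ.
# Exit status 0 = all match, non-zero = at least one mismatch or missing file.
check_baseline() {
    baseline=$1
    sha256sum -c --quiet -- "$baseline"
}

# Typical use (as root, against the live system; paths are illustrative):
#   record_baseline / /var/lib/setuid-baseline.sha256 0
#   ... later, on a schedule or during triage ...
#   check_baseline /var/lib/setuid-baseline.sha256 || echo "investigate"
```

Where a package manager is available, `dpkg --verify` or `rpm -V` perform the same comparison against the recorded package checksums and will likewise read the cached pages, so they can serve as the baseline for distribution-provided setuid binaries. Neither approach proves the absence of tampering, because the evidence lives only in memory and disappears on eviction; the value is in catching a binary that changed while its package did not.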

An attack chain would begin with reconnaissance to identify a container running a vulnerable kernel and continue with the…
