CISA flags actively exploited ‘Copy Fail’ Linux kernel flaw enabling root takeover across major distros — unpatched systems may remain vulnerable to attack
Publish Date: 2026-05-04 10:36:00
Source Domain: www.tomshardware.com
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a newly disclosed Linux vulnerability, dubbed “Copy Fail,” to its Known Exploited Vulnerabilities catalog on May 1st, warning that the flaw, tracked as CVE-2026-31431, is already being used in active attacks and urging rapid patching across affected systems.
Tom’s Hardware Premium Roadmaps
(Image credit: Future)
Security researchers at Theori disclosed the flaw publicly last week, releasing a working proof-of-concept exploit alongside their findings. According to the team, the exploit is “100% reliable” and functions without modification across multiple major Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. That level of portability is unusual and lowers the barrier for attackers seeking to weaponize the bug.
Article continues below
You may like
At a technical level, the bug enables attackers to write controlled data into the kernel‘s page cache, a low-level memory structure, ultimately allowing privilege escalation. While the exploit requires local access, it still allows attackers to break out of standard user restrictions and gain full control of the system.
Compounding the risk, a discussion on the Openwall oss-security mailing list suggests that the vulnerability and the working exploit were publicly disclosed without prior coordination with Linux distribution maintainers. In typical responsible disclosure processes, vendors are given advance notice to prepare and distribute patches before technical details are made public.
In this case, however, maintainers indicated that no such heads-up was provided, leaving some distributions…
