{"id":242633,"date":"2026-05-04T07:28:00","date_gmt":"2026-05-04T11:28:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/04\/cisa-says-copy-fail-flaw-now-exploited-to-root-linux-systems\/"},"modified":"2026-05-09T19:15:57","modified_gmt":"2026-05-09T23:15:57","slug":"cisa-says-copy-fail-flaw-now-exploited-to-root-linux-systems","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/04\/cisa-says-copy-fail-flaw-now-exploited-to-root-linux-systems\/","title":{"rendered":"CISA says \u2018Copy Fail\u2019 flaw now exploited to root Linux systems"},"content":{"rendered":"<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-says-copy-fail-flaw-now-exploited-to-root-linux-systems\/\">CISA says \u2018Copy Fail\u2019 flaw now exploited to root Linux systems<\/a><\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-says-copy-fail-flaw-now-exploited-to-root-linux-systems\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-says-copy-fail-flaw-now-exploited-to-root-linux-systems\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-04 07:28:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.bleepingcomputer.com\">www.bleepingcomputer.com<\/a><\/p>\n<p style=\"text-align:center\">\n<p>CISA has warned that threat actors have started exploiting the\u00a0&#8220;Copy Fail&#8221; Linux security vulnerability in the wild, one day after\u00a0Theori researchers disclosed it and shared a proof-of-concept (PoC) exploit.<\/p>\n<p>Tracked as\u00a0CVE-2026-31431, this security flaw was found in the Linux kernel&#8217;s algif_aead cryptographic algorithm interface and enables unprivileged local users to gain root privileges on unpatched Linux systems by writing four controlled bytes to the page cache of any readable file.<\/p>\n<p>Theori researchers disclosed it on Thursday\u00a0and shared what they described as a\u00a0&#8220;100% reliable&#8221; Python-based exploit that can be used to root\u00a0Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 devices.<\/p>\n<p>However, they also added that the same script can be used reliably against any Linux distribution shipped since 2017 with a vulnerable kernel version.<\/p>\n<p>&#8220;Same script, four distributions, four root shells \u2014 in one take. The same exploit binary works unmodified on every Linux distribution,&#8221;\u00a0Theori said. &#8220;If your kernel was built between 2017 and the patch \u2014 which covers essentially every mainstream Linux distribution \u2014 you&#8217;re in scope.&#8221;<\/p>\n<p>While\u00a0major Linux distros\u00a0began pushing the fix via kernel updates, Tharros&#8217;\u00a0principal vulnerability analyst, Will Dormann,\u00a0noted on Thursday\u00a0that there were no &#8220;official updates&#8221; when Theori published its\u00a0advisory.<\/p>\n<p><img decoding=\"async\" alt=\"Getting root shell on four Linux distros\" height=\"497\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2026\/April\/rootshell.png\" width=\"664\"\/>Getting root shell on four Linux distros (Theori)<\/p>\n<p>On Friday, CISA\u00a0added\u00a0the Copy Fail security flaw to its\u00a0Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their Linux endpoints and servers within two weeks, by May 15, as mandated by\u00a0Binding Operational Directive (BOD) 22-01.<\/p>\n<p>&#8220;This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,&#8221; the U.S. cybersecurity agency warned.<\/p>\n<p>&#8220;Apply mitigations per vendor instructions, follow applicable BOD 22-01&#8230;<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-says-copy-fail-flaw-now-exploited-to-root-linux-systems\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA says \u2018Copy Fail\u2019 flaw now exploited to root Linux systems https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-says-copy-fail-flaw-now-exploited-to-root-linux-systems\/ Publish Date: 2026-05-04&#8230;<\/p>\n","protected":false},"author":1,"featured_media":242634,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2025\/10\/31\/Linux.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,31,89,71,57,79,27],"class_list":["post-242633","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-exploit","tag-flaw","tag-linux","tag-security","tag-ubuntu","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242633"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=242633"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242633\/revisions"}],"predecessor-version":[{"id":242635,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242633\/revisions\/242635"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/242634"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=242633"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=242633"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=242633"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}