CISA Warns: Linux Kernel 0-Day Vulnerability Exploited

Sarah Simpson
May 4, 2026

A critical Linux kernel zero-day vulnerability has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. CISA is warning federal agencies and organizations worldwide to patch immediately or discontinue use of affected systems.

Tracked as CVE-2026-31431 and dubbed “Copy Fail”, the flaw carries a CVSS score of 7.8 (High) and is classified under CWE-699 (Incorrect Resource Transfer Between Spheres).

The vulnerability resides in the algif_aead module of the Linux kernel’s AF_ALG cryptographic subsystem. Specifically, it is a logic bug in the authentication cryptographic template that causes improper memory handling during in-place operations.

What makes this flaw particularly alarming is its exploitability: a 732-byte Python script is all an unprivileged local user needs to reliably escalate privileges to root.

Nine-Year-Old Bug Hiding in Plain Sight

Despite being disclosed publicly on April 29, 2026, the vulnerability has roots stretching back nearly a decade.

It was introduced through three separate, individually harmless changes made to the Linux kernel in 2011, 2015, and 2017, none of which raised red flags independently.

The flaw affects every major Linux distribution running kernels built since 2017, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, SUSE 16, Debian, Fedora, and Arch Linux.

The attack chain exploits the interaction between the AF_ALG socket interface, the splice() system call, and improper error handling during a failed copy operation.

This results in a controlled 4-byte overwrite in the kernel page cache, allowing an attacker to corrupt setuid binaries and other sensitive kernel-managed data entirely within kernel space, bypassing traditional user-space protections.

Critically, exploitation requires no root privileges inside containers, no kernel modules, and no network access, making it a powerful post-exploitation tool in containerized environments, including Kubernetes clusters and Docker CI runners.

CISA added CVE-2026-31431 to its KEV catalog on May 1, 2026, with a mandatory remediation deadline of May 15, 2026, for all federal civilian agencies. Patches are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.

Organizations running Red Hat Enterprise Linux can apply configuration-level mitigations while patches are deployed.

CISA directs all organizations to apply vendor-issued mitigations immediately, follow BOD 22-01 guidance for cloud services, or discontinue use of unpatched systems.

Security teams are strongly urged to audit Linux kernel versions across cloud workloads, container environments, and on-premises infrastructure without delay, as active exploitation in the wild has already been confirmed.
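
As a starting point for that audit, the following added example (not code from CISA, the kernel project, or this article's sources) triages `uname -r` strings against the fixed upstream releases named above and checks whether `algif_aead` is loaded. The hostnames and release strings are constructed, and a version string alone cannot confirm a distribution backport, so older series are routed to the vendor advisory.

```python
import re

# Upstream fixed releases as stated in the article: 6.18.22, 6.19.12 and 7.0.
FIXED_PATCH = {(6, 18): 22, (6, 19): 12}
FIRST_FIXED_SERIES = (7, 0)
_REL = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def classify(release: str) -> str:
    """Map a `uname -r` string to a triage status for CVE-2026-31431."""
    m = _REL.match(release.strip())
    if not m or "-rc" in release:
        return "check-vendor-advisory"  # unparsable or pre-release build
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if (major, minor) >= FIRST_FIXED_SERIES:
        return "fixed-upstream"
    if (major, minor) in FIXED_PATCH:
        if patch >= FIXED_PATCH[(major, minor)]:
            return "fixed-upstream"
        return "below-upstream-fix"
    # Older series: the article lists no fixed version for them, and
    # distributions backport fixes without changing the base version.
    return "check-vendor-advisory"


def module_loaded(name: str = "algif_aead",
                  proc_modules: str = "/proc/modules") -> bool:
    """True if `name` is listed in a /proc/modules-format file.
    A module compiled into the kernel is not listed there."""
    try:
        with open(proc_modules) as fh:
            return any(line.split(" ", 1)[0] == name for line in fh)
    except OSError:
        return False  # file unreadable (for example, not a Linux host)


def audit(inventory: dict[str, str]) -> dict[str, str]:
    """Classify every host in a {hostname: kernel release} inventory."""
    return {host: classify(rel) for host, rel in inventory.items()}


# Constructed sample inventory (hostnames and releases are illustrative).
SAMPLE = {"ci-runner-01": "6.18.21-generic", "k8s-node-07": "6.19.12",
          "build-03": "7.0.1-arch1-1", "db-02": "5.14.0-570.el9.x86_64",
          "edge-11": "6.8.0-51-generic"}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:14} {SAMPLE[host]:26} {status}")
    print("algif_aead loaded on this host:", module_loaded())
```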

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
