Linux kernel flaw enables root privilege escalation
Updated · Microsoft · May 1
Tracked as CVE-2026-31431 or Copy Fail, it affects kernels released since 2017 across Ubuntu, Red Hat, SUSE, Amazon Linux, Debian, Fedora and Arch.
Microsoft said a working proof-of-concept exists, preliminary testing is under way, and CISA has added the bug to its Known Exploited Vulnerabilities catalogue.
The CVSS 7.8 flaw can let unprivileged users gain root, potentially enabling container escape, multi-tenant compromise and lateral movement, prompting urgent patching or AF_ALG blocking.
Copy Fail (CVE-2026-31431): A Critical Linux Kernel Privilege Escalation Exploit with 732-Byte Payload and Container Escape Risk
Overview
In late March 2026, Theori discovered the critical Copy Fail vulnerability in the Linux kernel using AI-assisted tools and responsibly notified the kernel team, which promptly issued a patch on April 1. However, a month-long gap before public disclosure on April 29 left many systems unpatched, exposing widespread Linux infrastructure to a severe local privilege escalation flaw. The flaw is a logic error in the cryptographic module that attackers can exploit to stealthily overwrite memory, gaining root access and escaping container isolation. Despite available patches, uneven deployment and detection challenges have made urgent mitigation essential, highlighting the need for faster updates, improved disclosure coordination, and stronger container security.