Threat actors exploit Copy Fail Linux kernel flaw for root shell access
Updated · SecurityWeek · May 4
CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities list on Friday, ordering US federal agencies to patch within two weeks after the bug’s 29 April disclosure.
The flaw, present in the kernel for nearly a decade and affecting Linux distributions shipped since 2017, enables local privilege escalation through the kernel's authencesn AEAD crypto template and can be used for container breakout and lateral movement.
Microsoft said exploitation seen so far is limited mainly to proof-of-concept testing, but warned a public exploit and the bug’s stealthy, cross-platform nature make cloud, CI/CD and Kubernetes environments especially exposed.
This Linux bug existed for nine years with minimal exploitation. Is the widespread alert an overreaction for a non-remote vulnerability?
Since the 'Copy Fail' exploit leaves no disk trace, how can organizations detect breaches in their cloud environments?
With AI now finding kernel bugs in hours, is the era of secure shared-kernel containers officially over?
"Unpatched Linux Kernel Flaw 'Copy Fail' Risks Root Access and Cloud Container Breakouts"
Overview
In 2017, a kernel developer introduced a logic flaw in the Linux kernel's cryptographic module, which remained unnoticed until March 2026 when the security firm Theori discovered it using AI-powered tools. After reporting the flaw, patches were committed and a CVE was assigned. Theori publicly disclosed the vulnerability with a reliable exploit, leading to confirmed active attacks within 24 hours. This flaw allows unprivileged users to escalate privileges and escape containers by corrupting the shared page cache, posing critical risks to cloud and multi-tenant environments. In response, organizations rapidly deployed patches, enforced kernel module blacklisting, and applied container runtime restrictions, while major cloud providers issued security advisories and detection tools to mitigate the threat.