Linux "Copy Fail" Vulnerability Threatens Servers Worldwide. Three Days to the Deadline

Just 732 bytes of Python code. That alone is enough to let an unprivileged user seize administrator (root) privileges on nearly every Linux server in the world, including Ubuntu, Red Hat, and Amazon Linux. That is the new vulnerability now public.

CVE-2026-31431, known as "Copy Fail." It is a bug in the cryptographic subsystem at the heart of the Linux kernel, and it affects essentially every Linux system shipped since 2017. The exposure cuts directly into cloud providers and container operators. On May 1, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) catalog and ordered federal civilian agencies to patch by May 15, 2026. As of today (May 12), three days remain.

According to Microsoft's report, exploitation attempts are already being observed. For almost any organization running Linux, this is a "act this week or risk it" situation.

What kind of vulnerability is Copy Fail

Copy Fail is a bug in the component of the Linux kernel that handles cryptographic operations.

A short explanation. Linux relies heavily on internal crypto operations for disk encryption (dm-crypt), IPsec traffic, and more. To enable that, the kernel exposes interfaces so applications can call cryptographic primitives, one of which is a socket-style interface called "AF_ALG." Think of the socket here as a communication channel from a program into kernel features.

The problem lives in an "in-place optimization" added to the crypto code in 2017. Normally the "source data" and "destination buffer" for a crypto operation must be different regions of memory, but for efficiency this optimization deliberately reuses the same memory for both. Combine that with the splice() system call (which moves portions of files between buffers), and an attacker can produce a controlled four-byte write into the kernel's in-memory cache of any readable file.

Four bytes does not sound like much, but it is plenty. Linux has setuid binaries like su and sudo that automatically run with root privileges. Tweaking the in-memory image of one of those binaries by just four bytes is enough to let an attacker execute arbitrary code as root.

What makes this nastier: the file on disk is never modified. The change only happens in the in-memory page cache. Standard forensic checks see the file as unmodified, which means the attack leaves few obvious traces.

Technical writeups are available from security firm Xint, Palo Alto Networks Unit 42, and Tenable.

Why every distribution is hit at once

Normally, Linux distributions, Ubuntu, Red Hat, Debian, SUSE, fork off into endless branches. The reason Copy Fail is described as "all distributions falling simultaneously" is that the bug lives inside the Linux kernel itself.

The Linux kernel is the core OS software. Ubuntu, Red Hat Enterprise Linux, Amazon Linux—they all wrap their own bodywork around the same engine (the Linux kernel). If the engine cracks, it doesn't matter which body you bolted on.

Production servers, home servers, Kubernetes clusters, AWS EC2 instances, IoT devices, parts of Android—as we reported when desktop Linux finally crossed the 5% mark, Linux deployments keep growing every year. Copy Fail puts essentially all of them in range.

Unit 42 estimates "millions of systems" exposed. Microsoft puts it as "millions of Kubernetes clusters in scope."

A lineage of bugs that take every distribution down together

This is not the first time the Linux kernel has shipped a privilege escalation bug that hits every major distribution at once. Similar-shaped bugs come around periodically, and lining them up helps situate Copy Fail.

PwnKit (2022, CVE-2021-4034): a flaw in polkit's SUID binary. Every major distribution that shipped polkit allowed root.

Dirty Pipe (2022, CVE-2022-0847): pipe_buffer flag initialization missing. Hit every Linux kernel 5.8 and later, including Android phones.

Looney Tunables (2023, CVE-2023-4911): a buffer overflow in the dynamic linker of glibc, the standard C library. Direct hit on Fedora, Ubuntu, Debian, and other majors.

Copy Fail (2026, CVE-2026-31431): this bug.

Each of those four bugs sits in a different place: polkit's SUID binary, the kernel's pipe machinery, glibc's linker, and now the kernel crypto subsystem. The technical surface is entirely different each time, yet from an operator's perspective the impact is identical: "if you run Linux, nearly every server is exposed to root takeover." The response—patch fast, hunt for attackers, narrow the blast radius in the cloud—takes the same shape every time.

A bug of this type lands every two or three years. Copy Fail is the latest entry in that lineage. The decision framework in this article should still apply when the next one arrives.

What operators should do: a four-layer defense framework

Let's organize "what to get done by tomorrow." This is not a vulnerability you can shut off with a single switch, so we work through four layers.

Layer 1: Patch (highest priority)

On Ubuntu, the following picks up the fixed kernel package (Ubuntu's official announcement):

sudo apt update && sudo apt upgrade
sudo reboot

Red Hat, Amazon Linux, and SUSE have each shipped patches. Check each distribution's official advisory for vendor-specific patch information.

Layer 2: Interim mitigation if you cannot reboot immediately

Disabling the algif_aead kernel module closes the path the attack uses. Ubuntu ships a dedicated kmod package that disables it. Doing it manually, create the following file:

blacklist algif_aead
install algif_aead /bin/true

Caveat: in environments that rely heavily on crypto—disk encryption, IPsec VPNs—check dependencies before applying. Rolling this out cold in production may break adjacent services.

Layer 3: Reduce what unprivileged users can do

Cut off the precondition: "an unprivileged user can call kernel crypto." Depending on the server's role:

• Disable unprivileged user namespaces: sysctl kernel.unprivileged_userns_clone=0
• Restrict AF_ALG socket creation and keyctl via seccomp profiles for containers
• Limit which binaries can call socket(AF_ALG, ...) via AppArmor / SELinux

Layer 4: Monitor for "pre" and "post"

Unit 42 recommends two detection patterns:

• A non-root user launching su from a parent process that is not the normally expected one
• curl downloading something followed immediately by su (the typical pattern in the public PoC)

eBPF-based solutions (eBPF is an in-kernel observability and policy mechanism) can alert on the combined invocation of socket(AF_ALG, ...) and splice(). Microsoft Defender has already added Copy Fail-related activity to its detection set. If your organization runs EDR, confirm the signature update.

Why the impact widens in clouds and containers

There is a second reason Copy Fail is frightening: it bites into the way clouds and containers are built.

Container tech like Docker and Kubernetes run many containers sharing the host's Linux kernel. If an unprivileged user inside a container uses Copy Fail, the chain works like this:

1. Gain root inside the container (still confined to the container)
2. Because the kernel is shared with the host, write into the host's page cache
3. Corrupt a privileged binary on the host and escape the container into the host OS

That is a "container breakout." Microsoft describes "millions of Kubernetes clusters in scope."

On the cloud side, multi-tenant environments where multiple customers' workloads ride the same host face a real risk of lateral movement to neighboring tenants. Patching only runC or other container runtimes is not enough; the host kernel update is mandatory.

As we reported last month, seven Japanese manufacturers disclosed ransomware incidents in March alone. Attackers always need "the next tool after gaining initial access." After landing through an event like the cascading supply-chain compromise of Trivy, Copy Fail offers exactly that next step.

Discovery and disclosure timeline

Some context on public records. The original discoverer is Taeyang Lee of Korean security firm Theori, who identified the initial attack surface while studying the Linux kernel's crypto subsystem. The Xint Code Research Team extended that finding using AI-assisted analysis and identified Copy Fail—the most severe outcome—within about an hour.

The timeline:

• March 23, 2026: initial report to the Linux kernel security team
• April 1, 2026: patches committed to mainline
• April 29, 2026: Xint publishes the vulnerability
• May 1, 2026: CISA adds to KEV; federal civilian agencies must patch by May 15
• May 12, 2026 (today): three days remain to the KEV deadline; Microsoft Defender observes "pre-exploitation testing activity"

The kernel maintainers responded within 24 hours and committed fixes in nine days, a very fast turnaround. Two weeks have passed since public disclosure, the PoC is public, and the attacker side has had plenty of time to prepare.

Three days left: what server operators should do

Three days remain until the May 15 KEV deadline. Federal agencies are not the only ones who should treat it that way—if you run Linux servers, the same urgency applies.

The priority: first, inventory which Ubuntu / Red Hat / Amazon Linux / SUSE / Debian / Fedora versions you have in scope. Then split servers into "patch right now" and "depends on other services, patch carefully." For the latter, buying time with the algif_aead disable is reasonable. For Kubernetes clusters, host-kernel updates are mandatory; plan the rolling update today.

Vulnerabilities like Copy Fail do not magically disappear after May 15. Servers that remain unpatched—IoT devices, aging on-prem boxes, internal servers whose owners are gone—will stay in attackers' sights for years. As we previously analyzed with Hello Work's core system that has become "untouchable," the same structure sits inside many private-sector systems too.

When the next "every-distro privilege escalation" bug arrives, reuse the four-layer framework from this article—patch / module disable / reduce unprivileged user power / step up monitoring. The runbook you build for Copy Fail should still work for the next PwnKit-class issue.

References

• ▸ Microsoft Security Blog - CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments (May 1, 2026)
• ▸ Palo Alto Networks Unit 42 - Copy Fail: What You Need to Know
• ▸ Xint - Copy Fail: 732 Bytes to Root on Every Major Linux Distribution (April 29, 2026)
• ▸ Tenable - Copy Fail (CVE-2026-31431): FAQ
• ▸ Ubuntu Blog - Fixes available for CVE-2026-31431 (Copy Fail)
• ▸ CISA - Known Exploited Vulnerabilities Catalog
• ▸ CERT-EU - High Vulnerability in the Linux Kernel ("Copy Fail")
• ▸ NVD - CVE-2026-31431