Critical Linux flaw "CopyFail" is being actively exploited — federal agencies have until May 15 to patch
A critical Linux kernel vulnerability called CopyFail is under active exploitation, and US federal agencies have a hard deadline of May 15 to apply fixes. The flaw affects the vast majority of Linux systems built since 2017 — including Ubuntu, Red Hat Enterprise Linux, Amazon Linux, and SUSE — and gives an attacker full root control over a compromised machine. For anyone running Linux servers, cloud workloads, or containerized infrastructure, this one demands immediate attention.
The flaw
Tracked as CVE-2026-31431, CopyFail lives in a kernel component called `algif_aead`, part of the Linux cryptography API. A logic error in how the module handles data copying lets an unprivileged local user escalate to root with a 732-byte exploit — small enough to be trivially portable across distributions. Researchers at Theori confirmed the vulnerability on RHEL 10.1, Ubuntu 24.04 LTS, Amazon Linux 2023, SUSE 16, Debian, Fedora, and Kubernetes environments. The CVSS severity score is 7.8 (high).
The upstream kernel fix was committed on April 1, 2026. Vendor patches are rolling out, but adoption is uneven — meaning a large portion of production systems remain exposed right now.
The container risk
The attack goes beyond a single machine. In shared cloud environments — AWS, Azure, GCP — CopyFail can break container isolation entirely. The kernel's shared page cache lets a malicious container escape to the host and potentially compromise neighboring workloads in multi-tenant setups. The Microsoft Defender Report details the container-escape chain and offers detection guidance for enterprise teams.
Kubernetes nodes and CI/CD pipeline runners are at particularly high risk because they typically share kernel resources across multiple workloads.
The deadline
CISA added CopyFail to its CISA KEV Catalog on May 1, confirming active exploitation in the wild. Under Binding Operational Directive 22-01, all federal civilian agencies must remediate by May 15, 2026. Private-sector organizations aren't bound by that directive, but the KEV listing is a reliable signal that the threat is real and already being weaponized.
The fix is straightforward: apply the latest kernel update from your distro's vendor. If patches aren't yet available for your distribution, CERT-EU recommends prioritizing Kubernetes nodes and CI/CD runners for interim mitigation steps while you wait. Check your vendor's security advisory page — most major distros have either shipped or are days away from shipping the updated kernel packages.
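One way to inventory a fleet before the patches land, as an added example and not code from the article or from any vendor: it reports whether the `algif_aead` component is built in, loaded, or merely loadable on a host, and orders the work the way the article suggests. It assumes that any host carrying the component should be scheduled for the vendor kernel update, and the workload labels it uses for prioritization are its own convention.

```shell
#!/bin/sh
# Added triage helper; not code from the article or from any vendor.
# Assumption: a host on which algif_aead is built in, loaded, or loadable
# needs the vendor kernel update. Whether the installed kernel already
# carries the fix is confirmed against the distro advisory, not inferred
# here from a version string.

# algif_aead_state MODULES_FILE BUILTIN_FILE MODDIR
#   MODULES_FILE: /proc/modules-style list of loaded modules
#   BUILTIN_FILE: modules.builtin for the running kernel
#   MODDIR:       module tree searched for a loadable algif_aead.ko*
# Prints exactly one of: builtin loaded loadable absent
algif_aead_state() {
    modules_file=$1; builtin_file=$2; moddir=$3
    if [ -r "$builtin_file" ] && grep -q '/algif_aead\.ko' "$builtin_file"; then
        echo builtin; return 0
    fi
    if [ -r "$modules_file" ] && grep -q '^algif_aead ' "$modules_file"; then
        echo loaded; return 0
    fi
    if [ -d "$moddir" ] && find "$moddir" -name 'algif_aead.ko*' 2>/dev/null | grep -q .; then
        echo loadable; return 0
    fi
    echo absent
}

# triage_priority STATE WORKLOAD
# Orders patch work as the article suggests: Kubernetes nodes and CI/CD
# runners first, other hosts carrying the component next, hosts without
# it last. The workload labels (k8s-node, ci-runner) are this script's
# own convention, assigned per host by whoever runs the inventory.
triage_priority() {
    state=$1; workload=$2
    if [ "$state" = absent ]; then echo none; return 0; fi
    case "$workload" in
        k8s-node|ci-runner) echo urgent ;;
        *)                  echo high ;;
    esac
}

# One report line for the host this runs on; WORKLOAD defaults to "other".
release=$(uname -r)
state=$(algif_aead_state /proc/modules \
    "/lib/modules/$release/modules.builtin" "/lib/modules/$release")
printf '%s kernel=%s algif_aead=%s priority=%s\n' "$(uname -n)" "$release" \
    "$state" "$(triage_priority "$state" "${WORKLOAD:-other}")"
```

Run it with `WORKLOAD=k8s-node sh triage.sh` on each host and collect the single output line per machine; a "loaded" or "builtin" result on an urgent host is the one to patch first.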