The U.S. agency CISA has confirmed that malicious actors are already exploiting in the wild the flaw known as Copy Fail (CVE-2026-31431), just a day after Theori researchers published the vulnerability and shared a proof-of-concept exploit. This speed, public disclosure followed by active exploitation, makes the vulnerability an immediate priority for security teams and system administrators.
Copy Fail affects the Linux kernel's algif_aead cryptographic interface and allows an unprivileged local user to escalate to root privileges by writing just four controlled bytes into the page cache of any readable file. The exploit published by Theori works unmodified on several modern distributions and, according to Theori's tests, is reliable on kernels built from 2017 up to the patch, which puts a large share of servers and endpoints at risk. Vulnerability tracking in the Debian repository is available at security-tracker.debian.org, and Theori's write-up at copy.fail.

The official response has been fast: CISA added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and, under the KEV policy and Binding Operational Directive BOD 22-01, ordered U.S. federal agencies to apply patches within two weeks. Although this mandate applies only to the federal sector, CISA and the security community recommend that all organizations prioritize this fix, given the real possibility of obtaining root shells on exposed servers or on systems with malicious local users.
To mitigate the risk immediately, update the kernel and your distribution's packages following the vendor's instructions; test the deployment first and, where feasible, reboot so that the new kernel takes effect. If the patch cannot be applied right away, reduce the attack surface by limiting local access: review accounts, remove unnecessary access, and apply enforcement and integrity-control policies. It is also recommended to enable or tighten mandatory access controls such as SELinux or AppArmor and to log privilege elevations and suspicious local logins in detail.
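The first step of that procedure is knowing which hosts run a vulnerable kernel and which have the fixed package installed but have not yet rebooted. The following triage script is an added example, not code from the article or from Theori; the inventory and the fixed versions in it are constructed placeholders, since the article does not give the patched kernel versions. Note the caveat it encodes: distributions backport fixes without changing the upstream version number, so the comparison must be against the package version named in your vendor's advisory, and any series without a known fixed version is marked for manual review rather than assumed safe (the article states kernels since 2017 are affected).

```python
import re
from typing import Dict, List, Tuple

# Constructed inventory, not real hosts: (hostname, running `uname -r`, newest installed kernel).
INVENTORY = [
    ("web-01",   "5.15.0-118-generic", "5.15.0-118-generic"),
    ("web-02",   "5.15.0-126-generic", "5.15.0-126-generic"),
    ("db-01",    "6.1.0-28-amd64",     "6.1.0-30-amd64"),
    ("build-01", "4.19.0-27-amd64",    "4.19.0-27-amd64"),
]

# PLACEHOLDER values: take the fixed package version per kernel series from your
# distribution's advisory for CVE-2026-31431. The article does not provide them.
FIXED_BY_SERIES: Dict[Tuple[int, int], str] = {
    (5, 15): "5.15.0-126-generic",
    (6, 1):  "6.1.0-30-amd64",
}


def parse_release(release: str) -> Tuple[int, ...]:
    """Turn '5.15.0-126-generic' into a comparable tuple (5, 15, 0, 126).

    The trailing flavour ('-generic', '-amd64', ...) is ignored; a missing
    distribution build number is treated as 0.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def triage(inventory, fixed_by_series) -> List[Tuple[str, str, str, str]]:
    """Classify each host as one of:
      patched         running kernel is at or above the fixed version
      reboot-pending  fixed kernel is installed but the old one is still running
      needs-patch     no fixed kernel installed
      review          no fixed version known for this series: check manually
    """
    results = []
    for host, running, installed in inventory:
        run_v, inst_v = parse_release(running), parse_release(installed)
        fixed = fixed_by_series.get(run_v[:2])
        if fixed is None:
            status = "review"
        elif run_v >= parse_release(fixed):
            status = "patched"
        elif inst_v >= parse_release(fixed):
            status = "reboot-pending"
        else:
            status = "needs-patch"
        results.append((host, running, installed, status))
    return results


if __name__ == "__main__":
    for host, running, installed, status in triage(INVENTORY, FIXED_BY_SERIES):
        print(f"{host:10} running={running:20} installed={installed:20} {status}")
```

In a real deployment the inventory would be fed from `uname -r` and the package manager on each host (for example, via your configuration-management tool); the "reboot-pending" state is the one most often missed, because a package upgrade alone does not replace the running kernel.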

Detecting prior or active exploitation means looking for indicators of abnormal activity: unexpected processes running as UID 0, interactive shells started by non-administrative accounts, new binaries in /tmp or /var, and kernel log entries related to the cryptographic subsystems or page faults. Audit the history of sudo, auth.log and dmesg, and have containment procedures ready that include isolating compromised hosts, forensic analysis and restoring from trusted images if an intrusion is confirmed.
This incident again shows how quickly a public PoC can turn into a real exploitation campaign, and the need for an agile patching cycle. Organizations with sensitive deployments or multi-user environments should treat fixing CVE-2026-31431 as a top priority and also review recent lessons, such as the earlier fix for privilege escalation vulnerabilities in Linux (e.g., CVE-2026-41651), to improve internal vulnerability management processes and response times.
In short, act now: identify systems running a vulnerable kernel, apply patches and reboot as your vendor recommends, temporarily reduce local access, and monitor for signs of compromise. Exposure is widespread and exploitation is under way; delaying action increases the risk of serious incidents and root-level compromises.
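Three of the indicators named above (root elevations by non-administrative accounts in auth.log, UID 0 processes in an unexpected place in the process tree, and fresh executables under /tmp or /var) can be checked with simple host-side logic. The script below is an added example written for this article, not a tool from Theori or the article's author; the log lines, process table and file list are constructed samples, and the set of administrative accounts and of setuid helpers are assumptions you would adapt to your environment. The process check encodes one shape a kernel local privilege escalation tends to leave behind: a uid 0 process whose parent is an unprivileged user's process and that is not a setuid helper such as sudo or su.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Assumptions for this example: accounts allowed to become root, shell names,
# and setuid helpers that legitimately run as uid 0 directly under a user's shell.
ADMIN_ACCOUNTS = {"opsadmin"}
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "fish"}
SETUID_HELPERS = {"sudo", "su", "passwd", "pkexec", "doas"}

# Constructed auth.log lines (syslog format used by sudo and pam_unix).
AUTH_LINES = [
    "Apr 10 09:12:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "Apr 10 09:13:45 host su: (to root) bob on pts/1",
    "Apr 10 09:13:45 host su: pam_unix(su:session): session opened for user root(uid=0) by bob(uid=1002)",
    "Apr 10 09:15:02 host sudo:    opsadmin : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl",
]

# Constructed process table (what you would read from /proc or `ps -eo pid,ppid,uid,comm`).
PROCS: List[Dict] = [
    {"pid": 1,    "ppid": 0,    "uid": 0,    "comm": "systemd"},
    {"pid": 1200, "ppid": 1,    "uid": 0,    "comm": "sshd"},
    {"pid": 1300, "ppid": 1200, "uid": 1001, "comm": "bash"},  # alice's login shell
    {"pid": 1310, "ppid": 1300, "uid": 0,    "comm": "sudo"},  # setuid helper: expected
    {"pid": 1311, "ppid": 1310, "uid": 0,    "comm": "bash"},  # shell under sudo: parent is root
    {"pid": 1400, "ppid": 1300, "uid": 0,    "comm": "bash"},  # root shell hanging off alice's shell
]

# Constructed file records: path, mode bits, mtime as epoch seconds.
NOW = 1_800_000_000
FILES = [
    {"path": "/tmp/.cache/build", "mode": 0o755, "mtime": NOW - 600},
    {"path": "/var/log/syslog",   "mode": 0o640, "mtime": NOW - 10},
    {"path": "/var/tmp/old-tool", "mode": 0o755, "mtime": NOW - 10 * 86400},
    {"path": "/usr/bin/ls",       "mode": 0o755, "mtime": NOW - 100},
]

SUDO_RE = re.compile(r"sudo:\s+(?P<actor>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>\S+)")
SESSION_RE = re.compile(r"session opened for user root(?:\(uid=\d+\))? by (?P<actor>\w+)")


def suspicious_auth_events(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (actor, reason) for every root elevation by a non-admin account."""
    findings = []
    for line in lines:
        m = SUDO_RE.search(line)
        if m and m["target"] == "root" and m["actor"] not in ADMIN_ACCOUNTS:
            kind = "shell" if m["cmd"].rsplit("/", 1)[-1] in SHELLS else "command"
            findings.append((m["actor"], f"sudo {kind} {m['cmd']} by non-admin account"))
            continue
        m = SESSION_RE.search(line)
        if m and m["actor"] not in ADMIN_ACCOUNTS:
            findings.append((m["actor"], "root session opened for non-admin account"))
    return findings


def unexpected_root_processes(procs: List[Dict]) -> List[int]:
    """PIDs running as uid 0 whose parent is unprivileged and that are not a setuid helper."""
    by_pid = {p["pid"]: p for p in procs}
    flagged = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if p["uid"] == 0 and parent and parent["uid"] != 0 and p["comm"] not in SETUID_HELPERS:
            flagged.append(p["pid"])
    return flagged


def recent_executables(files: List[Dict], now: int, window_secs: int = 86400) -> List[str]:
    """Executable files under /tmp or /var modified within the window."""
    return [
        f["path"] for f in files
        if f["path"].startswith(("/tmp/", "/var/"))
        and f["mode"] & 0o111
        and now - f["mtime"] <= window_secs
    ]


if __name__ == "__main__":
    for actor, reason in suspicious_auth_events(AUTH_LINES):
        print(f"auth:  {actor}: {reason}")
    for pid in unexpected_root_processes(PROCS):
        print(f"proc:  unexpected uid 0 process pid={pid}")
    for path in recent_executables(FILES, NOW):
        print(f"file:  recent executable {path}")
```

Each finding is a lead for a human, not proof of compromise: a legitimate administrator who is missing from ADMIN_ACCOUNTS, or a build job writing binaries under /var, will show up too, so tune the allowlists against a known-good baseline before relying on the output.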