
Copy Fail Is 732 Bytes to Root on Every Linux Kernel Shipped Since 2017. CISA's Federal Deadline Is Tomorrow. The AF_ALG Crypto Socket Is the Door.

  • Writer: Patrick Duggan

CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog on May 1. The federal civilian patch deadline is May 15. That is tomorrow.


The vulnerability has a name that does almost all the work: Copy Fail. The technical mechanism is a use-after-free-style bug in the Linux kernel's AF_ALG cryptographic socket subsystem, specifically the algif_aead module that gives userspace processes access to the kernel's crypto API. An in-place optimization shipped in 2017 mishandles the error path when a splice() syscall fails partway through copying data. The page cache ends up holding a reference to memory the caller has already freed. From that primitive, an unprivileged local user walks to root.


The public proof-of-concept is 732 bytes of Python. Go and Rust ports have already shown up in open-source repositories. CVSS 7.8, attack vector local, privileges required none, user interaction none. Linux kernels released continuously from 2017 through April 2026 are affected. Patched mainline versions are 6.18.22, 6.19.12, and 7.0.


The distribution coverage is what makes this one a Tuesday-afternoon problem instead of a vendor-specific patch cycle. Ubuntu 24.04 LTS. Amazon Linux 2023. Red Hat Enterprise Linux 10.1. SUSE 16. Debian, Fedora, Arch. The bug is not in a third-party driver or a specific distribution's kernel patch series. It is in the mainline kernel that every major Linux distro inherits.


The reason this matters beyond a routine privilege escalation is the container surface. Docker, LXC, containerd, and Kubernetes all share the host kernel by design. The AF_ALG subsystem is reachable from inside a container in the default configuration. When the page cache that holds the leaked memory reference is shared across the host and every container on that host — which it is — exploitation in one container reaches across to compromise other containers and the host itself. The vulnerability is documented as enabling container escape and cross-container impact in the same exploitation primitive that gets you root locally.


Microsoft Defender XDR ships four signatures for this CVE family. Exploit:Linux/CopyFailExpDl.A catches the downloader behavior. Exploit:Python/CopyFail.A catches the original 732-byte Python implementation. Exploit:Linux/CVE-2026-31431.A is the specific CVE detection. Behavior:Linux/CVE-2026-31431 is the runtime behavior detection. If you run Defender for Endpoint on Linux, those are the labels you want surfaced in your alerts. If you do not, the behavioral indicator that matters is AF_ALG socket creation paired with splice() syscalls — both of which are extremely rare in normal application traffic. eBPF detections built around tracepoint:syscalls:sys_enter_socket filtered for AF_ALG (38) families plus a follow-on splice() are the cheapest custom signal.
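The same pairing the post describes for eBPF, written here as an added example (not from the post or from Microsoft's signatures) over auditd SYSCALL records instead, for hosts that already ship audit logs: a process is flagged only when it creates an AF_ALG socket and then calls splice(). It assumes x86_64 syscall numbers (socket is 41, splice is 275), auditd's hex encoding of a0 (AF_ALG 38 appears as a0=26), audit rules on both syscalls, and a constructed four-line sample log.

```shell
#!/bin/sh
# Added example, not from the original post. Correlates auditd SYSCALL records:
# a pid that opened an AF_ALG socket and later issued splice() is reported once.
# Assumptions: x86_64 (socket = syscall 41, splice = syscall 275), auditd logs a0 in
# hex so AF_ALG (38) shows as a0=26, and rules like these are loaded:
#   -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg
#   -a always,exit -F arch=b64 -S splice -k af_alg

# detect_af_alg_splice LOGTEXT -> prints "PID COMM" per process that did both, in
# that order. AF_ALG alone or splice() alone produces no output.
detect_af_alg_splice() {
    printf '%s\n' "$1" | awk '
        /^type=SYSCALL/ {
            pid = ""; sc = ""; a0 = ""; comm = ""
            for (i = 1; i <= NF; i++) {
                n = index($i, "="); if (n == 0) continue
                k = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (k == "pid") pid = val
                else if (k == "syscall") sc = val
                else if (k == "a0") a0 = val
                else if (k == "comm") { gsub(/"/, "", val); comm = val }
            }
            if (sc == "41" && a0 == "26") alg[pid] = comm            # AF_ALG socket
            else if (sc == "275" && (pid in alg) && !(pid in hit)) {  # splice, same pid
                hit[pid] = 1
                print pid, alg[pid]
            }
        }'
}

# Constructed sample (fields trimmed for width): pid 4121 does socket(AF_ALG) then
# splice(); pid 880 opens AF_ALG but never splices; pid 2210 splices without AF_ALG.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1715700000.101:201): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=4100 pid=4121 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3.12" key="af_alg"
type=SYSCALL msg=audit(1715700000.102:202): arch=c000003e syscall=41 success=yes exit=7 a0=26 a1=5 a2=0 a3=0 ppid=1 pid=880 auid=4294967295 uid=0 comm="keyhelper" exe="/usr/local/bin/keyhelper" key="af_alg"
type=SYSCALL msg=audit(1715700000.103:203): arch=c000003e syscall=275 success=yes exit=65536 a0=9 a1=0 a2=5 a3=0 ppid=1 pid=2210 auid=4294967295 uid=33 comm="fileserver" exe="/usr/bin/fileserver" key="af_alg"
type=SYSCALL msg=audit(1715700000.104:204): arch=c000003e syscall=275 success=yes exit=4096 a0=3 a1=0 a2=5 a3=0 ppid=4100 pid=4121 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3.12" key="af_alg"'

detect_af_alg_splice "$SAMPLE_AUDIT"    # prints: 4121 python3
```

Feed it `ausearch -k af_alg --raw` output on a real host; a hit is a process to look at, not by itself proof of exploitation.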


Active exploitation evidence is what got this on the CISA KEV. Specific threat actor attribution is not public yet. The Microsoft analysis flags preliminary testing activity in the wild, which historically reads as the lead indicator for mass exploitation showing up within days. The 732-byte size of the PoC is significant — it is small enough to embed in almost any first-stage payload. Initial-access tooling that already gets shell on a Linux box will fold this in as a near-free upgrade to root.


We have zero prior coverage of this CVE across the DugganUSA archive. That is honest. The vulnerability landed publicly on May 1 from Microsoft Threat Intelligence research and a coordinated disclosure with the kernel maintainers. We are publishing this writeup now because the federal patch deadline is tomorrow and the container blast radius is large enough that customers running any flavor of Linux in production need to know about it before the weekend.


What to do this afternoon. Check your kernel version with uname -r across every host and node pool. If you are below 6.18.22, 6.19.12, or 7.0, you are exposed. Patch the kernel and reboot, which on a Kubernetes cluster means a controlled node-by-node cycle. If a reboot window is not available before the weekend, the partial mitigation is to disable AF_ALG by blacklisting the algif_aead module. Most production workloads do not use userspace crypto API access at all, so the operational impact of disabling it tends to be zero, but verify against your stack before you commit. seccomp profiles that deny socket(AF_ALG) inside containers also shut the door from the container side. Pod security policies and AppArmor profiles that restrict syscall access give you a defense-in-depth layer if you cannot patch the host kernel fast enough.
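The checklist above as a script, added here as an example (not the post's own tooling): it classifies a uname -r string against the three patched releases the post names and emits the two partial mitigations. One assumption to verify with your vendor's advisory: distribution kernels often backport fixes without changing the upstream version string, so "exposed" here means "confirm with the distro", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example, not from the original post. Version check against the patched
# releases named in the post (6.18.22, 6.19.12, 7.0) plus the two partial mitigations.
# Assumption: vendors may backport the fix under an older version string, so treat an
# "exposed" result as a prompt to check the distro advisory, not as a verdict.

# copyfail_kernel_patched VERSION -> exit 0 if at/above a patched release, 1 if exposed
copyfail_kernel_patched() {
    v=${1%%-*}; v=${v%%+*}              # "6.8.0-45-generic" -> "6.8.0"
    IFS=. read -r maj min pat <<EOF
$v
EOF
    pat=$(printf '%s' "${pat:-0}" | sed 's/[^0-9].*//'); pat=${pat:-0}
    case "${maj:-0}.${min:-0}" in
        6.18) [ "$pat" -ge 22 ] ;;
        6.19) [ "$pat" -ge 12 ] ;;
        *)    [ "${maj:-0}" -ge 7 ] ;;
    esac
}

# Partial mitigation 1: stop algif_aead loading, both on demand through its alias
# (blacklist) and by an explicit modprobe (install ... /bin/false). Write the output
# to /etc/modprobe.d/copyfail.conf and run `modprobe -r algif_aead` if it is already
# loaded. Check first that nothing on the host needs userspace AF_ALG.
copyfail_modprobe_conf() {
    printf 'blacklist algif_aead\ninstall algif_aead /bin/false\n'
}

# Partial mitigation 2: container-side seccomp rule in Docker-style profile JSON.
# socket() with domain AF_ALG (38, argument index 0) fails; other domains are untouched.
# Merge into your base profile and confirm in a test container that it takes effect.
copyfail_seccomp_rule() {
    cat <<'EOF'
{
  "names": ["socket"],
  "action": "SCMP_ACT_ERRNO",
  "args": [ { "index": 0, "value": 38, "op": "SCMP_CMP_EQ" } ]
}
EOF
}

# Report on this host
if copyfail_kernel_patched "$(uname -r)"; then
    echo "kernel $(uname -r): at or above a patched release"
else
    echo "kernel $(uname -r): exposed by version number, patch or mitigate"
fi
```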


The bigger pattern to notice. Copy Fail is the fourth Linux kernel privilege escalation since January 2026 to reach CISA KEV with a sub-three-week federal deadline. The cadence is increasing. The combination of public PoCs, language ports appearing within days, and active-exploitation evidence inside the same window is becoming the modal Linux CVE lifecycle. Container infrastructure that relies on host-kernel isolation as a security boundary has been on borrowed time for years. Each one of these CVEs is another receipt that the boundary is not as hard as the marketing slides suggest. The shift to gVisor, Kata Containers, Firecracker, or any other VM-level isolation primitive is not paranoid — it is rational risk management based on the empirical rate of kernel CVEs that defeat namespace-based container isolation.


Tomorrow is the federal deadline. The PoC is 732 bytes. The blast radius is most of the Linux-running internet. Patch the kernel.


Sources: Microsoft Security Blog CVE-2026-31431 writeup, May 1 2026. The Hacker News coverage of the CISA KEV addition, May 1 2026. CISA Known Exploited Vulnerabilities Catalog entry, May 1 2026.