{
"title": "CISA KEV: Linux “Copy Fail” CVE-2026-31431 Turns Kernel Bug Into Patch Deadline",
"content": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-31431, a Linux kernel local privilege escalation vulnerability known as “Copy Fail,” to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026. The addition triggers Binding Operational Directive (BOD) 22-01, which mandates that federal civilian agencies patch the flaw within a strict deadline. Evidence of active exploitation in the wild prompted the emergency listing, ranking the bug alongside the most dangerous zero-days of the year.

The KEV catalog, established under BOD 22-01 in November 2021, serves as a priority list for U.S. government IT teams. Vulnerabilities that land on this list must be remediated within set timeframes: 14 calendar days for high-risk, remotely exploitable flaws and up to 180 days for lower-severity local issues. In the case of Copy Fail, CISA classified the vulnerability as “high” severity due to its ease of exploitation and reported use in ongoing attacks, requiring patches to be applied by May 15, 2026. Agencies that fail to comply risk audit findings and potential enforcement actions.

A Clockwork Exploit: Understanding Copy Fail

CVE-2026-31431 manifests in the Linux kernel’s handling of user-space memory copy operations. Functions like copy_from_user, used extensively by drivers and system calls, are designed to safely copy data from user-controlled memory into kernel buffers. A missing or insufficient bounds check can allow an attacker to supply more data than expected, overwriting adjacent kernel memory. Once an attacker can write arbitrary data into critical kernel structures, gaining root privileges becomes a matter of crafting the right payload.

The “Copy Fail” moniker stems from this copy mechanism failing to validate sizes or target addresses. Unlike memory corruption bugs triggered by complex race conditions, this class of vulnerability often yields stable, reliable exploitation. Security researcher Alex Ionescu, who reviewed an early proof-of-concept, noted that “the bug requires only a few hundred lines of C to weaponize. Once you have a local shell, you can have root in under a second.” That speed makes it ideal for automated attacks.

The exact location of the flaw has not been publicly revealed to allow for safe patching, but kernel commit logs from the stable branches point to updates in the mm, io_uring, and certain filesystem code paths. This suggests that the vulnerability could be triggered through multiple system call chains. Distributions have released kernel patches incrementally, with Ubuntu shipping version 5.15.0-110 through its standard update mechanism, Fedora rolling out kernel 6.8.12, and Debian backporting the fix to its long-term supported kernels.

Active Exploitation and Real-World Fallout

Within days of the initial private disclosure on April 22, 2026, exploit code surfaced on cybercrime forums. By May 1, multiple threat intelligence firms had confirmed attacks against U.S. think tanks, European manufacturing companies, and cloud service providers. The attackers typically pair Copy Fail with a remote code execution bug—often in web applications or VPN appliances—to obtain initial local access, then escalate privileges to deploy ransomware or exfiltrate sensitive data.

In one incident observed by CrowdStrike, an attacker compromised a Jenkins CI/CD server via an unpatched plugin, landed as the jenkins user, and ran a Copy Fail exploit to immediately become root. The attacker then installed a coinminer and attempted to move laterally through the network. “This is the fastest privilege escalation chain we’ve seen since Dirty Pipe,” the firm’s report stated.

CISA’s decision to fast-track the vulnerability into the KEV catalog underscores the danger. “The evidence of active exploitation meets our threshold for immediate action,” said CISA Director Jen Easterly in a statement. “Federal agencies must treat this with the same urgency as a remote code execution vulnerability due to its role in complete system compromise.” The agency also published an advisory with IOCs, YARA rules, and Snort signatures to help defenders detect exploit attempts.

Broader Impact: From the Data Center to the Developer’s Desktop

Linux servers dominate cloud infrastructure, but the reach of Copy Fail extends to workstations running Linux directly or via virtualization. Windows users who rely on Windows Subsystem for Linux (WSL) are not immune. WSL2 runs a real Linux kernel inside a lightweight virtual machine. A privilege escalation inside a WSL distribution could grant elevated access within the Linux environment, and, though such cases are rare, it could enable container escapes or further exploitation if the WSL VM is misconfigured.

Microsoft acknowledged the risk and announced that an updated WSL2 kernel containing the fix would be delivered through the Windows Update channel as part of the May 2026 Patch Tuesday release. “We recommend that WSL users immediately run wsl --update or enable automatic updates to receive the patched kernel,” read a post on the Windows Command Line blog. Until then, users can reduce risk by not running untrusted