🚨 Active exploitation 🐧 Linux

Copy Fail — Linux CVE-2026-31431: Root Access in 732 Bytes, Active Exploitation Confirmed by CISA

📅 4 May 2026 ⏱️ 5 min de lecture 🚨 Active exploitation — CISA KEV

A Python script of just 732 bytes is enough to get root on almost every Linux server since 2017. The Copy Fail flaw (CVE-2026-31431) was discovered on 29 April 2026 by an AI and has just been added by CISA to its catalogue of actively exploited vulnerabilities. Debian, Ubuntu, RHEL, SUSE, Amazon Linux — all affected. Here's what you need to do right now.

732

Octets — taille du script d'exploitation Python

7.8/10

Score CVSS — Sévérité Haute

9 ans

La faille dormait dans le code depuis 2017

🐧 What is Copy Fail?

Copy Fail is a local privilege escalation flaw in the Linux kernel. In plain terms: any normal user on a Linux system can, within seconds, become root — the all-powerful user who controls the entire system.

The flaw is in the Linux kernel's cryptographic subsystem, specifically in the authencesn module. It was introduced in August 2017 during a code optimisation, and nobody noticed it for nearly 9 years — until an AI security tool called Xint Code found it in one hour.

🚨 What makes Copy Fail particularly dangerous

100% reliable — no precise timing, no race condition. The same script works unchanged across all tested distributions
No external dependencies — only standard Python libraries available everywhere
Undetectable — the exploit writes nothing to disk, only modifying the kernel memory cache
Breaks container isolation — Docker, Kubernetes, LXC are all vulnerable
Active exploitation confirmed — CISA added CVE-2026-31431 to its KEV catalogue on 3 May 2026

🖥️ How it works (simply)

Without going into technical details, here's what the exploit does in 4 steps:

Step 1: Opens a connection to the kernel's cryptographic interface via AF_ALG
Step 2: Exploits the flaw to write 4 controlled bytes into the memory cache of /usr/bin/su
Step 3: Replaces the binary in memory without ever touching disk — antivirus sees nothing
Step 4: Runs su — and gets a full root shell

# Result of the exploit on unpatched Ubuntu 22.04
$ id
uid=1000(user) gid=1000(user)  ← normal user

$ python3 copy_fail_exp.py
[+] Flaw exploited successfully

$ id
uid=0(root) gid=1000(user)  ← root obtained!

📋 Which distributions are affected?

❌ Ubuntu 22.04 LTS (unpatched)

❌ Ubuntu 24.04 LTS (unpatched)

❌ Debian 12 (unpatched)

❌ RHEL 10.1 (unpatched)

❌ Amazon Linux 2023 (unpatched)

❌ SUSE 16 (unpatched)

✅ Ubuntu (update available)

✅ Debian (patch released)

Any Linux kernel built between 2017 and the April 2026 patch is vulnerable — that's almost every Linux server in production.

✅ How to protect yourself now

✅ Solution 1 — Update the kernel (recommended)

Ubuntu/Debian: sudo apt update && sudo apt full-upgrade then reboot
RHEL/Rocky/AlmaLinux: sudo dnf update kernel then reboot
SUSE: sudo zypper update then reboot
Fixed versions: kernels 6.18.22, 6.19.12, 7.0 and distro backports

⚠️ Solution 2 — Immediate mitigation if you cannot reboot

Disable the vulnerable module: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
This disabling does not affect most applications (not LUKS, not SSH)
US federal agencies have until 15 May 2026 to patch

🤔 What about home users?

If you don't use Linux on your personal computer, you're not directly affected. But this flaw impacts:

Synology/QNAP NAS devices — often running Linux
Raspberry Pi and home mini-servers
Web servers hosting websites — including ones you might visit
Android devices — based on the Linux kernel

💡 What this reveals about cybersecurity in 2026

An AI found this flaw in 1 hour — not a human in 9 years
AI accelerates vulnerability discovery in both directions — for defenders AND attackers
Automatic updates are more important than ever — enable them on all your devices

Is your NAS or server vulnerable?

Describe your setup to CyberGuard — it'll guide you through checking and fixing it.

🤖 Talk to CyberGuard →

📖 Complete guide — Protect Your Family Online

30 pages · Updates, scams, passwords · Instant download

Buy $6.90 →

📖 Related articles