Linux "Copy Fail" CVE-2026-31431 Added to CISA KEV — Every Kernel Since 2017 Affected
CISA has added CVE-2026-31431 — dubbed "Copy Fail" — to its Known Exploited Vulnerabilities catalog after confirming active exploitation of a Linux kernel privilege escalation flaw that affects every distribution running kernels released since 2017, allowing any unprivileged local user to gain root.
WASHINGTON, D.C. — CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog on May 1, 2026, confirming active exploitation of a Linux kernel local privilege escalation vulnerability affecting the authencesn cryptographic template in kernels released since 2017. Dubbed "Copy Fail" by researchers at Xint.io and Theori who discovered the flaw, the vulnerability allows an unprivileged local attacker to gain root permissions on any unpatched Linux system. The flaw is present across all major Linux distributions — Debian, Ubuntu, Red Hat, Fedora, SUSE, and their derivatives — and affects any kernel from 4.9 through the unpatched versions of 6.x. With CISA's KEV addition, federal civilian executive branch agencies are required to patch by the applicable remediation deadline.
Vulnerability Profile
What Copy Fail Does and Why It Matters
CVE-2026-31431 is a local privilege escalation — it does not enable remote code execution directly, but it dramatically amplifies the impact of any initial access. An attacker who gains low-privileged access to a Linux system through phishing, web application exploitation, stolen credentials, or supply chain compromise can use Copy Fail to immediately escalate to root, gaining full control of the system. The flaw is in the authencesn module — a cryptographic authentication and encryption module used by the Linux kernel's networking stack. An incorrect resource transfer between security spheres in this module allows a local attacker to manipulate kernel memory in a way that results in privilege escalation. Because authencesn has been present in the Linux kernel since 2017, the vulnerability spans nine years of kernel releases across every major distribution.
The Local Privilege Escalation Threat Model in 2026
Local privilege escalation vulnerabilities are sometimes dismissed as lower severity than remote code execution — they require an existing foothold. In 2026, that framing understates the actual risk. Modern attack chains routinely combine an initial access vector (phishing, web app RCE, supply chain compromise, stolen credentials) with a privilege escalation step to achieve full system control. Copy Fail is a reliable, publicly exploited privilege escalation step that works across essentially every Linux distribution in production today. For organizations running Linux in cloud environments, containers, or CI/CD infrastructure, an attacker who gains any foothold and can use Copy Fail achieves root — and root in many cloud environments enables credential theft, lateral movement, and infrastructure control far beyond the initial compromised host. The earlier Pack2TheRoot Linux LPE coverage provides additional context on cross-distribution privilege escalation risks.
What to do now
Apply the latest kernel updates from your Linux distribution immediately — all major distributions have released patched kernel versions. For Debian and Ubuntu users, run apt update && apt upgrade. For Red Hat and Fedora, run dnf update kernel. After patching, reboot the system to load the new kernel — the patch is not effective until the updated kernel is running. If immediate patching is not possible, assess whether authencesn can be disabled in your environment via kernel module blacklisting — consult your distribution's security advisory for environment-specific guidance. Private sector organizations should treat the CISA KEV deadline as their own target date given confirmed active exploitation.
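The checks below are an added example, not part of the original article or any vendor advisory: they confirm that the newest installed kernel is the one actually running and report whether authencesn is loaded, built in, or blocked by a modprobe.d rule. The file locations and the rule forms matched are assumptions about a typical distribution layout; no patched version number is assumed.

```shell
#!/bin/sh
# Added example: post-patch checks for the remediation steps above.
# Paths are assumptions about a typical distribution layout.

# newest_kernel: read kernel release strings on stdin, print the highest.
newest_kernel() { sort -V | tail -n 1; }

# reboot_pending RUNNING INSTALLED_LIST: succeed if a newer kernel is
# installed than the one running, i.e. the update is not yet in effect.
reboot_pending() {
    newest=$(printf '%s\n' "$2" | newest_kernel)
    [ "$1" != "$newest" ]
}

# module_state NAME PROC_MODULES MODULES_BUILTIN: print loaded, builtin or absent.
module_state() {
    if awk -v m="$1" '$1 == m { f = 1 } END { exit !f }' "$2" 2>/dev/null; then
        echo loaded
    elif grep -q "/$1\.ko" "$3" 2>/dev/null; then
        echo builtin   # compiled into the kernel: modprobe.d rules have no effect
    else
        echo absent
    fi
}

# is_blocked NAME MODPROBE_DIR: succeed if a "blacklist NAME" or
# "install NAME /bin/false" (or /bin/true) rule exists in MODPROBE_DIR.
is_blocked() {
    grep -Eqs "^[[:space:]]*(blacklist[[:space:]]+$1|install[[:space:]]+$1[[:space:]]+/bin/(false|true))[[:space:]]*$" "$2"/*.conf
}

# report: run the checks against the local host.
report() {
    running=$(uname -r)
    installed=$(ls /lib/modules)
    if reboot_pending "$running" "$installed"; then
        echo "REBOOT NEEDED: running $running, newer kernel installed"
    fi
    echo "authencesn: $(module_state authencesn /proc/modules "/lib/modules/$running/modules.builtin")"
    if is_blocked authencesn /etc/modprobe.d; then
        echo "authencesn: blocked by a modprobe.d rule"
    fi
}

if [ "${1:-}" = report ]; then report; fi
```

Run it with the argument report on each host after updating. A module reported as builtin cannot be disabled through modprobe.d, so on those systems only the kernel update and reboot apply.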
The CyberSignal Analysis
Signal 01 — Nine Years of Affected Kernels Means Universal Exposure
The 2017 introduction date of the vulnerable authencesn code means Copy Fail affects every Linux system deployed in the last nine years that has not applied the patch. In enterprise environments, that includes servers running long-term support kernel versions, container base images pinned to older kernel versions, cloud instances with automatic updates disabled, and embedded Linux systems in network devices and OT equipment. The breadth of exposure makes this a systemic patching exercise, not a targeted remediation for a narrow deployment profile.
Signal 02 — LPE Plus Supply Chain Compromise Equals Full Infrastructure Takeover
The Mini Shai-Hulud supply chain campaign, active throughout April 2026, targeted developer machines and CI/CD pipelines. Copy Fail, active in the same window, provides reliable privilege escalation on any Linux system those compromised pipelines touch. The combination — supply chain compromise for initial access, Copy Fail for privilege escalation — represents a complete attack chain against Linux-based developer and cloud infrastructure that requires no zero-day and no sophisticated custom tooling. Security teams patching one without the other are leaving half the chain intact.
Signal 03 — CISA KEV Addition Reflects Confirmed Exploitation at Scale
CISA does not add vulnerabilities to the KEV catalog on theoretical risk — confirmation of active exploitation in the wild is required. The Copy Fail KEV addition means that exploitation was already observed and documented before May 1. Given the universal distribution exposure and the public availability of exploit code, the exploitation surface will expand rather than contract until the kernel update is universally applied across affected systems.