Copy Fail bug added to CISA’s list of known exploited vulnerabilities
May 4, 2026
By Steve Zurier

The Cybersecurity and Infrastructure Security Agency (CISA) on May 1 added the “Copy Fail” bug to its Known Exploited Vulnerabilities (KEV) catalog.

Security pros were concerned about CVE-2026-31431 when it was first reported last week because a single 732-byte Python script could obtain root privileges on essentially all Linux distributions shipped since 2017.

“With its addition to the KEV catalog, Copy Fail should be considered a ‘patch right now’ situation because the public exploit is reliable and works on almost all active Linux systems,” said David Brumley, chief AI and science officer at Bugcrowd.

Ryan McCurdy, vice president at Liquibase, said teams should consider Copy Fail a “patch-right-now” issue because it gives an attacker a fast path from local access to root across Linux systems many organizations rely on every day.

“CISA adding it to KEV tells us this is no longer theoretical,” said McCurdy. “What makes this one dangerous is the combination of broad reach and reliable exploitation across mainstream distributions. In environments like CI runners, container hosts, and shared Linux infrastructure, a single foothold can become full compromise very quickly.”

James Wickett, chief executive officer of DryRun Security, said it’s a big deal because there’s working exploit code and active use: it gives attackers a reliable path from low-privileged access to root on widely deployed Linux systems.

“It’s hard to think of places where Linux isn’t running, and modern environments are full of places where code gets processed or executed by design, whether that’s CI/CD pipelines, build systems, dev tools, or even some web backends,” said Wickett.
“If an attacker can run code within a container on a vulnerable host, this flaw can be used to gain root on the underlying node, effectively breaking the container boundary and exposing the host and other workloads. We’ve gotten comfortable treating containers as isolation, but they all depend on the same kernel, so when that layer fails, the blast radius expands quickly from a single process to the entire system.”

Chris Yule, senior director of threat intelligence at Sophos, pointed out that Copy Fail is a local privilege escalation (LPE) vulnerability, which means an attacker already needs authenticated access to the target system before they can exploit it.

“The risk is that someone with limited access could potentially elevate their privileges and take control of a system they are already able to log into,” said Yule. “That makes it important to patch, particularly on systems that are routinely accessed by untrusted or lower-privileged users. But this is not a ‘sky is falling’ scenario where every exposed system suddenly becomes vulnerable to anyone on the internet.”

Damon Small, a board member at Xcape, Inc., said the real danger isn’t just that Copy Fail grants root access; it’s the stealth and stability of the mechanism. Small explained that most kernel exploits involve “spraying” memory or winning high-speed race conditions that can crash the server if they fail.

“Copy Fail is deterministic,” said Small. “By abusing the algif_aead crypto module, an attacker can trick the kernel into writing four controlled bytes directly into the page cache — the system's shared memory for files.”

So by targeting a privileged binary like /usr/bin/su or /usr/bin/sudo in memory, Small said, an attacker can “flip the switch” on authentication logic. Because this happens entirely in RAM, Small said, the physical file on the disk remains unchanged, effectively blinding traditional file-integrity monitoring (FIM) and checksum-based defenses.
Small outlined three reasons why this is a “patch right now” situation:

The container escape primitive: In a Kubernetes or Docker environment, the kernel is shared. A single compromised container can use this flaw to “poison” the host’s page cache, granting the attacker root access to the underlying physical node and, by extension, every other container running on that machine.

Invisible to detection: Because the exploit leaves the physical disk untouched and requires no complex “ROP chains” or memory grooming, standard EDR tools often fail to flag the activity until the attacker has already achieved root persistence.

Broad applicability: This isn’t a niche bug. It affects virtually every mainstream Linux distribution shipped since 2017 (Ubuntu, Amazon Linux 2023, RHEL, and SUSE). If a system hasn’t been patched in the last 72 hours, it’s likely vulnerable.

“Organizations should prioritize patching public-facing servers, CI/CD runners, and multi-tenant cloud nodes immediately,” said Small. “If a reboot is not feasible during business hours, the algif_aead module should be disabled via modprobe -r as a stopgap measure to kill the primary attack vector.”
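The two things a defender would want to do with Small’s description, as an added example (my own shell script, not code from the article, CISA, or any distribution vendor): check whether algif_aead is present and loadable, compare the bytes the page cache serves for a set-uid binary against a cache-bypassing O_DIRECT read of the same file, and apply the modprobe -r stopgap together with a modprobe.d install rule so the module is not silently auto-loaded again. Assumptions that are mine, not the article’s: the filesystem honours O_DIRECT (tmpfs and some overlay mounts do not, and those files are reported as skipped rather than judged), the default binary list of /usr/bin/su and /usr/bin/sudo, and the file name /etc/modprobe.d/copyfail-stopgap.conf.

```shell
#!/bin/sh
# Added example, not code from the article, CISA, or any vendor.
# Assumptions (mine): the filesystem honours O_DIRECT (tmpfs and some
# overlay mounts do not; those are reported as "skip"), the module is
# named algif_aead, and the modprobe.d file name below is my choice.

# Report how algif_aead is present on this kernel.
# Prints "module", "builtin" or "absent"; exit status 0 when present.
algif_aead_state() {
    if [ -r /proc/modules ] && grep -q '^algif_aead ' /proc/modules; then
        echo module
        return 0
    fi
    # A built-in copy (CONFIG_CRYPTO_USER_API_AEAD=y) never appears in
    # /proc/modules; modules.builtin lists it, and modprobe -r cannot
    # remove it, so only a kernel update helps on such a host.
    if grep -qs 'algif_aead\.ko' "/lib/modules/$(uname -r)/modules.builtin"; then
        echo builtin
        return 0
    fi
    echo absent
    return 1
}

# Compare the bytes the page cache serves for a file with the bytes on disk.
# Returns 0 if identical, 1 if they differ (something altered the cached
# pages without writing the file), 2 if O_DIRECT reads are impossible here.
pagecache_matches_disk() {
    f=$1
    # An ordinary read is served from the page cache: this is what execve,
    # and any FIM agent doing a normal read, actually sees.
    cached=$(sha256sum < "$f" | cut -d' ' -f1)
    # iflag=direct opens with O_DIRECT, so the data comes from the block
    # device rather than the cached pages. Probe first so an unsupported
    # filesystem is reported instead of being hashed as an empty stream.
    dd if="$f" iflag=direct bs=4096 count=1 of=/dev/null 2>/dev/null || return 2
    ondisk=$(dd if="$f" iflag=direct bs=1M 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ "$cached" = "$ondisk" ] && return 0
    return 1
}

# Walk a list of binaries and flag any whose cached bytes differ from disk.
# Exit status 1 if at least one divergence was found, 0 otherwise.
audit_binaries() {
    found=0
    for b in "$@"; do
        [ -f "$b" ] || continue
        pagecache_matches_disk "$b" && r=0 || r=$?
        case $r in
            0) echo "ok         $b" ;;
            1) echo "DIVERGENT  $b  (page cache differs from disk: possible in-memory tamper)"
               found=1 ;;
            2) echo "skip       $b  (O_DIRECT not supported on this filesystem)" ;;
        esac
    done
    return $found
}

# The stopgap quoted in the article: unload the module now, then add a
# modprobe.d install rule so that binding an AF_ALG socket cannot pull it
# back in through request_module (a plain "blacklist" line does not stop
# that). Needs root; fails if the module is built in or still held open.
disable_algif_aead() {
    case $(algif_aead_state) in
        builtin) echo "algif_aead is built in; only a kernel update removes it" >&2; return 1 ;;
        module)  modprobe -r algif_aead || return 1 ;;
    esac
    printf 'install algif_aead /bin/false\n' > /etc/modprobe.d/copyfail-stopgap.conf
}

# Usage: sh copyfail-check.sh audit [binary ...]   or   sh copyfail-check.sh disable
if [ "${1:-}" = audit ]; then
    shift
    echo "algif_aead: $(algif_aead_state)"
    [ $# -gt 0 ] || set -- /usr/bin/su /usr/bin/sudo
    audit_binaries "$@"
elif [ "${1:-}" = disable ]; then
    disable_algif_aead
fi
```

The comparison is the part a plain sha256sum or FIM run cannot do: those read through the page cache and therefore see the same tampered bytes the kernel executes, which is exactly Small’s point. Only a read that bypasses the cache, or a reboot, exposes the unchanged copy on disk, so a DIVERGENT line on a set-uid binary is a strong signal worth preserving before anything restarts. The install rule matters because unloading alone is undone the moment any process touches the AF_ALG aead interface again.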