Technical description
A nine-year-old logic bug in the Linux kernel's authenticated-encryption crypto template, reached through the AF_ALG user-space crypto subsystem, lets an unprivileged local user trigger a deterministic, attacker-controlled 4-byte write into the page cache of any file the user can read. Because the write lands in the cached pages of a privileged binary such as /usr/bin/su, an attacker can inject code into that binary and obtain root. The vulnerability, nicknamed 'Copy Fail', arose from three separate, individually harmless changes to the kernel made in 2011, 2015, and 2017. CISA added it to its Known Exploited Vulnerabilities catalog on May 1, 2026, citing evidence of active exploitation in the wild.
Attack vector
Exploitation requires low-privilege local access (for example an SSH login, a compromised container, or a malicious CI job) but no user interaction. A 732-byte Python exploit is publicly available, and Go and Rust ports have already been found in open-source repositories. The attack is fully reliable, uses only legitimate system calls, and therefore leaves nothing for traditional endpoint detection systems to flag. In containerized environments it enables container escape whenever the host kernel has the algif_aead module loaded, which is the default on hosts running Docker, LXC, or Kubernetes.
Affected systems
All Linux distributions shipped since 2017, that is, every kernel that carries the specific memory optimization commit. Impact is most severe on AI/ML infrastructure that runs containerized workloads (Docker, Kubernetes) and on cloud-based training and inference environments. Kaspersky highlights the risk to containerized AI environments, where an unprivileged process inside a container can exploit the host kernel and take control of the physical machine.
Mitigation
Update to Linux kernel 6.18.22, 6.19.12, or 7.0. CISA requires Federal Civilian Executive Branch agencies to remediate by May 15, 2026. Where patching cannot happen immediately, disable the AF_ALG subsystem, isolate affected hosts at the network level, and apply strict access controls so that untrusted users and workloads cannot reach vulnerable kernels. The Microsoft Defender Security Research Team reports preliminary testing activity that suggests threat-actor exploitation will increase over the coming days.
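A defender-side triage script, added here as an illustration; it is not part of the advisory or of any vendor tooling. It takes from the advisory only the fixed kernel versions (6.18.22, 6.19.12, 7.0) and the module name algif_aead. Everything else is this example's own construction and should be read as an assumption: the function names, the rule that a kernel series the advisory does not name counts as unpatched, the modprobe.d snippet that blocks on-demand loading, the audit rule (AF_ALG is socket family 38 on Linux), and the sample lsmod text. It reports whether a given kernel version is at or past the fix, whether the loadable algif_aead module is present, and what to install until the host is patched:

```shell
#!/bin/sh
# Triage helper for the Copy Fail (AF_ALG / algif_aead) advisory.
# Added example; only the fixed versions and module name come from the
# advisory. Function names, thresholds for unlisted series, the modprobe.d
# text, the audit rule and SAMPLE_LSMOD are this example's own assumptions.

# vfield VERSION N -> prints numeric field N of "MAJOR.MINOR.PATCH[-suffix]".
# The distro suffix is dropped and short versions are padded with zeros.
vfield() {
    v="${1%%-*}.0.0"
    printf '%s\n' "$v" | cut -d. -f"$2" | sed 's/[^0-9]//g'
}

# version_ge A B -> status 0 when A >= B, comparing the three fields numerically.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(vfield "$1" "$i"); y=$(vfield "$2" "$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# kernel_is_patched VERSION -> status 0 when VERSION carries the fix for its series.
# Assumption: a series not named in the advisory (6.17, 5.x, ...) is unpatched,
# consistent with "all distributions shipped since 2017" being affected.
kernel_is_patched() {
    maj=$(vfield "$1" 1); min=$(vfield "$1" 2)
    maj=${maj:-0}; min=${min:-0}
    if [ "$maj" -ge 7 ]; then return 0; fi
    case "$maj.$min" in
        6.19) version_ge "$1" 6.19.12 ;;
        6.18) version_ge "$1" 6.18.22 ;;
        *)    return 1 ;;
    esac
}

# aead_module_loaded LSMOD_TEXT -> status 0 when algif_aead is listed as loaded.
# Takes lsmod output as text so it works on collected inventory, not only live hosts.
aead_module_loaded() {
    printf '%s\n' "$1" | grep -q '^algif_aead[[:space:]]'
}

# Text for a file under /etc/modprobe.d/ that stops algif_aead from loading,
# including the auto-load triggered by an AF_ALG socket request. Printed, not
# written, so the caller chooses the path. Has no effect if the module is built in.
blacklist_conf() {
    printf 'install algif_aead /bin/false\nblacklist algif_aead\n'
}

# auditd rule that records every socket(AF_ALG, ...) call (AF_ALG == 38).
# Assumption: the host has no legitimate AF_ALG users, so any hit is worth a look.
audit_rule() {
    printf -- '-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg_socket\n'
}

# Constructed sample lsmod output standing in for a real host.
SAMPLE_LSMOD='Module                  Size  Used by
algif_aead             16384  0
af_alg                 32768  1 algif_aead
overlay               163840  0'

# triage KERNEL_VERSION LSMOD_TEXT -> prints a verdict; status 0 when nothing is needed.
triage() {
    status=0
    if kernel_is_patched "$1"; then
        echo "kernel $1: at or past the fixed version"
    else
        echo "kernel $1: NOT patched; update to 6.18.22 / 6.19.12 / 7.0"
        status=1
    fi
    if aead_module_loaded "$2"; then
        echo "algif_aead is loaded; until patched, install under /etc/modprobe.d/:"
        blacklist_conf | sed 's/^/    /'
        echo "and record AF_ALG socket use with:"
        audit_rule | sed 's/^/    /'
        status=1
    else
        echo "algif_aead is not loaded"
    fi
    return "$status"
}

# Stand-alone run: the live kernel version against the constructed lsmod text.
triage "$(uname -r)" "$SAMPLE_LSMOD" || echo "action required on this host"
```

To run it against a real host, pass `"$(lsmod)"` as the second argument; the module check is intentionally separate from the version check because a patched kernel with the module loaded needs no action, while an unpatched kernel with the module absent still needs the update before the next reboot or on-demand load.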