CVE-2026-31431 Copy Fail Exploit Is Public: 5 Threats to Patch This Week
A 732-byte Python script gives any unprivileged local user root on every Linux distribution running an unpatched kernel released since 2017, and CISA added the underlying flaw, CVE-2026-31431, to its Known Exploited Vulnerabilities catalog on May 1 with a mandatory federal patch deadline of May 15.
**CVE-2026-31431 Linux privilege escalation**, nicknamed Copy Fail, targets the algif_aead module inside the Linux kernel's AF_ALG cryptographic API. Three separate kernel code changes made in 2011, 2015, and 2017 each appeared correct in isolation but together create a logic error in how the kernel handles in-place authenticated encryption operations. An unprivileged local user can exploit this logic error to corrupt the kernel's in-memory page cache of any readable file, including setuid binaries, without modifying the file on disk. The result: root access, reliably, with no race conditions required. Working exploit code in Python, Go, and Rust variants has already been published to open-source repositories.
The exploitation threshold is extremely low. Any environment allowing untrusted local code execution is directly at risk: cloud multi-tenant virtual machines, shared Kubernetes nodes, developer workstations, CI/CD runners, and containerized environments sharing the host kernel. Microsoft Defender Security Research Team confirmed preliminary threat actor testing activity consistent with building reliable exploitation chains. Wiz's analysis confirms the vulnerability affects millions of cloud Linux workloads and thousands of Kubernetes clusters.
This week brings four additional active threats beyond Copy Fail. CVE-2026-35616, a pre-authentication API bypass in Fortinet FortiClient EMS, carries a CVSS score of 9.1 and has been actively exploited since March 31. The Everest ransomware group has claimed 100 GB of Liberty Mutual Insurance data including policyholder financial records. Chrome CVE-2026-5281, a WebGPU use-after-free flaw, is being actively exploited for code execution. A coordinated supply chain attack compromised Trivy, KICS, LiteLLM, and Bitwarden CLI, stealing cloud credentials, SSH keys, and Kubernetes configuration files from over 1,000 cloud environments.
How Does CVE-2026-31431 Copy Fail Work?
The algif_aead module provides userspace applications with access to Linux kernel cryptographic primitives through the AF_ALG socket interface. **CVE-2026-31431 Copy Fail** exists in how the module handles in-place encryption operations, where input and output memory buffers occupy the same physical pages in the kernel's page cache.
Three changes to the Linux kernel accumulated between 2011 and 2017 to create the vulnerability. The 2011 change introduced AF_ALG socket support. A 2015 modification altered how the module allocates and manages cryptographic operation memory. A 2017 update changed how the kernel handles concurrent page cache reads and writes during cryptographic operations. None of the three changes was individually dangerous. Together, they allow a local unprivileged process to trigger a write to the kernel's page cache for any readable file without modifying the file on disk.
The exploit mechanism works in three steps. The attacker opens an AF_ALG socket and configures it for AEAD (Authenticated Encryption with Associated Data) in-place operation. By crafting specific message parameters, the attacker causes the kernel to overwrite its cached copy of a readable setuid binary with attacker-controlled content. The original file on disk remains unchanged, but the kernel's in-memory copy is replaced, so the next execution of that binary runs the attacker's modified version with root privileges. Because the on-disk bytes are never touched, a hash taken from the raw block device or from a forensic disk image returns the legitimate binary; the corruption lives only in the page cache and does not survive a reboot, so post-reboot imaging of a suspected host will not show it.
Researchers from Theori and Xint published a 732-byte Python proof-of-concept that reliably triggers the privilege escalation with no race conditions. Go and Rust variants of the exploit are already present in public repositories on GitHub and Codeberg. The CVSS score of 7.8 reflects the local access requirement, but the absence of race conditions makes this exploit significantly more reliable than the score alone suggests.
For context on nation-state actors actively targeting Linux perimeter appliances where Copy Fail could enable deeper lateral movement after initial access, see the [UNC5221 BRICKSTORM APT analysis](/blog/unc5221-brickstorm-china-apt-legal-saas-espionage).
Which Systems Are Vulnerable to CVE-2026-31431?
CVE-2026-31431 affects all Linux distributions running a kernel released since 2017 that includes the algif_aead module, which is enabled by default in virtually every mainstream distribution. Red Hat issued advisory RHSB-2026-02 confirming all supported RHEL versions are affected. Canonical confirmed Ubuntu 18.04 LTS through 24.04 LTS. SUSE, Debian, Arch, Manjaro, and Amazon Linux 2023 advisories confirm equivalent exposure.
Cloud and container environments carry elevated risk. Any Linux workload where multiple users or processes share a kernel is directly vulnerable: Kubernetes multi-tenant clusters, shared VPS environments, CI/CD build systems, and container environments accessing the host kernel. Wiz researchers identified millions of cloud Linux workloads running vulnerable kernels as of May 1, 2026.
The attack requires local code execution as an unprivileged user and cannot be exploited remotely on its own. But any application that executes untrusted user-supplied code on a Linux host effectively converts Copy Fail into an unauthenticated root exploit chain. Web servers running user-supplied scripts, Jupyter notebook servers, developer sandboxes, and CI/CD systems accepting external pull requests are all environments where the local access requirement provides no meaningful protection.
Upstream kernel versions 6.18.22, 6.19.12, and 7.0 contain the fix. Distribution vendors shipped patched kernels within 24 hours of coordinated disclosure; because distributions backport the fix into their own release trains, a distro kernel's version string will not match the upstream numbers, and patch status must be read from the vendor advisory (for example RHSB-2026-02) rather than from the upstream version alone. CISA's BOD 22-01 mandate applies to all federal civilian executive branch agencies with a May 15, 2026 deadline. Non-federal organizations should treat this as same-day patching given publicly available exploit code and confirmed active exploitation.
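A triage helper for the points above, added here as an example and not taken from the vendor advisories or from the Theori/Xint research. It classifies a `uname -r` string against the three upstream fixed releases named on this page, refuses to guess for release trains that backport the fix under their own version strings (RHEL, Ubuntu, SUSE, Amazon Linux and the 5.15/6.1/6.6/6.12 LTS series), and reports whether algif_aead is loaded, blocked by a modprobe `install` directive, or merely not loaded yet. The last distinction matters: binding an AF_ALG socket of type "aead" makes af_alg call request_module() for the AEAD interface on demand, with no privilege required, so an unloaded module is not a mitigation. Blocking the module through modprobe.d is a general Linux hardening technique that this page and the advisories do not describe, and it may break legitimate users of the kernel AEAD interface; the /proc/modules and modprobe.d text used in the test is constructed.

```python
import os
import re
from typing import Tuple

# Upstream releases carrying the fix, as listed above. Distribution kernels
# backport it under their own version strings, so this table is only
# meaningful for kernels that track upstream stable/mainline directly.
FIXED_STABLE_PATCH = {(6, 18): 22, (6, 19): 12}
FIXED_MAINLINE_FROM = (7, 0, 0)

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a `uname -r` string.

    Accepts '6.18.21-arch1-1', '6.19.12' or '5.15.0-1056-azure'; a missing
    patch component is read as 0.
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def triage_release(release: str) -> str:
    """Return 'patched', 'vulnerable' or 'check-vendor-advisory'."""
    if "-rc" in release:
        # A release candidate of a fixed series is not the fixed release.
        return "check-vendor-advisory"
    major, minor, patch = parse_release(release)
    if (major, minor, patch) >= FIXED_MAINLINE_FROM:
        return "patched"
    fixed_patch = FIXED_STABLE_PATCH.get((major, minor))
    if fixed_patch is None:
        # Any other series, and every vendor train: the upstream number says
        # nothing about whether the vendor has backported the fix.
        return "check-vendor-advisory"
    return "patched" if patch >= fixed_patch else "vulnerable"


def algif_aead_status(proc_modules: str, modprobe_conf: str = "") -> str:
    """Classify algif_aead exposure from /proc/modules and modprobe.d text.

    'loaded'       - module is resident now.
    'blocked'      - an `install algif_aead /bin/false` (or /bin/true) line
                     stops modprobe from satisfying the kernel's request.
    'autoloadable' - not resident, but the first AF_ALG bind for type "aead"
                     triggers request_module("algif-aead"); modprobe treats
                     '-' and '_' as equivalent, so a plain `blacklist` line
                     does not stop that name-based request.
    """
    for line in proc_modules.splitlines():
        fields = line.split()
        if fields and fields[0] == "algif_aead":
            return "loaded"
    if re.search(r"^\s*install\s+algif_aead\s+/bin/(false|true)\s*$",
                 modprobe_conf, re.M):
        return "blocked"
    return "autoloadable"


def read_modprobe_conf(directory: str = "/etc/modprobe.d") -> str:
    """Concatenate every *.conf under modprobe.d; empty string if unreadable."""
    chunks = []
    try:
        for name in sorted(os.listdir(directory)):
            if name.endswith(".conf"):
                path = os.path.join(directory, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    chunks.append(fh.read())
    except OSError:
        pass
    return "\n".join(chunks)


if __name__ == "__main__":
    release = os.uname().release
    print(f"kernel {release}: {triage_release(release)}")
    try:
        with open("/proc/modules", encoding="utf-8") as fh:
            modules = fh.read()
    except OSError:
        modules = ""
    print(f"algif_aead: {algif_aead_status(modules, read_modprobe_conf())}")
```

Run it on each host, or feed it collected `uname -r` and `/proc/modules` output from inventory. A result of `check-vendor-advisory` is the expected answer on RHEL, Ubuntu and other vendor kernels and means the package version must be compared against the vendor advisory, not that the host is safe.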
Threat #2: CVE-2026-35616 Fortinet FortiClient EMS CVSS 9.1 Demands Full Upgrade
**CVE-2026-35616** is a pre-authentication API access bypass in Fortinet FortiClient EMS (Endpoint Management Server) that allows an unauthenticated remote attacker to execute arbitrary code by sending crafted API requests without any credentials. Fortinet assigned a CVSS score of 9.1 under CWE-284 Improper Access Control, and CISA added it to the Known Exploited Vulnerabilities catalog on April 6.
Defused Cyber researchers first observed exploitation in honeypot environments on March 31, 2026. Disclosure followed on April 5. CISA set a federal remediation deadline of April 9, one of the shortest KEV-to-deadline windows on record. The affected versions are FortiClient EMS 7.4.5 and 7.4.6.
Fortinet released out-of-band hotfix packages for both affected versions, but CyberScoop reporting confirmed the hotfix does not fully remediate the vulnerability. Only FortiClient EMS 7.4.7, the full patch release, closes the complete attack surface. Organizations that applied the hotfix and consider themselves protected are still exposed.
This is the second critical unauthenticated vulnerability in FortiClient EMS disclosed within weeks: CVE-2026-21643, also rated CVSS 9.1, preceded it. Two consecutive critical pre-authentication flaws in the same product within a short window signals sustained targeted research against FortiClient EMS infrastructure. Organizations running Fortinet EMS for endpoint management should treat the 7.4.7 upgrade as mandatory, review server-side API access logs for anomalous unauthenticated requests dating back to March 31, and alert any customer environments managed through compromised EMS instances.
“Fortinet customers confront an actively exploited zero-day with a full patch still pending — only 7.4.7 closes it completely.”
CyberScoop, April 2026
Threats #3 and #4: Everest Ransomware Claims Liberty Mutual and Chrome Zero-Day in the Wild
The Everest ransomware group posted Liberty Mutual Insurance to its dark web data leak site in late April 2026, claiming to have exfiltrated over 100 GB of data including policyholder names, addresses, policy numbers, and financial records tied to individual and corporate accounts. Everest set a three-day contact deadline before staged publication of the stolen data.
**Everest** is a double-extortion ransomware operation active since at least 2020 that has claimed more than 116 victims in the past 12 months, concentrating on insurance, healthcare, and financial services. The group steals data before encrypting systems and publishes staged samples on its dark web leak site to pressure victims. The Liberty Mutual proof samples include insurance policy documentation, a terrorism policy active from October 2025 through October 2026, and group privacy notices, consistent with access to policy administration systems.
Liberty Mutual had not issued a public confirmation at time of this briefing. The pattern is consistent with double-extortion victims entering private negotiation before triggering public disclosure obligations. For insurance and financial services organizations, this follows the ShinyHunters pattern from the [April 29 weekly briefing](/blog/shinyhunters-medtronic-adt-vishing-salesforce-breach): policyholder data and third-party SaaS access remain primary attacker targets.
**Chrome CVE-2026-5281** is a use-after-free vulnerability in Chrome's WebGPU implementation through the Dawn GPU abstraction layer. Google confirmed active exploitation before the patch was released. Attackers direct Chrome users to malicious web pages that execute crafted WebGPU operations, triggering memory corruption in the GPU processing pipeline and enabling arbitrary code execution within the Chrome renderer process. When chained with a sandbox escape, this achieves full system compromise. Any system running Chrome prior to version 146.0.7680.177 is exposed to drive-by exploitation from malicious web pages.
Threat #5: Multi-Vendor Supply Chain Attack Hits Trivy, KICS, Bitwarden, and LiteLLM
A coordinated supply chain attack disclosed by Socket researchers and The Register on April 27, 2026 compromised multiple widely-used security and developer tools across a two-month window. **TeamPCP** attackers stole CI/CD secrets from the build pipeline of Aqua Security's Trivy vulnerability scanner in February 2026 and used those stolen credentials to compromise additional tools by March 23, 2026.
The impacted packages include KICS (Checkmarx), LiteLLM, Telnyx, Bitwarden CLI, and two Checkmarx Open VSX plugins. The Lapsus$ extortion group and the Vect ransomware group subsequently partnered with TeamPCP to monetize the stolen data. The trojanized Trivy release alone reached over 1,000 cloud environments. The compromised Bitwarden CLI puts an install base of more than 50,000 businesses and 10 million users in scope. One confirmed victim, Mercor, had 939 GB of source code exfiltrated after LiteLLM was compromised.
The stolen data includes cloud provider credentials, SSH keys, and Kubernetes configuration files from affected CI/CD environments. Any organization whose pipeline used any of these tools between February and April 2026 should treat every credential and key in those pipelines as compromised regardless of whether anomalous activity has been observed. LiteLLM was also covered in the [May 1 weekly briefing](/blog/cpanel-zero-day-snow-malware-weekly-roundup) in the context of CVE-2026-42208 SQL injection; the TeamPCP supply chain compromise is a separate, compounding incident affecting the same software in the same period.
Rotate all affected secrets before end of business Monday. Audit CI/CD build logs for unexpected outbound connections to external endpoints and review cloud provider access logs for API calls originating from unusual locations or at unusual times.
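The build-log egress audit recommended above, written out as an added example that is not part of the Socket or Register reporting. It reads outbound-connection records from a CI runner egress log in a constructed format (timestamp, job, step, destination host:port), compares each destination against an allowlist of registries and package indexes the pipeline legitimately reaches, and flags everything else. Two details a quick grep gets wrong are handled: the allowlist match is on the exact name or a dot-delimited parent domain, so `pypi.org.cdn-mirror.example` does not pass as `pypi.org`, and raw IP literals are flagged regardless of the allowlist because registries are reached by hostname. The log lines, hostnames and the 203.0.113.42 address are constructed for the example; the real indicators are in the Socket and Register reporting.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed egress log from a CI runner, one line per outbound connection.
# Format assumed for this example: <ISO-8601> job=<id> step=<name> dst=<host>:<port>
SAMPLE_LOG = """\
2026-03-24T10:12:03Z job=build-4417 step=trivy dst=ghcr.io:443
2026-03-24T10:12:05Z job=build-4417 step=trivy dst=registry-1.docker.io:443
2026-03-24T10:12:09Z job=build-4417 step=trivy dst=pypi.org.cdn-mirror.example:443
2026-03-24T10:12:10Z job=build-4417 step=kics dst=203.0.113.42:8443
2026-03-24T10:12:11Z job=build-4417 step=litellm dst=api.github.com:443
"""

# Hostnames a build in this pipeline is expected to reach; adjust to your own.
DEFAULT_ALLOWLIST = frozenset({
    "github.com", "githubusercontent.com", "ghcr.io",
    "docker.io", "pypi.org", "pythonhosted.org", "registry.npmjs.org",
})

# IPv4 literals and hostnames only; a bracketed IPv6 destination would need
# its own pattern because of the colons.
_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+job=(?P<job>\S+)\s+step=(?P<step>\S+)"
    r"\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)\s*$"
)


def is_allowlisted(host: str, allowlist: Iterable[str]) -> bool:
    """True only for an exact allowlisted name or a proper subdomain of one.

    A bare suffix test would accept 'notdocker.io' for 'docker.io'; requiring
    the '.' boundary avoids that, and 'docker.io.attacker.example' fails
    because the allowlisted name is not at the end.
    """
    host = host.lower().rstrip(".")
    for allowed in allowlist:
        allowed = allowed.lower()
        if host == allowed or host.endswith("." + allowed):
            return True
    return False


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_egress(log_text: str,
                 allowlist: Iterable[str] = DEFAULT_ALLOWLIST) -> List[Dict[str, str]]:
    """Return one finding per connection a build should not have made."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # not a connection record; other log lines are ignored
        host = m.group("host")
        if is_ip_literal(host):
            reason = "raw-ip"
        elif not is_allowlisted(host, allowlist):
            reason = "not-allowlisted"
        else:
            continue
        findings.append({
            "ts": m.group("ts"), "job": m.group("job"), "step": m.group("step"),
            "host": host, "port": m.group("port"), "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in audit_egress(SAMPLE_LOG):
        print(f"{f['ts']} {f['job']} step={f['step']} "
              f"{f['host']}:{f['port']} -> {f['reason']}")
```

Every finding is a destination to explain, not proof of compromise; a mirror or proxy your pipeline legitimately uses belongs in the allowlist. Pair the results with the cloud provider access-log review above, since credentials exfiltrated through a flagged connection will show up as API calls from outside the build environment.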
Key IOCs From This Week's Five Active Threats
The indicators of compromise and version checks for all five confirmed threats in this briefing should be run against your SIEM, EDR, asset inventory, and configuration management tooling immediately. For CVE-2026-31431 there is no viable network-layer IOC: the exploit runs entirely locally, so kernel patch status and version-based verification are the only reliable controls for Copy Fail.
Monday Morning Remediation Checklist: 7 Steps Before EOD
Security teams returning Monday May 4 face confirmed active exploitation across five threat categories, with public exploit code for the highest-urgency item. The seven-step checklist is ordered by CISA urgency, CVSS score, and available exploit code; complete every step before end of business today.
The bottom line
CVE-2026-31431 Linux privilege escalation is this week's most urgent exposure: a 732-byte public exploit grants root on every unpatched Linux system running a kernel released since 2017, CISA has confirmed active exploitation, and the federal patch deadline of May 15 is 11 days away. Fortinet CVE-2026-35616 at CVSS 9.1 requires a full upgrade to FortiClient EMS 7.4.7, not just the hotfix. Update Chrome, rotate supply chain secrets, and cross-reference the latest CISA KEV additions against your asset inventory before end of business Monday. One unpatched kernel or one un-rotated CI/CD secret is all an attacker needs this week.
Frequently asked questions
What is CVE-2026-31431 Copy Fail?
CVE-2026-31431 Copy Fail is a local privilege escalation vulnerability in the Linux kernel's algif_aead cryptographic module that allows any unprivileged local user to corrupt the kernel's in-memory copy of a readable file, including setuid binaries, without modifying the file on disk. Three separate kernel code changes from 2011, 2015, and 2017 collectively create the logic error. An attacker exploits this to obtain root access reliably with no race conditions. CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog on May 1, 2026 with a federal remediation deadline of May 15.
Which Linux distributions are affected by CVE-2026-31431?
All Linux distributions running a kernel released since 2017 that includes the algif_aead module are affected, which means virtually every mainstream distribution in current use. Confirmed affected distributions include Red Hat Enterprise Linux (all supported versions), Ubuntu 18.04 LTS through 24.04 LTS, SUSE Linux Enterprise, Debian, Arch Linux, Manjaro, and Amazon Linux 2023. The upstream fix ships in kernels 6.18.22, 6.19.12, and 7.0; distributions backport it into their own kernel trains under distro-specific version strings, so the patched package for a given release is the one named in the vendor advisory, not the upstream number. Cloud providers including AWS, Azure, and Google Cloud publish kernel patching guidance in their security bulletins.
Is there a public exploit for CVE-2026-31431?
Yes. Theori and Xint researchers published a 732-byte Python proof-of-concept exploit that reliably triggers privilege escalation on any unpatched Linux system without requiring race conditions. Go and Rust variants of the exploit are also available on public repositories including GitHub and Codeberg. The existence of multiple working exploit variants in public repositories significantly increases the probability of opportunistic exploitation by threat actors who did not develop the original vulnerability. Microsoft Defender Security Research Team confirmed preliminary threat actor testing activity following public disclosure.
How do I patch CVE-2026-31431 on Red Hat or Ubuntu?
On Red Hat Enterprise Linux, run dnf update kernel as root and reboot. Red Hat advisory RHSB-2026-02 specifies the exact patched kernel version for each supported RHEL release, and rpm -q --changelog kernel | grep CVE-2026-31431 confirms that the installed package carries the fix. On Ubuntu, run apt update followed by apt upgrade as root, which pulls the new kernel through whichever kernel metapackage the system already uses (linux-image-generic, its HWE variant, or a cloud flavour such as linux-image-aws), then reboot. Canonical's advisory links to the patched kernel package for each Ubuntu LTS version. After rebooting, verify the running kernel with uname -r and confirm it matches the patched version listed in your distribution advisory; distro kernels do not carry the upstream 6.18.22, 6.19.12 or 7.0 numbers, so comparing against those alone tells you nothing.
What is CVE-2026-35616 in Fortinet FortiClient EMS?
CVE-2026-35616 is a pre-authentication API access bypass in Fortinet FortiClient Endpoint Management Server versions 7.4.5 and 7.4.6, rated CVSS 9.1. It allows an unauthenticated remote attacker to execute arbitrary code by sending crafted API requests without credentials. Active exploitation was first observed on March 31, 2026. The out-of-band hotfix released for affected versions does not fully remediate the vulnerability. Only FortiClient EMS 7.4.7 contains the complete fix. CISA added this to the KEV catalog on April 6 with a three-day federal remediation deadline.
Has Liberty Mutual confirmed the Everest ransomware breach?
Liberty Mutual had not issued a public statement confirming or denying the Everest ransomware group's claim at the time of this briefing on May 4, 2026. Everest posted Liberty Mutual to its dark web data leak site with proof samples including insurance policy documentation tied to individual and corporate accounts. The absence of a public denial combined with the specificity of the published samples is consistent with double-extortion victims entering private negotiation rather than triggering public disclosure obligations. Insurance and financial services organizations should treat third-party access to policyholder systems as elevated risk during this period.
How does Chrome CVE-2026-5281 get exploited?
CVE-2026-5281 is a use-after-free vulnerability in Chrome's WebGPU implementation through the Dawn GPU abstraction layer. An attacker directs a Chrome user to a malicious web page that executes crafted WebGPU operations, triggering memory corruption in the GPU processing pipeline and enabling arbitrary code execution within the Chrome renderer process. When chained with a sandbox escape vulnerability, this achieves full system compromise. Google confirmed active in-the-wild exploitation before releasing the patch. Update Chrome to version 146.0.7680.177 or later on all platforms immediately.
How do I detect if the Trivy or KICS supply chain attack affected my environment?
Review whether your CI/CD pipelines or container scanning workflows used Trivy, KICS, LiteLLM, Bitwarden CLI, or Telnyx between February and April 2026. If any of these tools were in use, treat all cloud credentials, SSH keys, and Kubernetes configuration files accessible through those pipelines as compromised and rotate them immediately. Audit CI/CD build logs for unexpected outbound HTTPS connections to non-registry endpoints. Socket Research and The Register's April 27 reporting provide the specific compromised package versions and container image tags. Review cloud provider access logs for anomalous API calls from builder environments.
Sources & references
- CISA — Known Exploited Vulnerabilities Catalog (CVE-2026-31431 added May 1, 2026)
- The Hacker News — CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV
- Tenable — Copy Fail (CVE-2026-31431): Linux Kernel Privilege Escalation FAQ
- Wiz Blog — Copy Fail: Universal Linux Local Privilege Escalation Vulnerability
- Red Hat — RHSB-2026-02 Cryptographic Subsystem Privilege Escalation Linux Kernel (CVE-2026-31431)
- The Hacker News — Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS
- CyberScoop — Fortinet customers confront actively exploited zero-day, with a full patch still pending
- Cybernews — Liberty Mutual breach: Everest ransomware claims 100 GB of policyholder data
- eSecurityPlanet — Chrome Vulnerability CVE-2026-5281 Exploited in the Wild
- The Register — Ongoing supply-chain attack targets security, dev tools

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
