HackMyIP
2026-05-04 BleepingComputer

CISA Warns: Copy Fail Linux Flaw Exploited for Root Access

Tags: Vulnerability, Zero-Day, Threat Intel

CISA warned Monday that threat actors have begun actively exploiting a newly disclosed Linux kernel vulnerability dubbed "Copy Fail," just one day after Theori security researchers published an in-depth analysis and a proof-of-concept (PoC) exploit. The flaw resides in the kernel's copy_file_range() system call and can be turned into a use-after-free condition that lets a local, unprivileged attacker escalate to root. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which under Binding Operational Directive 22-01 obliges federal civilian agencies to remediate it by the due date listed in the catalog entry.

The technical root cause is a race condition in the implementation of copy_file_range() that can be triggered by a specially crafted splice() or sendfile() call. When the attacker wins the race, the kernel frees a memory buffer while a subsequent operation still holds a reference to it, creating a use-after-free. By grooming kernel heap objects via userfaultfd (used to stall the kernel mid-copy so the freed slot can be reclaimed on schedule) and then dereferencing the dangling pointer, the PoC writes attacker-controlled data to a kernel-space location, overwriting a credential structure and obtaining root privileges. The article gives the identifier as CVE-2023-32233; note that this CVE is assigned to the 2023 netfilter nf_tables use-after-free, not to a copy_file_range() bug, so confirm the identifier that actually tracks Copy Fail against your distribution's advisory before filing tickets or writing scanner rules. The article lists the affected range as kernels 5.15 through 6.2, naming the default kernels of Ubuntu 22.04 LTS, Debian 12, Fedora 38, Red Hat Enterprise Linux 8.8, and SUSE Linux Enterprise 15 SP4; the last two ship 4.18- and 5.14-based kernels respectively, which fall outside that range, so treat the list as a prompt to check each vendor's advisory rather than as an authoritative inventory.

Several threat actors have already integrated the Copy Fail exploit into their toolkits. According to CISA's advisory, an advanced persistent threat (APT) group linked to state-sponsored activity has used the flaw to compromise Linux-based web servers and container workloads, leveraging it to escape containers and move laterally within enterprise networks. Because the bug is in the shared host kernel, root inside a container is root on the host. The attackers pair the exploit with hosts that leave unprivileged user namespaces enabled to maximize impact, and they have been observed exfiltrating sensitive configuration files after obtaining root.

CISA recommends immediate patching: update to the latest stable kernel releases that include the fix, which is already available in the upstream Long Term Support (LTS) branches. Distributions backport fixes without changing the major.minor version, so a kernel inside the reported range is not necessarily vulnerable and one outside it is not necessarily safe; the vendor's package changelog is the authority. If patching is not feasible in the short term, administrators should disable unprivileged user namespaces. The article's suggested knob, sysctl kernel.unprivileged_userns_clone=0, exists only on Debian- and Ubuntu-patched kernels; the upstream equivalent is user.max_user_namespaces=0. Either setting breaks rootless containers and sandboxed browsers, so test before rolling it out fleet-wide. Since the published PoC grooms the heap through userfaultfd, setting vm.unprivileged_userfaultfd=0 (upstream since kernel 5.2) removes that primitive for unprivileged users as well. Beyond that, enforce strict SELinux or AppArmor policies, and scan hosts for copies of the published PoC source and binaries. Organizations are also advised to review audit logs for indicators of compromise such as unexpected splice() or copy_file_range() calls from the same process that also created a userfaultfd descriptor.
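The following is an added triage helper written for this page; it is not code from the BleepingComputer article, CISA, or Theori. It turns the mitigation and detection advice above into three checks: whether a `uname -r` string falls inside the range the article reports, whether the sysctls that close the attacker's primitives are set, and a correlation over auditd SYSCALL records that flags any process using userfaultfd together with a copy-family syscall. The syscall numbers are the upstream x86_64 values and the sysctl names are real kernel knobs; the audit lines, process names, and the `copyfail` audit key are constructed sample data.

```python
"""Copy Fail triage helper (added example, not from the article or the vendors).
Checks kernel range, hardening sysctls, and userfaultfd+copy syscall co-occurrence
in auditd SYSCALL records. Sample audit lines below are constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Affected range as reported in the article (inclusive). A distro kernel inside
# this range may already carry the backported fix, so a hit means "check the
# vendor advisory", not "vulnerable".
REPORTED_RANGE = ((5, 15), (6, 2))

# x86_64 syscall numbers (arch/x86/entry/syscalls/syscall_64.tbl).
SYSCALL_NAMES = {40: "sendfile", 275: "splice", 323: "userfaultfd", 326: "copy_file_range"}
COPY_FAMILY = {"sendfile", "splice", "copy_file_range"}

# Sysctl -> value that closes the corresponding primitive.
# kernel.unprivileged_userns_clone exists only on Debian/Ubuntu-patched kernels;
# user.max_user_namespaces is the upstream knob. vm.unprivileged_userfaultfd=0
# (upstream since 5.2) restricts unprivileged userfaultfd to user-mode faults,
# removing the kernel-side stall that heap grooming relies on.
HARDENING = {
    "kernel.unprivileged_userns_clone": "0",
    "user.max_user_namespaces": "0",
    "vm.unprivileged_userfaultfd": "0",
}
USERNS_KNOBS = ("kernel.unprivileged_userns_clone", "user.max_user_namespaces")

# Assumed auditd rule that produces the records parsed below (not from the article):
#   -a always,exit -F arch=b64 -S userfaultfd,splice,sendfile,copy_file_range -k copyfail
AUDIT_RE = re.compile(r'type=SYSCALL .*?\bsyscall=(\d+)\b.*?\bpid=(\d+)\b.*?\bcomm="([^"]*)"')


def kernel_in_reported_range(release: str) -> bool:
    """True if a `uname -r` string such as '5.15.0-91-generic' lies in REPORTED_RANGE."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        return False
    ver = (int(m.group(1)), int(m.group(2)))
    return REPORTED_RANGE[0] <= ver <= REPORTED_RANGE[1]


def read_sysctls() -> Dict[str, Optional[str]]:
    """Read the HARDENING sysctls from /proc/sys on a live host (None if the knob is absent)."""
    out: Dict[str, Optional[str]] = {}
    for name in HARDENING:
        try:
            with open("/proc/sys/" + name.replace(".", "/")) as f:
                out[name] = f.read().strip()
        except OSError:
            out[name] = None
    return out


def hardening_gaps(sysctls: Dict[str, Optional[str]]) -> List[str]:
    """Names of sysctls that exist but are not at the hardened value.
    Closing either user-namespace knob is enough; a missing
    kernel.unprivileged_userns_clone is normal on non-Debian kernels."""
    gaps = [n for n, want in HARDENING.items()
            if sysctls.get(n) is not None and sysctls[n] != want]
    if any(sysctls.get(n) == "0" for n in USERNS_KNOBS):
        gaps = [n for n in gaps if n not in USERNS_KNOBS]
    return gaps


def parse_syscall_record(line: str) -> Optional[Tuple[int, int, str]]:
    """Return (pid, syscall_nr, comm) from an auditd SYSCALL record, else None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return int(m.group(2)), int(m.group(1)), m.group(3)


def flag_processes(lines: Iterable[str]) -> Dict[int, Tuple[str, List[str]]]:
    """Correlate records per pid; return pids that used userfaultfd and at least one
    copy-family syscall, mapped to (comm, sorted syscall names)."""
    seen: Dict[int, set] = defaultdict(set)
    comm_of: Dict[int, str] = {}
    for line in lines:
        rec = parse_syscall_record(line)
        if rec is None:
            continue
        pid, nr, comm = rec
        name = SYSCALL_NAMES.get(nr)
        if name:
            seen[pid].add(name)
            comm_of[pid] = comm
    return {pid: (comm_of[pid], sorted(names)) for pid, names in seen.items()
            if "userfaultfd" in names and names & COPY_FAMILY}


# Constructed sample: pid 4242 (an unprivileged user's /tmp binary) creates a
# userfaultfd, then issues splice() and copy_file_range(); pid 777 is a root
# rsync that only splices and must not be flagged.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1777900000.101:201): arch=c000003e syscall=323 success=yes exit=4 a0=1 a1=0 a2=0 a3=0 items=0 ppid=4100 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="cfr" exe="/tmp/cfr" key="copyfail"
type=SYSCALL msg=audit(1777900000.102:202): arch=c000003e syscall=275 success=yes exit=4096 a0=3 a1=0 a2=5 a3=0 items=0 ppid=4100 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="cfr" exe="/tmp/cfr" key="copyfail"
type=SYSCALL msg=audit(1777900000.103:203): arch=c000003e syscall=326 success=yes exit=4096 a0=3 a1=0 a2=5 a3=0 items=0 ppid=4100 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="cfr" exe="/tmp/cfr" key="copyfail"
type=SYSCALL msg=audit(1777900001.500:204): arch=c000003e syscall=275 success=yes exit=65536 a0=3 a1=0 a2=4 a3=0 items=0 ppid=1 pid=777 auid=0 uid=0 gid=0 euid=0 comm="rsync" exe="/usr/bin/rsync" key="copyfail"
"""

if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(f"kernel {rel}: in reported range = {kernel_in_reported_range(rel)}")
    print("hardening gaps:", hardening_gaps(read_sysctls()))
    print("flagged processes (sample log):", flag_processes(SAMPLE_AUDIT_LOG.splitlines()))
```

On a live host, replace the sample log with `ausearch -k copyfail --raw` output; the correlation is per pid within whatever window you feed it, so run it over a bounded time slice to avoid pid reuse across reboots collapsing unrelated processes.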

Source: BleepingComputer
