CISA Adds Urgent Linux Root Access Vulnerability CVE-2026-31431 to KEV Catalog Amid Active Exploitation


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a significant security vulnerability affecting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog. This addition underscores the urgency of addressing the flaw, identified as CVE-2026-31431, which has been confirmed to be actively exploited in the wild. The vulnerability carries a CVSS score of 7.8, indicating a high severity level.

Overview of the Vulnerability

CVE-2026-31431 is classified as a local privilege escalation (LPE) vulnerability, enabling unprivileged local users to gain root access. Dubbed “Copy Fail” by security researchers, this flaw has existed in the Linux kernel for nearly a decade. It originates from a logic bug in the kernel’s authentication cryptographic template, which can be exploited using a 732-byte Python-based exploit. The vulnerability was introduced through three separate changes to the Linux kernel made in 2011, 2015, and 2017.

CISA’s advisory indicates that the Linux kernel contains an incorrect resource transfer vulnerability that could facilitate privilege escalation. Fixes have been released in Linux kernel versions 6.18.22, 6.19.12, and 7.0, making it essential for users to update their systems promptly.

Technical Implications

The vulnerability affects Linux distributions released since 2017, allowing unprivileged users to corrupt the kernel’s in-memory page cache of any readable file, including setuid binaries. This corruption can lead to code execution with root permissions. The page cache represents the in-memory version of executables, enabling attackers to modify binaries at execution time without altering the disk.

According to cybersecurity firm Wiz, this vulnerability allows attackers to inject code into privileged binaries, such as /usr/bin/su, thereby gaining root privileges. The widespread use of Linux in cloud environments amplifies the potential impact of this vulnerability, particularly in containerized settings.

Risks to Containerized Environments

Kaspersky has highlighted the significant risks posed by Copy Fail to containerized environments. Technologies such as Docker, LXC, and Kubernetes typically grant processes inside a container access to the AF_ALG subsystem by default, provided the algif_aead module is loaded into the host kernel. This default configuration can lead to breaches in container isolation, allowing attackers to gain control over the physical machine.

The ease of exploitation is particularly concerning. The attack does not require complex techniques, such as race conditions or memory address guessing, which lowers the barrier for potential attackers. Detection of such attacks is challenging because the exploit utilizes legitimate system calls that are difficult to distinguish from normal application behavior.

Exploit Availability and Threat Landscape

The urgency surrounding this vulnerability is heightened by the availability of a fully functional proof-of-concept (PoC) exploit. Kaspersky has reported that ports of the original Python exploit, including Go and Rust implementations, have already appeared in open-source repositories.

CISA has not disclosed specific details about how the vulnerability is being exploited in real-world scenarios. However, the Microsoft Defender Security Research Team has noted an increase in preliminary testing activity that may lead to heightened exploitation attempts in the coming days. The attack vector is local and requires low privileges, meaning any unprivileged user on a vulnerable system can attempt to exploit it.

The Microsoft team has pointed out that while the vulnerability is not remotely exploitable in isolation, it becomes significantly impactful when combined with initial access vectors such as Secure Shell (SSH) access, malicious continuous integration (CI) job execution, or container footholds.

Potential Exploitation Pathway

Security experts have outlined a potential pathway that attackers could follow to exploit this vulnerability:

  1. Conduct reconnaissance to identify a Linux host or container running a kernel version vulnerable to Copy Fail.
  2. Prepare a small Python trigger for use against the endpoint.
  3. Execute the exploit from a low-privilege context, either as a regular Linux user on a host or a compromised container process with no special capabilities.
  4. The exploit performs a controlled 4-byte overwrite in the kernel page cache, leading to corruption of sensitive kernel-managed data.
  5. The attacker escalates their process to UID 0, obtaining full root privileges.

Recommendations for Mitigation

In light of this critical vulnerability, CISA has advised Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by May 15, 2026. Updates have already been pushed by affected Linux distributions. For organizations unable to patch immediately, it is recommended to disable the affected feature, implement network isolation, and apply stringent access controls.
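The container-risk and mitigation passages above name two concrete facts a defender can act on: the fixed kernel releases (6.18.22, 6.19.12 and 7.0) and the algif_aead module as the feature that exposes AF_ALG AEAD to unprivileged processes. The following triage script is an added example, not code from CISA, Wiz or Kaspersky. It checks a kernel version string against those releases, reports whether algif_aead is loaded, and writes the conventional modprobe drop-in that stops the module from being autoloaded. The drop-in path and the `install <module> /bin/false` idiom are standard administrative practice, not something the advisory specifies; the module-list and config-file arguments exist so the functions can be exercised on constructed input.

```shell
#!/bin/sh
# Defender-side triage helper for the Copy Fail advisory (CVE-2026-31431).
# Added example, not code from CISA, Wiz or Kaspersky. It encodes only what the
# article states: fixed kernels 6.18.22, 6.19.12 and 7.0, and algif_aead as the
# module that exposes the AF_ALG AEAD interface. The modprobe drop-in path is
# a conventional choice (assumption), not one named by the advisory.

# kernel_status VERSION  -> prints "patched", "vulnerable" or "unknown"
# Accepts uname -r output such as "6.18.21-generic".
kernel_status() {
    v=${1%%-*}                       # drop "-generic", "-amd64", "-rc1", etc.
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;              # "7.0" has no patch level
    esac
    patch=${patch%%[!0-9]*}          # "22rc1" -> "22"
    case "$major$minor$patch" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # unparsable string
    esac
    if [ "$major" -ge 7 ]; then
        echo patched
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 18 ]; then
        if [ "$patch" -ge 22 ]; then echo patched; else echo vulnerable; fi
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 19 ]; then
        if [ "$patch" -ge 12 ]; then echo patched; else echo vulnerable; fi
    else
        # Other series (e.g. older LTS kernels): the article names no fixed
        # version, so defer to the distribution's advisory for backports.
        echo unknown
    fi
}

# algif_aead_status [MODULES_FILE] -> "loaded", "not-loaded" or "unknown"
# MODULES_FILE defaults to /proc/modules; a path is accepted for offline use.
# Module names are the first whitespace-separated field of each line.
algif_aead_status() {
    f=${1:-/proc/modules}
    [ -r "$f" ] || { echo unknown; return 0; }
    if grep -q '^algif_aead ' "$f"; then echo loaded; else echo not-loaded; fi
}

# block_algif_aead [CONF_FILE] -> prints the path written
# Writes a modprobe drop-in so algif_aead cannot be autoloaded. This must run
# on the host (containers share the host kernel) and does not unload a module
# that is already resident; "modprobe -r algif_aead" is needed for that.
block_algif_aead() {
    conf=${1:-/etc/modprobe.d/disable-algif_aead.conf}
    printf 'install algif_aead /bin/false\n' > "$conf"
    echo "$conf"
}

# Stand-alone use: report the running host.
echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
echo "algif_aead: $(algif_aead_status)"
```

Two caveats apply. A result of `unknown` for an LTS series means the article gives no fixed version for it, not that the kernel is safe; the distribution's advisory decides. And if the interface is compiled into the kernel rather than built as a module, `/proc/modules` will not list it and the drop-in has no effect (`/lib/modules/$(uname -r)/modules.builtin` shows what is built in); in that case patching is the only remedy the advisory offers.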


Published on 2026-05-03 16:23:00 • By the Editorial Desk
