CISA Adds Actively Exploited Linux Root Bug to KEV List

Summary
– CISA added Linux kernel vulnerability CVE-2026-31431 to its Known Exploited Vulnerabilities catalog due to active exploitation.
– The nine-year-old local privilege escalation flaw allows an unprivileged user to gain root access by corrupting the kernel’s in-memory page cache.
– A 732-byte Python-based exploit and working proof-of-concept code are publicly available, with Go and Rust versions also detected.
– The vulnerability poses a serious risk to cloud and containerized environments by potentially breaching container isolation.
– FCEB agencies must apply fixes by May 15, 2026; alternatives include disabling the affected feature, network isolation, and access controls.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has escalated a recently uncovered security flaw affecting multiple Linux distributions by adding it to its Known Exploited Vulnerabilities (KEV) catalog, confirming that active exploitation is already occurring in the wild.
Designated as CVE-2026-31431 with a CVSS score of 7.8, this vulnerability is a local privilege escalation (LPE) flaw that enables an unprivileged local user to gain root access. Dubbed Copy Fail by researchers from Theori and Xint, the bug has existed for nine years. Patches have been rolled out in Linux kernel versions 6.18.22, 6.19.12, and 7.0.
According to CISA’s advisory, the “Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation.”
In a detailed analysis published earlier this week, researchers explained that Copy Fail stems from a logic error within the Linux kernel’s authentication cryptographic template. This error lets an attacker reliably trigger privilege escalation using a compact 732-byte Python-based exploit. The flaw was introduced through three separate, seemingly benign changes to the kernel made in 2011, 2015, and 2017.
This high-severity vulnerability affects Linux distributions shipped since 2017. It allows an unprivileged local user to achieve root-level access by corrupting the kernel’s in-memory page cache of any readable file, including setuid binaries. This corruption can be performed without special privileges and may lead to code execution with root permissions.
“Because the page cache represents the in-memory version of executables, modifying it effectively alters binaries at execution time without touching disk,” noted Google-owned Wiz. “This enables attackers to inject code into privileged binaries (e.g., /usr/bin/su) and thereby gain root privileges.”
Given Linux’s dominance in cloud environments, the vulnerability carries significant weight. Kaspersky, in its assessment, warned that Copy Fail presents a serious threat to containerized environments such as Docker, LXC, and Kubernetes. These platforms “grant processes inside a container access to the AF_ALG subsystem if the algif_aead module is loaded into the host kernel” by default.
“Copy Fail poses a risk of breaching container isolation and gaining control over the physical machine,” the Russian security firm stated. “At the same time, exploitation does not require the use of complex techniques, such as race conditions or memory address guessing, which lowers the entry barrier for a potential attacker.”
“Detecting the attack is difficult because the exploit uses only legitimate system calls, which are hard to distinguish from normal application behavior.”
The urgency is compounded by the existence of a fully functional exploit proof-of-concept (PoC). Kaspersky reported that Go and Rust versions of the original Python code have already appeared in open-source repositories.
CISA did not disclose specific details about how the vulnerability is being exploited in the wild. However, the Microsoft Defender Security Research Team stated it is “seeing preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days.”
“The attack vector is local (AV:L) and requires low privileges with no user interaction, meaning any unprivileged user on a vulnerable system can attempt exploitation,” the team added. “Critically, this vulnerability is not remotely exploitable in isolation, but becomes highly impactful when chained with an initial access vector such as Secure Shell (SSH) access, malicious CI job execution, or container footholds.”
Microsoft also outlined a possible attack chain:
- Reconnaissance to identify a Linux host or container running a susceptible kernel version.

Federal Civilian Executive Branch (FCEB) agencies have been directed to apply patches by May 15, 2026, as updates have been released by affected Linux distributions. If immediate patching is not feasible, organizations are advised to disable the impacted feature, enforce network isolation, and tighten access controls.
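The following exposure check is an added illustration for defenders and is not code from the article or from CISA, Theori, Xint, Kaspersky, Microsoft or Wiz. It assumes the kernel module name algif_aead (the AF_ALG AEAD interface named above) and treats only the three fixed versions the article lists as patched, so a fix backported to another stable series is reported as unpatched rather than fixed; built-in (non-module) builds of the interface are not detected by lsmod.

```shell
#!/bin/sh
# Exposure check for CVE-2026-31431 (Copy Fail): is this kernel one of the
# fixed releases, and is the AF_ALG AEAD interface (algif_aead) reachable?

# Returns 0 when $1 (a kernel release such as "6.18.21-1-generic") is at or
# above one of the fixed versions named in the article: 6.18.22, 6.19.12, 7.0.
# Assumption: other stable series are reported as not fixed (no backport list).
kernel_is_fixed() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')       # strip "-1-generic" etc.
    major=$(printf '%s' "$ver" | cut -s -d. -f1); major=${major:-$ver}
    minor=$(printf '%s' "$ver" | cut -s -d. -f2); minor=${minor:-0}
    patch=$(printf '%s' "$ver" | cut -s -d. -f3); patch=${patch:-0}
    [ "$major" -ge 7 ] && return 0
    [ "$major" -eq 6 ] && [ "$minor" -eq 19 ] && [ "$patch" -ge 12 ] && return 0
    [ "$major" -eq 6 ] && [ "$minor" -eq 18 ] && [ "$patch" -ge 22 ] && return 0
    return 1
}

# $1 = kernel release, $2 = captured `lsmod` output.
# Exit status: 0 fixed, 1 unpatched with algif_aead loaded (exposed),
# 2 unpatched but algif_aead not loaded as a module (built-in not checked).
copyfail_exposure() {
    release="$1"; lsmod_out="$2"
    if kernel_is_fixed "$release"; then
        echo "fixed: kernel $release is at or above a fixed release"
        return 0
    fi
    if printf '%s\n' "$lsmod_out" | grep -q '^algif_aead[[:space:]]'; then
        echo "EXPOSED: kernel $release is unpatched and algif_aead is loaded"
        # Mitigation the article describes as "disable the impacted feature":
        # prevent the module from loading, e.g. a modprobe.d line
        #   install algif_aead /bin/false
        # then unload it, until the distribution's kernel update is applied.
        return 1
    fi
    echo "unpatched: kernel $release, algif_aead not loaded (built-in not checked)"
    return 2
}

# Live run on this host only when explicitly requested.
if [ "${COPYFAIL_LIVE:-0}" = 1 ]; then
    copyfail_exposure "$(uname -r)" "$(lsmod)"
fi
```

Run with `COPYFAIL_LIVE=1 sh copyfail_check.sh` on a host; in a container the result reflects the shared host kernel, which is exactly the isolation concern Kaspersky raises.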