CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV

The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a newly disclosed security flaw affecting multiple Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The nine-year-old bug has also been codenamed Copy Fail by Theori and Xint. Fixes are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.
“The Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow elevation of privilege,” CISA said in an advisory.
In a paper published earlier this week, the researchers said Copy Fail is the result of a logic bug in the Linux kernel's cryptographic subsystem that allows an attacker to reliably trigger privilege escalation with a 732-byte Python-based exploit. It was introduced through three separate, individually harmless changes to the Linux kernel made in 2011, 2015, and 2017.
The flaw affects Linux distributions shipping kernels from 2017 onward and allows an unprivileged local user to gain root-level access by corrupting the kernel page cache of any readable file, including setuid binaries. Because the trigger needs no special privileges, the result is code execution with root permissions.
"Because the page cache represents an in-memory version of the executable, changing it effectively changes the binary at runtime without touching disk," said Google-owned Wiz. "This allows attackers to inject code into special binaries (e.g., /usr/bin/su) and thus gain root privileges."
The prevalence of Linux in cloud environments means the vulnerability has a broad impact. Kaspersky, in its analysis of the bug, said Copy Fail poses a significant risk to containerized environments, as Docker, LXC, and Kubernetes "give processes inside the container access to the AF_ALG subsystem when the algif_aead module is loaded into the host kernel" by default.

"Copy Fail poses the risk of breaching individual containers and taking control of a physical machine," the Russian security vendor said. "At the same time, the exploit does not require the use of complex techniques, such as race conditions or guessing memory addresses, which lowers the barrier to entry for a potential attacker."
“Detecting the attack is difficult because the exploit uses only legitimate system calls, which are difficult to distinguish from normal application behavior.”
Adding to the urgency is the availability of proof-of-concept (PoC) exploits: Go and Rust ports of the original Python implementation have surfaced in public repositories.
CISA did not share any details on how the vulnerability is being exploited in the wild. However, the Microsoft Defender Security Research Team said it is “seeing initial test activity that could lead to an increase in exploits by actors in the next few days.”
"The attack vector is local (AV:L) and requires low privileges without user interaction, meaning any unprivileged user on the vulnerable system can attempt to exploit it," it added. "Unfortunately, these vulnerabilities are not remotely exploitable in isolation, but they are highly impactful when tied to an initial access vector such as Secure Shell (SSH) access, malicious CI execution, or container bases."
The tech giant also detailed one particular route attackers could take to exploit the vulnerability:
- Run a check to identify a Linux host or container running a kernel version vulnerable to Copy Fail.
- Place a small Python trigger on the endpoint.
- Execute the exploit from a low-privilege context, such as a standard Linux user on the host or a container process with no special privileges.
- The exploit performs a controlled 4-byte overwrite in the kernel page cache, corrupting sensitive kernel-managed data.
- The attacker elevates their process to UID 0 and gains full root privileges.
Federal Civilian Executive Branch (FCEB) agencies have until May 15, 2026, to apply fixes, and updates have been pushed to affected Linux distributions. Where patching is not an immediate option, organizations are advised to disable the affected feature, segment networks, and enforce access controls.
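The first step in Microsoft's attack chain above (find a host or container on a vulnerable kernel) is also the first step of triage, and CISA's interim mitigation ("disable the affected feature") maps to the AF_ALG/algif_aead interface Kaspersky highlights. The script below is an added example written for this article, not code from CISA, Theori/Xint, Wiz, Kaspersky or Microsoft. It assumes only the fixed versions quoted above (6.18.22, 6.19.12, 7.0) and the kernel's AF_ALG address-family constant (38); a distribution kernel that backports the fix without bumping the upstream version will be reported as "vulnerable" here, so the vendor advisory is the final word.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-31431 ("Copy Fail"). Example code, not the
# advisory's or the researchers'. Fixed mainline versions are those quoted in
# the article; AF_ALG=38 comes from the Linux uapi socket headers.

# kernel_status VERSION
# Prints "fixed", "vulnerable" or "check-vendor" for a `uname -r` style
# string. Only the three upstream fix versions from the article are known
# here; older series (e.g. 6.12.x) get "check-vendor" because any fix there
# is a distro backport the version string does not reveal.
kernel_status() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # 6.18.21-1-amd64 -> 6.18.21
    case "$ver" in
        *.*) ;;
        *) echo check-vendor; return 0 ;;           # not a parseable version
    esac
    maj=${ver%%.*}
    rest=${ver#*.}
    min=${rest%%.*}
    case "$rest" in
        *.*) pat=${rest#*.}; pat=${pat%%.*} ;;      # 18.21 -> 21
        *)   pat=0 ;;                               # "7.0" -> 7.0.0
    esac
    if [ "$maj" -ge 7 ]; then
        echo fixed
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 19 ]; then
        if [ "$pat" -ge 12 ]; then echo fixed; else echo vulnerable; fi
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 18 ]; then
        if [ "$pat" -ge 22 ]; then echo fixed; else echo vulnerable; fi
    else
        echo check-vendor
    fi
}

# af_alg_loaded: succeeds if algif_aead is visible as a loaded module.
# A built-in (CONFIG_CRYPTO_USER_API_AEAD=y) copy does not appear in
# /proc/modules; the authoritative test is whether socket(AF_ALG,
# SOCK_SEQPACKET, 0) succeeds, which the article notes works from inside
# Docker/LXC/Kubernetes containers by default when the host has the module.
af_alg_loaded() {
    grep -q '^algif_aead ' /proc/modules 2>/dev/null || [ -d /sys/module/algif_aead ]
}

# write_modprobe_block DIR
# Writes a modprobe.d fragment using the standard "install <mod> /bin/false"
# idiom so future loads of algif_aead fail. DIR is a parameter so the
# function can be exercised against a scratch directory; on a real host pass
# /etc/modprobe.d. An already-loaded module must also be unloaded with
# `modprobe -r algif_aead`, which fails while any process holds an AF_ALG
# socket. Anything that legitimately uses AF_ALG (e.g. libkcapi) breaks.
write_modprobe_block() {
    conf="$1/disable-algif_aead.conf"
    printf '# CVE-2026-31431 interim mitigation: refuse to load the AF_ALG AEAD interface\n' > "$conf"
    printf 'install algif_aead /bin/false\n' >> "$conf"
    echo "$conf"
}

# Read-only report when run directly (no root needed for these checks).
echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
if af_alg_loaded; then
    echo "algif_aead: loaded (AF_ALG AEAD interface reachable)"
else
    echo "algif_aead: not visible as a module (may still be built in)"
fi
# Detection is hard because the exploit uses ordinary syscalls; auditing
# AF_ALG socket creation (domain a0=38) is a low-cost hunting signal, noisy
# on hosts with legitimate AF_ALG users.
echo "suggested auditd rule: -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg_socket"
```

Run it as an unprivileged user on each host and inside a representative container; the container check matters because a container sees the host kernel, so a "vulnerable" kernel plus a visible algif_aead means the escape Kaspersky describes is in reach. To apply the mitigation for real, call `write_modprobe_block /etc/modprobe.d` as root, then `modprobe -r algif_aead`.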