CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV - The Hacker News
The Hacker NewsArchived May 19, 2026✓ Full text saved
CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV The Hacker News
Full text archived locally
✦ AI Summary· Claude Sonnet
CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV
Ravie LakshmananMay 03, 2026Vulnerability / Container Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a case of local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The nine-year-old flaw is also tracked as Copy Fail by Theori and Xint. Fixes have been made available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.
"Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation," CISA said in an advisory.
In a write-up published earlier this week, the researchers said Copy Fail is the result of a logic bug in the Linux kernel's authentication cryptographic template that allows an attacker to reliably trigger privilege escalation trivially by means of a 732-byte Python-based exploit. It was introduced through three separate, individually harmless changes to the Linux kernel made in 2011, 2015, and 2017.
The high-severity security vulnerability impacts Linux distributions shipped since 2017, and permits an unprivileged local user to obtain root-level access by corrupting the kernel's in-memory page cache of any readable file, including setuid binaries. This corruption could be carried out by unprivileged users and could result in code execution with root permissions.
"Because the page cache represents the in-memory version of executables, modifying it effectively alters binaries at execution time without touching disk," Google-owned Wiz said. "This enables attackers to inject code into privileged binaries (e.g., /usr/bin/su) and thereby gain root privileges."
The prevalence of Linux in cloud environments means the vulnerability has a significant impact. Kaspersky, in its analysis of the flaw, said Copy Fail poses a serious risk to containerized environments, as Docker, LXC, and Kubernetes "grant processes inside a container access to the AF_ALG subsystem if the algif_aead module is loaded into the host kernel" by default.
"Copy Fail poses a risk of breaching container isolation and gaining control over the physical machine," the Russian security vendor said. "At the same time, exploitation does not require the use of complex techniques, such as race conditions or memory address guessing, which lowers the entry barrier for a potential attacker."
"Detecting the attack is difficult because the exploit uses only legitimate system calls, which are hard to distinguish from normal application behavior."
Adding to the urgency is the availability of a fully working exploit proof-of-concept (PoC), with Kaspersky stating Go and Rust versions of the original Python implementation have already been detected in open-source repositories.
CISA did not share any details about how the vulnerability is being exploited in the wild. However, the Microsoft Defender Security Research Team said it's "seeing preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days."
"The attack vector is local (AV:L) and requires low privileges with no user interaction, meaning any unprivileged user on a vulnerable system can attempt exploitation," it added. "Critically, this vulnerability is not remotely exploitable in isolation, but becomes highly impactful when chained with an initial access vector such as Secure Shell (SSH) access, malicious CI job execution, or container footholds."
The tech giant has also detailed one possible route attackers could take to exploit the vulnerability -
Conduct reconnaissance to identify a Linux host or container running a kernel version susceptible to Copy Fail.
Prepare a small Python trigger for use against the endpoint.
Execute the exploit from a low-privilege context, either as a regular Linux user on a host or a compromised container process with no special capabilities.
Exploit performs a controlled 4‑byte overwrite in the kernel page cache, leading to corruption of sensitive kernel‑managed data.
Attacker escalates their process to UID 0 and obtain full root privileges.
Federal Civilian Executive Branch (FCEB) agencies have been advised to apply the fixes by May 15, 2026, as updates have been pushed by impacted Linux distributions. If patching is not an immediate option, organizations are recommended to disable the affected feature, implement network isolation, and apply access controls.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
Cloud security, Container Security, cybersecurity, linux, privilege escalation, Threat Intelligence, Vulnerability
⚡ Top Stories This Week
Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence
[Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud
Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws
New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages
18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation
cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access
New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
Load More ▼
⭐ Featured Resources
[eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk
Identify Internal Attack Surfaces More Efficiently With a Free Assessment
[Guide] Stop Email Fraud Before It Turns Into Ransomware Damage
[Webinar] Learn How to Handle Critical SOC Alerts With AI Support