The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Linux kernel vulnerability, dubbed “Copy Fail,” to its Known Exploited Vulnerabilities (KEV) catalog. This move signifies that the flaw, which allows local privilege escalation, is actively being exploited in the wild. The vulnerability, officially designated CVE-2026-31431, carries a CVSS score of 7.8 and enables unprivileged local users to gain root-level access on affected Linux systems.
The “Copy Fail” vulnerability, discovered by researchers at Theori and Xint, leverages a logic bug within the Linux kernel’s authentication cryptographic template. This flaw, introduced through updates between 2011 and 2017, allows attackers to corrupt the kernel’s page cache of any readable file. By altering this in-memory representation of files, including sensitive setuid binaries, an attacker can effectively modify them at execution time, leading to code execution with root privileges. Fixes for this vulnerability are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.
Linux Kernel Vulnerability Requires Urgent Patching
CISA’s inclusion of CVE-2026-31431 in its KEV catalog underscores the immediate threat posed by this local privilege escalation flaw. The vulnerability impacts various Linux distributions shipped since 2017, making a broad range of systems potentially vulnerable. The exploit is particularly concerning for cloud environments and containerized infrastructures, where Linux is dominant.
According to analysis by security vendor Kaspersky, the “Copy Fail” vulnerability presents a significant risk to container isolation. Container platforms like Docker, LXC, and Kubernetes often grant processes within containers access to the AF_ALG subsystem by default if the algif_aead module is loaded onto the host kernel. This can allow an attacker to breach container isolation and potentially gain control over the physical machine. The ease of exploitation, requiring no complex techniques like race conditions or memory address guessing, lowers the barrier to entry for threat actors.
Furthermore, detecting attacks leveraging this vulnerability is challenging. The exploit utilizes legitimate system calls, making it difficult to distinguish malicious activity from normal application behavior. The availability of fully functional exploit proof-of-concept (PoC) code, with Go and Rust versions already appearing in open-source repositories, amplifies the urgency for patching.
Exploitation Pathways and Impact
While CISA has not disclosed specific details of ongoing exploitation, the Microsoft Defender Security Research Team has observed preliminary testing activity. They anticipate increased threat actor exploitation in the coming days. The attack vector is local (AV:L), requiring only low privileges and no user interaction. However, this vulnerability is not remotely exploitable in isolation and becomes highly impactful when chained with an initial access vector, such as compromised SSH credentials, malicious CI job execution, or existing footholds in containerized environments.
Microsoft has detailed a potential exploitation route: an attacker first identifies a vulnerable Linux host or container. They then prepare a Python trigger and execute it from a low-privilege context. The exploit performs a controlled overwrite in the kernel page cache, corrupting sensitive data, which then allows the attacker’s process to escalate to UID 0 and obtain full root privileges.
Federal Civilian Executive Branch (FCEB) agencies have been directed by CISA to apply the necessary fixes by May 15, 2026, as updates have been released by impacted Linux distributions. For organizations unable to patch immediately, mitigation strategies include disabling the affected feature, implementing robust network isolation, and enforcing stringent access controls. The ongoing monitoring of exploitation patterns for this Linux kernel vulnerability will be crucial in the coming weeks.