CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 (CVSS 7.8) to KEV

Introduction

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added CVE-2026-31431 to its Known Exploited Vulnerabilities (KEV) catalog. A KEV listing means CISA has evidence of active exploitation, so organizations must address the flaw immediately. CVE-2026-31431 is a local privilege escalation (LPE) vulnerability affecting a wide range of Linux distributions.

This nine-year-old vulnerability, which researchers also track as Copy Fail, allows an unprivileged local user to obtain root access. Its inclusion in the KEV catalog means affected systems require prompt remediation, and Linux's widespread use in servers, cloud hosts and container platforms makes the exposure broad.

PurpleOps tracks critical vulnerabilities and active exploitation as part of its cyber threat intelligence platform. Understanding the technical details and potential impact of flaws like CVE-2026-31431 helps organizations maintain a strong security posture. This article details the vulnerability, how it is exploited, and the necessary mitigation steps.

What is CVE-2026-31431 and why is it critical?

CVE-2026-31431 is a local privilege escalation vulnerability in the Linux kernel, commonly referred to as Copy Fail. It matters because it allows an unprivileged local user to gain root-level access to a vulnerable system. Its CVSS score of 7.8 rates it High rather than Critical, but confirmed in-the-wild exploitation and public, reliable exploit code make the practical risk higher than the score alone suggests.

This flaw stems from a logic bug in the authenticated-encryption template of the Linux kernel's crypto subsystem, which user space reaches through the AF_ALG socket API. It was inadvertently introduced through three separate, individually harmless code changes made to the kernel in 2011, 2015, and 2017. Only in combination do these changes create a condition in which the kernel hands data across a trust boundary it should not cross (an incorrect resource transfer between spheres, CWE-669), and that condition is what the privilege escalation builds on.

Specifically, Copy Fail lets an attacker reliably corrupt the kernel's in-memory page cache for any file they can read, including sensitive system files such as setuid binaries. Because the altered pages are never written back, the on-disk file is untouched: a disk image or an offline hash looks clean, while every process that reads or executes the file through the cache receives the modified bytes. Injecting code into a privileged binary such as /usr/bin/su in this way yields root the next time the binary runs. The modification lasts only as long as the page stays cached; evicting the page or rebooting restores the on-disk content, which is also why forensic evidence of the tampering is short-lived.

The vulnerability impacts many Linux distributions shipped since 2017. Fixes have been released in the following Linux kernel versions:

  • 6.18.22
  • 6.19.12
  • 7.0

Organizations should identify whether their systems run affected kernel versions and prioritize patching or mitigation. Distribution kernels frequently backport fixes without adopting these upstream version numbers, so compare against the vendor's advisory rather than relying on uname -r alone. For more information on specific Linux kernel vulnerabilities, see previous analyses: CVE-2026-31431: Linux Privilege Escalation to Root and CVE-2026-31431: Root Access.
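A first triage pass is simply classifying the running kernel against the fixed versions listed above. The script below is an added example, not code from this article or from any distribution's tooling. It encodes only the three fixed versions the article names; any other branch is reported as "unknown" rather than "fixed" or "vulnerable", because vendor kernels backport fixes without bumping the version string and this script has no way to see that. Treatment of release candidates (7.0-rc3 counted like 7.0) is an assumption.

```python
"""Kernel-version triage for CVE-2026-31431 (Copy Fail).

Added example (not from the PurpleOps article or any vendor tool).
It encodes only the fixed versions the article lists: 6.18.22, 6.19.12, 7.0.
"""
import platform
import re

# Fixed stable versions named by the article, keyed by (major, minor) branch.
FIXED_IN = {
    (6, 18): (6, 18, 22),
    (6, 19): (6, 19, 12),
}
FIXED_MAJOR_FROM = 7  # 7.0 and anything later ships the fix

# Leading "major.minor[.patch]"; vendor suffixes (-generic, .el9, -rc3) are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release: str) -> tuple:
    """Extract (major, minor, patch) from a uname -r style string.

    A missing patch level is treated as 0, so '7.0-rc3' parses as (7, 0, 0).
    That release candidates count as 7.0 is an assumption, not an article claim.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess_release(release: str) -> str:
    """Classify a kernel release as 'fixed', 'vulnerable' or 'unknown'.

    'unknown' covers every branch the article gives no fixed version for:
    older LTS lines, pre-2017 kernels, and vendor kernels that backport the
    fix without changing the version. Those need the distribution advisory.
    """
    major, minor, patch = parse_release(release)
    if major >= FIXED_MAJOR_FROM:
        return "fixed"
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return "unknown"
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


if __name__ == "__main__":
    current = platform.release()
    print(f"{current}: {assess_release(current)}")
```

Run it on each host (or from inside a container, where platform.release() still reports the host kernel, since containers share it). An "unknown" result is a prompt to read the vendor advisory, not a pass.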

Exploitation and Impact

CVE-2026-31431 is actively exploited, as its inclusion in CISA's KEV catalog confirms. Fully working proof-of-concept (PoC) exploits are publicly available, which lowers the bar for attackers and increases the urgency of addressing this flaw.

The initial PoC was written in Python; Go and Rust ports have since appeared in open-source repositories. This rapid development and sharing of exploit code suggests wider threat-actor use. The Microsoft Defender Security Research Team has also reported preliminary observations consistent with an increase in real-world attacks.

The attack vector for CVE-2026-31431 is local (AV:L), requiring low privileges and no user interaction. This means any unprivileged user on a vulnerable system can initiate the exploitation. The vulnerability is not remotely exploitable on its own. However, its impact grows when combined with an initial access vector, such as Secure Shell (SSH) access, malicious Continuous Integration (CI) job execution, or compromised container footholds. This makes it an important component in multi-stage attacks, allowing an attacker to escalate privileges after gaining initial entry.

The exploitation process for Copy Fail typically follows these steps:

  1. Reconnaissance: Identify a Linux host or container running a kernel version vulnerable to Copy Fail.
  2. Exploit Preparation: Prepare a small Python (or Go/Rust) trigger tailored to the target kernel.
  3. Execution: Run the exploit from a low-privilege context, either as a regular Linux user on a host or from within a compromised container process that holds no special capabilities.
  4. Kernel Page Cache Corruption: The exploit performs a controlled 4-byte overwrite of a chosen page in the kernel page cache, altering the cached contents of the target file (for example, a setuid binary) without touching the on-disk copy.
  5. Privilege Escalation: The attacker runs the tampered binary and escalates to UID 0, obtaining full root privileges on the compromised system.

Linux's prevalence in cloud environments makes CVE-2026-31431 a significant risk. Kaspersky's analysis highlights its effect on containerized environments: by default, Docker, LXC, and Kubernetes configurations let processes inside a container open AF_ALG sockets whenever the algif_aead module is loaded into the host kernel. Since containers share the host kernel, that access is enough for Copy Fail exploitation, breaking container isolation and handing the attacker control of the underlying host. Identifying such breaches requires strong breach detection capabilities.
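The two preconditions the paragraph names, algif_aead loaded on the host and AF_ALG reachable from the workload, can be checked from inside the container without any privileges. The script below is an added example, not code from the article, Kaspersky, or any container runtime. The AEAD template name used for the bind is an assumption (the article does not name the exact one the exploit targets; any AEAD the kernel knows would serve this check), and the /proc/modules sample is constructed for offline testing.

```python
"""Report whether this process (host shell or container) can reach AF_ALG.

Added example, not from the article or any runtime's own tooling.
Two checks: (1) algif_aead / af_alg listed in /proc/modules,
(2) an AEAD request socket can actually be created and bound here.
"""
import errno
import socket

# Constructed sample in /proc/modules format (name size refcount users state addr).
SAMPLE_PROC_MODULES = """\
algif_aead 16384 0 - Live 0x0000000000000000
af_alg 32768 1 algif_aead, Live 0x0000000000000000
"""

# Assumed AEAD template; the article does not say which one the exploit uses.
AEAD_NAME = "authenc(hmac(sha256),cbc(aes))"


def modules_loaded(proc_modules_text: str, names=("algif_aead", "af_alg")) -> dict:
    """Parse /proc/modules text and say which of `names` appear as loaded."""
    loaded = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return {name: name in loaded for name in names}


def af_alg_state() -> str:
    """Return 'unavailable', 'blocked' or 'reachable' for AF_ALG in this context.

    unavailable: not Linux, or the kernel has no AF_ALG family at all.
    blocked:     socket() or bind() refused (seccomp/LSM policy, or the
                 kernel does not know the algorithm: ENOENT on bind).
    reachable:   an AEAD request socket was bound, which is the capability
                 Copy Fail builds on.
    Caveat: a bind can make the kernel autoload algif_aead on demand, so a
    module that is absent from /proc/modules is not necessarily unreachable.
    """
    if not hasattr(socket, "AF_ALG"):
        return "unavailable"
    try:
        s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError as e:
        return "unavailable" if e.errno == errno.EAFNOSUPPORT else "blocked"
    try:
        s.bind(("aead", AEAD_NAME))
    except OSError:
        return "blocked"
    finally:
        s.close()
    return "reachable"


if __name__ == "__main__":
    try:
        with open("/proc/modules") as f:
            print("modules:", modules_loaded(f.read()))
    except OSError:
        print("modules: /proc/modules not readable here")
    print("AF_ALG:", af_alg_state())
```

A "reachable" result inside a container that does no kernel crypto of its own is the gap to close; "blocked" is what a seccomp profile denying socket() with the AF_ALG domain produces. Because the bind may trigger module autoloading, run the reachability check only where loading algif_aead is acceptable.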

Detecting Copy Fail exploitation is difficult. The exploit uses only legitimate system calls, so its activity is hard to separate from normal application behaviour. Two signals are still worth collecting: AF_ALG socket creation by processes that have no reason to use kernel crypto (an auditd rule on the socket syscall filtered on a0=38, the AF_ALG domain number, captures this), and a mismatch between a setuid binary's cached contents and its on-disk blocks, which is the direct footprint of the page cache tampering. This stealth also complicates dark web monitoring service efforts, since discussion of the technique may surface on illicit forums only after the fact. For organizations dealing with an LPE that leads to full system compromise, real-time ransomware intelligence and a live ransomware API become essential for understanding follow-on attacks, especially where root access is used to deploy ransomware.
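The cache-versus-disk comparison mentioned above follows directly from how the page cache works: a normal read is served from the cache and therefore returns whatever Copy Fail planted, while an O_DIRECT read bypasses the cache and returns the blocks actually on disk. The script below is an added example, not the article's code nor any vendor's tool. The 1 MiB chunk size is an arbitrary choice; the set of directories scanned for setuid files is an assumption about a typical layout.

```python
"""Compare a file's page-cache contents with its on-disk blocks.

Added example (not from the article). A mismatch on a file nobody is
writing, such as a setuid binary, indicates cache-only tampering of the
kind the article describes. The kernel writes dirty pages back before
serving a direct read, so a legitimate in-progress write does not trip
this; pages altered without being marked dirty (the "no trace on disk"
case) are never written back and so differ from the disk blocks.
"""
import errno
import hashlib
import mmap
import os
import stat

CHUNK = 1 << 20  # arbitrary; O_DIRECT needs block-aligned buffer and length


def _hash_fd(fd: int) -> str:
    """sha256 of everything readable from fd, using a page-aligned buffer."""
    h = hashlib.sha256()
    buf = mmap.mmap(-1, CHUNK)  # anonymous mapping: page-aligned, as O_DIRECT requires
    try:
        while True:
            n = os.readv(fd, [buf])
            if n == 0:
                break
            h.update(buf[:n])
    finally:
        buf.close()
    return h.hexdigest()


def hash_via_cache(path: str) -> str:
    """Hash the file the way every ordinary reader sees it: through the page cache."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return _hash_fd(fd)
    finally:
        os.close(fd)


def hash_via_disk(path: str):
    """Hash the on-disk blocks with O_DIRECT; None if the filesystem refuses (tmpfs etc.)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except OSError as e:
        if e.errno == errno.EINVAL:
            return None
        raise
    try:
        return _hash_fd(fd)
    except OSError as e:
        if e.errno == errno.EINVAL:
            return None
        raise
    finally:
        os.close(fd)


def cache_matches_disk(path: str):
    """True if cache and disk agree, False if they differ, None if untestable here."""
    disk = hash_via_disk(path)
    if disk is None:
        return None
    return hash_via_cache(path) == disk


def find_setuid(dirs=("/usr/bin", "/usr/sbin", "/bin", "/sbin")) -> list:
    """List setuid/setgid regular files under the given directories (assumed layout)."""
    found = []
    for d in dirs:
        try:
            entries = os.listdir(d)
        except OSError:
            continue
        for name in entries:
            p = os.path.join(d, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(p)
    return sorted(set(found))


if __name__ == "__main__":
    for p in find_setuid():
        print(f"{p}: {cache_matches_disk(p)}")
```

A False result on a setuid binary deserves an immediate memory-side investigation, and the evidence is volatile: once the page is evicted the mismatch disappears, so capture the cached copy (hash_via_cache, or a raw read) before anything that might drop caches. A None result means the filesystem does not support direct I/O, in which case the check has to run on the underlying block device or from the host.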

Mitigation and Patches

Applying the available patches immediately is the most effective mitigation for CVE-2026-31431. Affected Linux distributions have pushed updates to address this vulnerability. Organizations should prioritize updating their Linux kernel to one of the fixed versions:

  • Linux kernel 6.18.22
  • Linux kernel 6.19.12
  • Linux kernel 7.0

CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply these fixes by May 15, 2026. This deadline shows the vulnerability's critical nature and the urgency of its remediation. Timely patching is vital for supply-chain risk monitoring, ensuring that underlying components do not introduce exploitable weaknesses.

If immediate patching is not feasible, organizations can implement several workarounds to reduce exposure to CVE-2026-31431:

  • Disable the affected feature: The access path described above runs through AF_ALG and the algif_aead module. Where the kernel builds algif_aead as a loadable module, preventing it from loading (a modprobe.d rule of the form install algif_aead /bin/false, plus unloading it if it is already loaded) closes that path; a kernel with the code built in cannot be hardened this way, and the exact kernel component the fix touches is not detailed in the source. For container workloads, a seccomp profile that denies the socket syscall for the AF_ALG domain achieves the same without changing the host. Confirm first that no legitimate workload (for example, software that uses the kernel crypto API for TLS or disk encryption) depends on it.
  • Implement network isolation: Restricting network access to vulnerable systems limits the initial access vectors an attacker could chain with Copy Fail, which matters most for containerized workloads that are reachable from untrusted networks.
  • Apply stringent access controls: Ensuring that only necessary users have local access to Linux systems, and enforcing least privilege for CI runners and container workloads, reduces the number of contexts from which the local exploit can be launched.

Organizations should also regularly scan their environments for vulnerabilities and use a cyber threat intelligence platform to stay informed about newly disclosed and actively exploited flaws. Proactive breach detection systems are also important for identifying exploitation attempts that bypass preventative measures. The same approach covers underground forum intelligence, where new exploit variants may be discussed even though the CVE-2026-31431 PoCs themselves surfaced in open-source repositories. Regularly auditing and updating systems, especially those in critical infrastructure or containerized deployments, is essential to prevent local privilege escalation.

Technical Takeaways

  • CVE-2026-31431 (CVSS 7.8), known as Copy Fail, is a local privilege escalation flaw in the Linux kernel.
  • It allows unprivileged local users to gain root access by corrupting the kernel's in-memory page cache.
  • The vulnerability is actively exploited, with PoCs available in Python, Go, and Rust.
  • Affected Linux kernel versions since 2017 require updates to 6.18.22, 6.19.12, or 7.0.
  • Impact extends to cloud and containerized environments due to default access to the AF_ALG subsystem.
  • Exploitation involves a low-privilege local attack and can be chained with initial access vectors like SSH or container footholds.