The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw affecting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a Local Privilege Elevation (LPE) flaw that could allow an unprivileged local user to obtain root. The nine-year-old flaw has also been named Copy Fail by Theory and Zint. Fixes are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.
“The vulnerability in the Linux kernel involves incorrect resource transfer between areas that could allow privilege escalation,” CISA said in an advisory.
In an article published earlier this week, researchers said Copy Fail is the result of a logic bug in the Linux kernel’s authentication cryptographic template that allows an attacker to trigger privilege escalation via a 732-byte Python-based exploit. It was introduced through three separate, individually harmless changes to the Linux kernel in 2011, 2015, and 2017.
The high-severity security vulnerability affects Linux distributions shipped since 2017 and allows an unprivileged local user to gain root-level access by corrupting the kernel’s in-memory page cache of any readable file, including setuid binaries. This corruption can be performed by unprivileged users and results in code execution with root permissions.
Google-owned Wiz said, “Since the page cache represents an in-memory version of the executable, modifying it effectively replaces the binaries at the time of execution without touching the disk. This enables attackers to inject code into unprivileged binaries (for example, /usr/bin/su) and thereby gain root privileges.”
The prevalence of Linux in cloud environments means that such vulnerabilities have significant implications. Kaspersky said in its analysis of the flaw that Copy Fail poses a serious threat to containerized environments, because Docker, LXC and Kubernetes by default “provide access to the AF_ALG subsystem to processes inside the container if the algif_add module is loaded into the host kernel”.
“Copy Fail creates a risk of breaking container isolation and gaining control of the physical machine,” the Russian security vendor said. “At the same time, the exploit does not require the use of complex techniques, such as race conditions or memory address guessing, which lowers the entry barrier for a potential attacker.”
“The attack is difficult to detect because the exploit uses only legitimate system calls, which are difficult to distinguish from normal application behavior.”
Adding to the urgency is the availability of a fully working proof-of-concept (PoC) exploit: Kaspersky said that Go and Rust ports of the original Python implementation have already been found in open-source repositories.
CISA did not share any details about how the vulnerability was being exploited in the wild. However, the Microsoft Defender Security Research team said it is seeing “initial testing activity that is likely to result in increased threat actor exploitation over the next few days.”
“The attack vector is local (AV:L) and requires minimal privileges, with no user interaction, meaning any unprivileged user on a vulnerable system can attempt exploitation,” it said. “Critically, this vulnerability is not remotely exploitable in isolation, but becomes highly impactful when chained with an initial access vector such as Secure Shell (SSH) access, malicious CI job execution, or a container foothold.”
The tech giant has also outlined a possible route that attackers could take to exploit the vulnerability:
- Conduct reconnaissance to identify Linux hosts or containers running kernel versions vulnerable to Copy Fail.
- Create a small Python trigger for use against the endpoint.
- Execute the exploit from a low-privilege context, either as a regular Linux user on the host or as a compromised container process without any special capabilities.
- The exploit causes a controlled 4‑byte overwrite in the kernel page cache, corrupting sensitive kernel‑managed data.
- The attacker elevates its process to UID 0 and gains full root privileges.
Federal Civilian Executive Branch (FCEB) agencies have been advised to apply the fix by May 15, 2026, as the updates are rolled out by the affected Linux distributions. If patching is not an immediate option, organizations are recommended to disable the affected feature, enforce network isolation, and implement access controls.
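As an added triage example (not code from the article or from any vendor quoted in it), the POSIX shell helper below compares a running kernel against the fixed versions the article lists and checks whether the AF_ALG AEAD module is loaded, printing the modprobe-based workaround if it is. The module name algif_aead is an assumption (the article prints it as algif_add), and distribution kernels that backport the fix without bumping the version will be reported conservatively as not known fixed.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-31431 (Copy Fail); not from the article or any vendor.
# Assumptions: upstream fixed kernels are 6.18.22, 6.19.12 and 7.0 (from the article);
# the AF_ALG AEAD module is assumed to be "algif_aead" (article prints "algif_add");
# backported distro fixes are NOT detected here, so confirm with the vendor advisory.

# is_fixed_kernel VERSION: exit 0 if VERSION is at or above an upstream fixed
# release, 1 otherwise. Accepts "6.18.22-generic" and two-part versions like "7.0".
is_fixed_kernel() {
    v=${1%%-*}                            # drop "-generic", "-arch1", ...
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # "7.0" and "6.18" carry no patch level
    patch=${patch%%[!0-9]*}               # strip "+", "rc" and similar suffixes
    [ -z "$patch" ] && patch=0
    [ "$major" -ge 7 ] && return 0
    [ "$major" -eq 6 ] && [ "$minor" -eq 19 ] && [ "$patch" -ge 12 ] && return 0
    [ "$major" -eq 6 ] && [ "$minor" -eq 18 ] && [ "$patch" -ge 22 ] && return 0
    return 1                              # older branches: treat as not known fixed
}

# module_loaded NAME: exit 0 if NAME is listed as a loaded module in /proc/modules.
module_loaded() {
    [ -r /proc/modules ] && grep -q "^$1 " /proc/modules
}

# triage VERSION: print the kernel verdict and, if the AF_ALG module is loaded on
# the host, the "disable the affected feature" workaround the article mentions.
triage() {
    if is_fixed_kernel "$1"; then
        echo "kernel $1: at or above an upstream fixed release"
    else
        echo "kernel $1: NOT known fixed for CVE-2026-31431 (check vendor backports)"
    fi
    if module_loaded "$AF_ALG_MODULE"; then
        echo "module $AF_ALG_MODULE is loaded: container workloads may reach AF_ALG"
        echo "workaround until patched (as root):"
        echo "  echo 'install $AF_ALG_MODULE /bin/false' > /etc/modprobe.d/copyfail.conf"
        echo "  rmmod $AF_ALG_MODULE"
    fi
}

AF_ALG_MODULE=algif_aead                  # assumption, see header comment
triage "$(uname -r)"
```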