{"id":787,"date":"2026-05-03T07:04:02","date_gmt":"2026-05-03T07:04:02","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=787"},"modified":"2026-05-03T07:04:02","modified_gmt":"2026-05-03T07:04:02","slug":"cisa-adds-actively-exploited-linux-root-access-bug-cve-2026-31431-to-kev","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=787","title":{"rendered":"CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>May 03, 2026<\/span><\/span>Vulnerability \/ Container Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added<\/a> a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV<\/a>) catalog, citing evidence of active exploitation in the wild.<\/p>\n

The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a case of local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The nine-year-old flaw is also tracked as Copy Fail<\/strong> by Theori and Xint. Fixes have been made available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.<\/p>\n

\u00abLinux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation,\u00bb CISA said in an advisory.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

In a write-up published earlier this week, the researchers said Copy Fail<\/a> is the result of a logic bug in the Linux kernel’s authentication cryptographic template that allows an attacker to reliably trigger privilege escalation trivially by means of a 732-byte Python-based exploit. It was introduced through three separate, individually harmless changes to the Linux kernel made in 2011, 2015, and 2017.<\/p>\n

The high-severity security vulnerability impacts<\/a> Linux distributions shipped since 2017, and permits an unprivileged local user to obtain root-level access by corrupting the kernel’s in-memory page cache<\/a> of any readable file, including setuid binaries. This corruption could be carried out by unprivileged users and could result in code execution with root permissions.<\/p>\n

\u00abBecause the page cache represents the in-memory version of executables, modifying it effectively alters binaries at execution time without touching disk,\u00bb Google-owned Wiz said<\/a>. \u00abThis enables attackers to inject code into privileged binaries (e.g., \/usr\/bin\/su) and thereby gain root privileges.\u00bb<\/p>\n

The prevalence of Linux in cloud environments means the vulnerability has a significant impact. Kaspersky, in its analysis of the flaw, said Copy Fail poses a serious risk to containerized environments, as Docker, LXC, and Kubernetes \u00abgrant processes inside a container access to the AF_ALG subsystem if the algif_aead module is loaded into the host kernel\u00bb by default.<\/p>\n

\"\"<\/a><\/div>\n

\u00abCopy Fail poses a risk of breaching container isolation and gaining control over the physical machine,\u00bb the Russian security vendor said<\/a>. \u00abAt the same time, exploitation does not require the use of complex techniques, such as race conditions or memory address guessing, which lowers the entry barrier for a potential attacker.\u00bb<\/p>\n

\u00abDetecting the attack is difficult because the exploit uses only legitimate system calls, which are hard to distinguish from normal application behavior.\u00bb<\/p>\n

Adding to the urgency is the availability of a fully working exploit proof-of-concept (PoC), with Kaspersky stating Go and Rust versions of the original Python implementation have already been detected in open-source repositories.\u00a0<\/p>\n

CISA did not share any details about how the vulnerability is being exploited in the wild. However, the Microsoft Defender Security Research Team said it’s \u00abseeing preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days.\u00bb<\/p>\n

\u00abThe attack vector is local (AV:L) and requires low privileges with no user interaction, meaning any unprivileged user on a vulnerable system can attempt exploitation,\u00bb it added<\/a>. \u00abCritically, this vulnerability is not remotely exploitable in isolation, but becomes highly impactful when chained with an initial access vector such as Secure Shell (SSH) access, malicious CI job execution, or container footholds.\u00bb<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The tech giant has also detailed one possible route attackers could take to exploit the vulnerability –<\/p>\n

    \n
  • Conduct reconnaissance to identify a Linux host or container running a kernel version susceptible to Copy Fail.<\/li>\n
  • Prepare a small Python trigger for use against the endpoint.<\/li>\n
  • Execute the exploit from a low-privilege context, either as a regular Linux user on a host or a compromised container process with no special capabilities.<\/li>\n
  • Exploit performs a controlled 4\u2011byte overwrite in the kernel page cache, leading to corruption of sensitive kernel\u2011managed data.<\/li>\n
  • Attacker escalates their process to UID 0 and obtain full root privileges.<\/li>\n<\/ul>\n

    Federal Civilian Executive Branch (FCEB) agencies have been advised to apply the fixes by May 15, 2026, as updates have been pushed by impacted Linux distributions. If patching is not an immediate option, organizations are recommended to disable the affected feature, implement network isolation, and apply access controls.\u00a0<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

    \ue804Ravie Lakshmanan\ue802May 03, 2026Vulnerability \/ Container Security The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known…<\/p>\n","protected":false},"author":1,"featured_media":788,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[130,201,200,610,62,1507,128,203,181,61],"class_list":["post-787","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-access","tag-actively","tag-adds","tag-bug","tag-cisa","tag-cve202631431","tag-exploited","tag-kev","tag-linux","tag-root"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/787","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=787"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/787\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/788"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=787"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=787"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=787"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}