The U.S. Cybersecurity and Infrastructure Security Agency on Friday added a known exploited vulnerability advisory for CVE-2026-31431, a Linux kernel flaw that can let a local user gain root access, after citing evidence of active exploitation in the wild.
KEY FACTS
- Vulnerability CVE-2026-31431 is a local privilege escalation flaw in the Linux kernel with a CVSS score of 7.8.
- Impact An unprivileged local user could obtain root-level access and potentially execute code with root permissions.
- Fixes Patches are available in Linux kernel versions 6.18.22, 6.19.12 and 7.0.
- Scope The issue affects Linux distributions shipped since 2017 and is also referred to as Copy Fail.
- Deadline Federal Civilian Executive Branch agencies were told to apply fixes by May 15, 2026.
A technical analysis from CERT-EU said the flaw stems from a logic bug in the Linux kernel’s authentication cryptographic template. The report said the bug can be triggered with a 732-byte Python exploit and was introduced through separate changes in 2011, 2015 and 2017.
The disclosure said the vulnerability can corrupt the kernel page cache of readable files, including setuid binaries, which can allow attackers to alter code in memory before execution. Kaspersky said the issue may also threaten containerized environments because processes inside containers can access the AF_ALG subsystem if the algif_aead module is loaded in the host kernel.
Microsoft said it has seen preliminary testing activity and warned that threat actors may increase exploitation in the coming days. The company said the attack is local and not remotely exploitable on its own, but it could become more serious when paired with access gained through SSH, malicious CI jobs or container footholds.
System operators are being urged to patch vulnerable hosts or disable the affected feature if updates are not possible. Network isolation and access controls were also recommended for systems that cannot be updated right away.
WHY IT MATTERS
Linux is widely used in cloud and container environments, so a flaw that can turn a low-privilege local user into root can have broad operational impact. The presence of working exploit code and signs of active abuse raise the urgency for patching affected systems.

