The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw affecting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The nine-year-old flaw is also tracked as Copy Fail by Theori and Xint. Fixes have been made available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.
“Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation,” CISA said in an advisory.
In a write-up published earlier this week, the researchers said Copy Fail is the result of a logic bug in the Linux kernel’s authentication cryptographic template that allows an attacker to reliably trigger privilege escalation trivially via a 732-byte Python-based exploit. It was introduced via three separate, individually harmless changes to the Linux kernel made in 2011, 2015, and 2017.
The high-severity security vulnerability affects Linux distributions shipped since 2017, and allows an unprivileged local user to obtain root-level access by corrupting the kernel’s in-memory page cache of any readable file, including setuid binaries. This corruption can be performed by unprivileged users and can result in code execution with root permissions.
“Because the page cache represents the in-memory version of executables, modifying it effectively alters binaries at execution time without touching disk,” Google-owned Wiz said. “This enables attackers to inject code into privileged binaries (e.g., /usr/bin/su) and thereby gain root privileges.”
The prevalence of Linux in cloud environments means the vulnerability has a significant impact. Kaspersky, in its analysis of the flaw, said Copy Fail poses a serious risk to containerized environments, as Docker, LXC, and Kubernetes “grant processes inside a container access to the AF_ALG subsystem if the algif_aead module is loaded into the host kernel” by default.

“Copy Fail poses a risk of breaching container isolation and gaining control over the physical machine,” the Russian security vendor said. “At the same time, exploitation does not require the use of complex techniques, such as race conditions or memory address guessing, which lowers the entry barrier for a potential attacker.”
“Detecting the attack is difficult because the exploit uses only legitimate system calls, which are hard to distinguish from normal application behavior.”
Adding to the urgency is the availability of a fully working exploit proof-of-concept (PoC), with Kaspersky noting that Go and Rust versions of the original Python implementation have already been detected in open-source repositories.
CISA did not share any details about how the vulnerability is being exploited in the wild. However, the Microsoft Defender Security Research Team said it is “seeing initial testing activity that will most likely result in increased threat actor exploitation over the next few days.”
“The attack vector is local (AV:L) and requires low privileges with no user interaction, meaning any unprivileged user on a vulnerable system can attempt exploitation,” it added. “Critically, this vulnerability is not remotely exploitable in isolation, but becomes highly impactful when chained with an initial access vector such as Secure Shell (SSH) access, malicious CI job execution, or container footholds.”
The tech giant has also detailed one possible route attackers could take to exploit the vulnerability:
- Conduct reconnaissance to identify a Linux host or container running a kernel version susceptible to Copy Fail.
- Prepare a small Python trigger for use against the endpoint.
- Execute the exploit from a low-privilege context, either as a regular Linux user on a host or as a compromised container process with no special capabilities.
- The exploit performs a controlled 4-byte overwrite in the kernel page cache, leading to corruption of sensitive kernel-managed data.
- The attacker escalates their process to UID 0 and obtains full root privileges.
Federal Civilian Executive Branch (FCEB) agencies have been advised to apply the fixes by May 15, 2026, as updates are pushed by impacted Linux distributions. If patching is not an immediate option, organizations are recommended to disable the affected feature, implement network isolation, and apply access controls.
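The following script is an added example written for this page, not code from the article, CISA, or any of the vendors quoted; it turns the triage and mitigation points above (the fixed kernel versions listed earlier, Kaspersky's note that container exposure depends on the algif_aead module being loaded, and the recommendation to disable the affected feature when patching is not immediately possible) into checks a defender can run on a host. Assumptions, labelled as such: the "affected feature" is taken to be the algif_aead module, because that is the component the article ties to exposure; the version logic knows only the three upstream fixed versions the article names, so anything in an older series is reported as "unknown" rather than "vulnerable", since distributions usually backport fixes without changing the upstream version string; the function names and the audit key are this example's own choices. The audit rule relies on AF_ALG having the numeric value 38 on Linux.

```shell
#!/bin/sh
# Added example: triage a Linux host for the Copy Fail (CVE-2026-31431) advisory
# using only facts stated in the article. Not vendor code; see assumptions below.

# kernel_fix_status VERSION -> prints: fixed | vulnerable | unknown
# Compares an upstream-style version string against the fixed releases the
# article lists (6.18.22, 6.19.12, 7.0). Distribution suffixes ("-generic",
# "-amd64", "-rc1") are stripped first.
kernel_fix_status() {
    ver=${1%%-*}
    IFS=. read -r major minor patch <<EOF
$ver
EOF
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -ge 7 ]; then
        echo fixed                                        # 7.0 and later
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 19 ]; then
        [ "$patch" -ge 12 ] && echo fixed || echo vulnerable
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 18 ]; then
        [ "$patch" -ge 22 ] && echo fixed || echo vulnerable
    else
        # Other series (e.g. 5.x, 6.1) are not on the article's list; distros
        # backport fixes without bumping the version, so consult their advisory.
        echo unknown
    fi
}

# algif_aead_loaded -> exit 0 if the module is loaded (or built in and exposed
# in sysfs), 1 otherwise. Per Kaspersky, container workloads can reach AF_ALG
# only when this module is present in the host kernel.
algif_aead_loaded() {
    { [ -r /proc/modules ] && grep -q '^algif_aead ' /proc/modules; } ||
        [ -d /sys/module/algif_aead ]
}

# write_algif_aead_blacklist PATH -> writes a modprobe.d(5) drop-in (assumed
# mitigation, this example's interpretation of "disable the affected feature").
# "blacklist" stops alias-based autoloading when a process opens an AF_ALG
# socket of type "aead"; "install ... /bin/false" stops explicit modprobe.
# It does not unload an already-loaded module and cannot remove a built-in one.
write_algif_aead_blacklist() {
    printf 'blacklist algif_aead\ninstall algif_aead /bin/false\n' > "$1"
}

# write_af_alg_audit_rule PATH -> writes an auditd rule that records every
# socket(AF_ALG, ...) call on x86_64 (a0 is the first syscall argument; AF_ALG
# is 38). The quoted exploit uses only legitimate syscalls, so this does not
# identify an attack by itself; baseline which workloads legitimately use
# AF_ALG first, then alert on new callers, especially inside containers.
write_af_alg_audit_rule() {
    printf -- '-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg_socket\n' > "$1"
}

# report -> prints the host's status; used when the script is run directly.
report() {
    running=$(uname -r)
    echo "kernel $running: $(kernel_fix_status "$running")"
    if algif_aead_loaded; then
        echo "algif_aead: present (AF_ALG AEAD interface reachable)"
    else
        echo "algif_aead: not present"
    fi
}

report
```

Run it as an ordinary user for the report; installing the generated fragments under /etc/modprobe.d/ and /etc/audit/rules.d/ needs root, and the modprobe drop-in will also block legitimate software that relies on the kernel's AF_ALG AEAD interface, so check for such users before deploying it fleet-wide.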