
Exploitation of ‘Copy Fail’ Linux Vulnerability Begins

Threat actors are exploiting a recently disclosed Linux kernel vulnerability leading to root shell access, the US cybersecurity agency CISA warns.

Tracked as CVE-2026-31431 and dubbed Copy Fail, the security defect lurked for nearly a decade, impacting all Linux distributions since 2017.

Affecting the kernel’s authencesn AEAD template, the bug allows authenticated attackers with code execution privileges to modify the page cache of readable setuid-root binaries to elevate privileges to root.

Copy Fail was disclosed on April 29, and CISA added it to its Known Exploited Vulnerabilities (KEV) catalog on Friday, urging federal agencies to patch it within two weeks.

While CISA has not shared details on the observed exploitation, Microsoft said on Friday that it has observed only limited in-the-wild exploitation, primarily surrounding proof-of-concept (PoC) testing.

However, the tech giant warns that, despite the minimal current activity targeting it, CVE-2026-31431 has broad applicability, and a working PoC exploit has been released, which should raise concern among defenders.


“Successful exploitation results in full root privilege escalation (high impact to confidentiality, integrity, and availability) and will facilitate container breakout, multi-tenant compromise, and lateral movement inside shared environments,” Microsoft notes.

“Its reliability, stealth (in-memory-only modification), and cross-platform applicability make it notably harmful in cloud, CI/CD, and Kubernetes environments the place untrusted code execution is widespread,” the company says.

Copy Fail, Microsoft warns, can be exploited by any local, unprivileged user, and can be chained with Secure Shell (SSH) access, malicious CI jobs, or access to containers to achieve root shell access.

An attack chain would begin with reconnaissance to identify a container running a vulnerable kernel and proceed with the execution of a small script to overwrite in-memory data and elevate privileges.

According to Microsoft, organizations should prioritize identifying potentially vulnerable machines in their environments, apply patches, isolate the systems, apply access controls, and review logs for signs of exploitation.
