May 3, 2026

Ravie Lakshmanan | May 03, 2026 | Vulnerability / Container Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The nine-year-old flaw is also tracked as Copy Fail by Theori and Xint. Fixes have been made available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.

“Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation,” CISA said in an advisory.

In a write-up published earlier this week, the researchers said Copy Fail is the result of a logic bug in the Linux kernel’s authentication cryptographic template that allows an attacker to reliably and trivially trigger privilege escalation via a 732-byte Python-based exploit. It was introduced through three separate, individually harmless changes to the Linux kernel made in 2011, 2015, and 2017.

The high-severity security vulnerability affects Linux distributions shipped since 2017, and allows an unprivileged local user to obtain root-level access by corrupting the kernel’s in-memory page cache of any readable file, including setuid binaries. This corruption could be carried out by unprivileged users and could result in code execution with root permissions.

“Because the page cache represents the in-memory version of executables, modifying it effectively alters binaries at execution time without touching disk,” Google-owned Wiz said. “This allows attackers to inject code into privileged binaries (e.g., /usr/bin/su) and thereby obtain root privileges.”

The prevalence of Linux in cloud environments means the vulnerability has a significant impact. Kaspersky, in its analysis of the flaw, said Copy Fail poses a serious risk to containerized environments, as Docker, LXC, and Kubernetes “grant processes inside a container access to the AF_ALG subsystem if the algif_aead module is loaded into the host kernel” by default.

“Copy Fail poses a risk of breaching container isolation and gaining control over the physical machine,” the Russian security vendor said. “At the same time, exploitation does not require the use of complex techniques, such as race conditions or memory address guessing, which lowers the entry barrier for a potential attacker.”

“Detecting the attack is difficult because the exploit uses only legitimate system calls, which are hard to distinguish from normal application behavior.”

Adding to the urgency is the availability of a fully working exploit proof-of-concept (PoC), with Kaspersky stating that Go and Rust versions of the original Python implementation have already been detected in open-source repositories.

CISA did not share any details about how the vulnerability is being exploited in the wild. However, the Microsoft Defender Security Research Team said it is “seeing initial testing activity which may, more than likely, result in increased threat actor exploitation over the next few days.”

“The attack vector is local (AV:L) and requires low privileges with no user interaction, meaning any unprivileged user on a vulnerable system can attempt exploitation,” it added. “Critically, this vulnerability is not remotely exploitable in isolation, but becomes highly impactful when chained with an initial access vector such as Secure Shell (SSH) access, malicious CI job execution, or container footholds.”

The tech giant has also detailed one potential route attackers could take to exploit the vulnerability:

  • Conduct reconnaissance to identify a Linux host or container running a kernel version susceptible to Copy Fail.
  • Prepare a small Python trigger for use against the endpoint.
  • Execute the exploit from a low-privilege context, either as a regular Linux user on a host or as a compromised container process with no special capabilities.
  • The exploit performs a controlled 4-byte overwrite in the kernel page cache, leading to corruption of sensitive kernel-managed data.
  • The attacker escalates their process to UID 0 and obtains full root privileges.

Federal Civilian Executive Branch (FCEB) agencies have been advised to apply the fixes by May 15, 2026, as updates have been pushed by impacted Linux distributions. If patching is not an immediate option, organizations are recommended to disable the affected feature, implement network isolation, and apply access controls.
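As an added example, not part of the article or any vendor's tooling, the following POSIX shell triage script checks a host against the fixed kernel versions the article names and reports whether the algif_aead module that exposes the AF_ALG path is loaded; the modprobe.d file path and the "unknown" classification for kernel series the article does not list are assumptions.

```shell
#!/bin/sh
# Added defender-side triage for CVE-2026-31431 ("Copy Fail"); not from the
# article or any vendor. Fixed upstream versions named in the article:
# 6.18.22, 6.19.12, 7.0. The modprobe.d path below is an assumption.

# Classify a kernel release string (as printed by `uname -r`).
# Prints: fixed | vulnerable | unknown. "unknown" covers series the
# article does not list (e.g. 5.x or 6.1 LTS), where distribution
# backports must be checked against the vendor advisory instead.
copyfail_status() {
    v=$(printf '%s' "$1" | sed 's/[-+].*//')    # drop "-91-generic", "+" suffixes
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0           # "7.0" has no patch field
    patch=${patch%%.*}                          # "6.18.21.1" -> 21
    case "$major.$minor" in
        6.18) [ "$patch" -ge 22 ] && echo fixed || echo vulnerable ;;
        6.19) [ "$patch" -ge 12 ] && echo fixed || echo vulnerable ;;
        *)    [ "$major" -ge 7 ] && echo fixed || echo unknown ;;
    esac
}

# True (exit 0) when algif_aead is currently loaded as a module. A kernel
# with it built in (CONFIG_CRYPTO_USER_API_AEAD=y) will not show up here.
algif_aead_loaded() {
    grep -q '^algif_aead ' /proc/modules 2>/dev/null
}

# The modprobe override that refuses to load algif_aead, including any
# on-demand autoload the kernel may attempt when AF_ALG is used; a module
# that is already loaded still has to be removed with rmmod.
algif_aead_block_rule() {
    echo 'install algif_aead /bin/false'
}

main() {
    kver=$(uname -r)
    echo "kernel $kver: $(copyfail_status "$kver")"
    if algif_aead_loaded; then
        echo "algif_aead is loaded: the AF_ALG path is reachable from containers"
    else
        echo "algif_aead not loaded now, but the kernel may autoload it on demand"
    fi
    echo "interim mitigation if patching must wait (assumed path):"
    echo "  echo '$(algif_aead_block_rule)' > /etc/modprobe.d/copyfail.conf && rmmod algif_aead"
}
main
```

A version-only verdict is not conclusive on distribution kernels that backport fixes, so treat "unknown" as a prompt to consult the vendor advisory rather than as a clean bill of health.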