
CISA Warns of Actively Exploited Linux Root Access Bug


CVE-2026-31431 — a nine-year-old Linux kernel bug that researchers say can be triggered by a 732-byte Python-based exploit — was added Friday to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog after evidence of active exploitation in the wild.

CVE-2026-31431 (Copy Fail): what the bug does

The vulnerability, tracked as CVE-2026-31431 with a CVSS score of 7.8, is a local privilege escalation (LPE) flaw that “could allow an unprivileged local user to obtain root,” CISA said in its advisory. Researchers who named the flaw Copy Fail (Theori and Xint) describe it as a logic bug in the Linux kernel’s authentication cryptographic template. According to their write-up, the flaw was introduced via three separate kernel changes made in 2011, 2015, and 2017.

Copy Fail permits an unprivileged user to corrupt the kernel’s in-memory page cache of any readable file — including setuid binaries — and thereby achieve code execution with root permissions. As Google-owned Wiz explained, “because the page cache represents the in-memory version of executables, modifying it effectively alters binaries at execution time without touching disk,” enabling attackers to inject code into privileged binaries such as /usr/bin/su.

Evidence of exploitation and attacker activity

CISA added the bug to its KEV catalog citing evidence of active exploitation. The agency did not provide technical details about specific intrusions. The Microsoft Defender Security Research Team reported “preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days,” and warned that the exploit vector is local (AV:L), requires low privileges, and needs no user interaction.

Microsoft also outlined a likely attack route: reconnaissance to find a vulnerable kernel, preparing a small Python trigger, executing the exploit from a low‑privilege context (host user or compromised container process), a controlled 4‑byte overwrite in the kernel page cache that corrupts kernel‑managed data, followed by escalation to UID 0 to obtain root privileges.

Cloud and container risk: Kaspersky’s analysis

Security vendor Kaspersky emphasized the vulnerability’s significance for cloud environments. Kaspersky said Copy Fail “poses a risk of breaching container isolation and gaining control over the physical machine.” The company noted Docker, LXC, and Kubernetes “grant processes inside a container access to the AF_ALG subsystem if the algif_aead module is loaded into the host kernel” by default — a configuration that can lower the barrier for exploitation inside containers.

Kaspersky added that exploitation “does not require the use of complex techniques, such as race conditions or memory address guessing,” and that detection is difficult “because the exploit uses only legitimate system calls, which are hard to distinguish from normal application behavior.”

Exploit availability, detection challenges, and fixes

Researchers published a working proof-of-concept; Kaspersky said Go and Rust versions of the original Python implementation have already been detected in open-source repositories. That availability, combined with the low technical barrier described by vendors, is a driver of the urgency surrounding mitigation.

Fixes have been released in Linux kernel versions 6.18.22, 6.19.12, and 7.0. CISA’s advisory directed Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by May 15, 2026. For organizations unable to patch immediately, CISA recommended disabling the affected feature, implementing network isolation, and applying access controls.

What this means for FCEB agencies, cloud operators, and security teams

  • FCEB agencies: apply the kernel fixes by May 15, 2026, per CISA guidance; if patching is not possible, use the recommended compensating controls (disable the feature, network isolation, access controls).
  • Cloud and container operators: prioritize assessing whether the host kernel loads algif_aead and whether containers have access to AF_ALG; Kaspersky’s analysis highlights that default container configurations can expose the AF_ALG subsystem to contained processes.
  • Security teams and defenders: watch for public PoCs in Python, Go, and Rust repositories and treat attempts that leverage local access or container footholds as high risk because the vulnerability can be chained with initial access methods such as SSH, malicious CI job execution, or container compromise.
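As an added defensive triage helper for the fixes and the algif_aead/AF_ALG points above (example code, not from the article, CISA, or any of the quoted vendors), the following script compares a kernel release with the fixed versions the article names, reports whether algif_aead is loaded or built in, and prints the modprobe stanza that blocks it from loading. Treating the AF_ALG AEAD module as the "affected feature" and treating other 6.x series as vendor-dependent are assumptions.

```shell
#!/bin/sh
# Added example (not from the article, CISA or the quoted vendors): a triage
# helper for CVE-2026-31431 "Copy Fail". Fixed versions are those the article
# names (6.18.22, 6.19.12, 7.0); mapping "affected feature" to the algif_aead
# module is an assumption, as is treating other 6.x series as vendor-dependent.

# assess_kernel <release>: prints fixed, vulnerable or check-vendor.
assess_kernel() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    pat=${pat%%[!0-9]*}          # "21-generic" -> "21"
    [ -n "$pat" ] || pat=0
    if [ "$maj" -ge 7 ]; then
        echo fixed
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 18 ]; then
        [ "$pat" -ge 22 ] && echo fixed || echo vulnerable
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 19 ]; then
        [ "$pat" -ge 12 ] && echo fixed || echo vulnerable
    else
        echo check-vendor        # older series: confirm distro backport status
    fi
}

# aead_module_state [release]: loaded (blockable), builtin (needs a new
# kernel), or absent. Reads /proc/modules and the modules.builtin list.
aead_module_state() {
    rel=${1:-$(uname -r)}
    if grep -q '^algif_aead ' /proc/modules 2>/dev/null; then
        echo loaded
    elif grep -q 'algif_aead' "/lib/modules/$rel/modules.builtin" 2>/dev/null; then
        echo builtin
    else
        echo absent
    fi
}

# modprobe_block_stanza: content for /etc/modprobe.d/copyfail.conf. The
# "install" directive makes modprobe run /bin/false instead of loading the
# module; it does not unload an already-loaded module (rmmod or reboot) and
# breaks software that legitimately uses AF_ALG AEAD on that host.
modprobe_block_stanza() {
    printf 'install algif_aead /bin/false\n'
}

rel=$(uname -r)
echo "kernel $rel: $(assess_kernel "$rel")"
echo "algif_aead: $(aead_module_state "$rel")"
echo "stanza: $(modprobe_block_stanza)"
```

Run it on each host (or from a node DaemonSet) and treat "vulnerable" plus "loaded" or "builtin" as the highest-priority combination; "check-vendor" means the series is not covered by the upstream versions the article cites and the distribution's advisory decides.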

The facts in this case are stark: a long‑standing kernel logic bug, active evidence of exploitation, a tiny working exploit, and published fixes. Organizations that cannot install the kernel updates immediately must assume the vulnerability can be weaponized from low-privilege contexts and take the compensating steps CISA recommends while tracking public exploit variants and testing mitigations.
