CISA Adds Actively Exploited Linux Root Access Vulnerability to Known Exploited Vulnerabilities Catalog
- May 3
- 2 min read
Key Findings
CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild
The Linux kernel flaw allows unprivileged local users to gain root-level access through a 732-byte Python exploit
Nine-year-old vulnerability resulted from three separate kernel changes made in 2011, 2015, and 2017 that individually seemed harmless
Patches available in Linux kernel versions 6.18.22, 6.19.12, and 7.0
Federal agencies must apply fixes by May 15, 2026
Go and Rust exploit variants already detected in open-source repositories
Background
CVE-2026-31431, also known as Copy Fail, is a local privilege escalation vulnerability affecting Linux distributions shipped since 2017. The flaw carries a CVSS score of 7.8 and impacts the Linux kernel's authentication cryptographic template. Researchers at Theori and Xint discovered that the vulnerability stemmed from a logic bug introduced through three separate kernel modifications made over a six-year period, none of which appeared problematic on their own.
How the Exploit Works
Copy Fail exploits a critical weakness in how the Linux kernel manages its in-memory page cache. By corrupting this cache of readable files, attackers can modify binaries at execution time without touching the disk. This means an attacker can inject malicious code into privileged binaries like /usr/bin/su and execute it with root permissions. The attack requires only legitimate system calls, making it difficult to detect and allowing attackers to hide their activity among normal application behavior.
Container and Cloud Environment Risks
The prevalence of Linux in cloud infrastructure amplifies the danger. Kaspersky identified that Docker, LXC, and Kubernetes containers grant processes access to the AF_ALG subsystem by default if the algif_aead module is loaded on the host kernel. This creates a direct path for attackers to breach container isolation and compromise the underlying physical machine. The low entry barrier for exploitation—no race conditions or memory address guessing needed—makes this particularly concerning for cloud environments.
Current Threat Activity
Microsoft Defender Security Research Team reported preliminary testing activity suggesting threat actors may increase exploitation attempts in coming days. While CISA hasn't disclosed specific details about current wild exploitation, the availability of fully functional exploit proof-of-concept code in multiple programming languages accelerates the threat timeline. The vulnerability cannot be exploited remotely in isolation but becomes dangerous when combined with initial access vectors like SSH access, malicious CI job execution, or container footholds.
Exploitation Path
Attackers typically follow a straightforward process: identify vulnerable Linux hosts or containers, prepare a Python trigger, execute from a low-privilege context, perform a controlled four-byte overwrite in the kernel page cache to corrupt sensitive kernel data, and escalate their process to UID 0 for full root access. The simplicity and reliability of this attack chain make it accessible to threat actors with varying skill levels.
Recommended Actions
Organizations unable to patch immediately should disable the affected feature, implement network isolation, and apply strict access controls. Federal agencies face a May 15, 2026 deadline for applying updates. Given the active exploitation and ease of weaponization, prioritizing patching across Linux infrastructure is critical.
Sources
https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html
https://x.com/TheCyberSecHub/status/2050830019090641042
https://x.com/shah_sheikh/status/2050830020487315814

Comments