top of page

CISA Adds Actively Exploited Linux Root Access Vulnerability to Known Exploited Vulnerabilities Catalog

  • May 3
  • 2 min read

Key Findings


  • CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild

  • The Linux kernel flaw allows unprivileged local users to gain root-level access through a 732-byte Python exploit

  • Nine-year-old vulnerability resulted from three separate kernel changes made in 2011, 2015, and 2017 that individually seemed harmless

  • Patches available in Linux kernel versions 6.18.22, 6.19.12, and 7.0

  • Federal agencies must apply fixes by May 15, 2026

  • Go and Rust exploit variants already detected in open-source repositories


Background


CVE-2026-31431, also known as Copy Fail, is a local privilege escalation vulnerability affecting Linux distributions shipped since 2017. The flaw carries a CVSS score of 7.8 and impacts the Linux kernel's authentication cryptographic template. Researchers at Theori and Xint discovered that the vulnerability stemmed from a logic bug introduced through three separate kernel modifications made over a six-year period, none of which appeared problematic on their own.


How the Exploit Works


Copy Fail exploits a critical weakness in how the Linux kernel manages its in-memory page cache. By corrupting this cache of readable files, attackers can modify binaries at execution time without touching the disk. This means an attacker can inject malicious code into privileged binaries like /usr/bin/su and execute it with root permissions. The attack requires only legitimate system calls, making it difficult to detect and allowing attackers to hide their activity among normal application behavior.


Container and Cloud Environment Risks


The prevalence of Linux in cloud infrastructure amplifies the danger. Kaspersky identified that Docker, LXC, and Kubernetes containers grant processes access to the AF_ALG subsystem by default if the algif_aead module is loaded on the host kernel. This creates a direct path for attackers to breach container isolation and compromise the underlying physical machine. The low entry barrier for exploitation—no race conditions or memory address guessing needed—makes this particularly concerning for cloud environments.


Current Threat Activity


Microsoft Defender Security Research Team reported preliminary testing activity suggesting threat actors may increase exploitation attempts in coming days. While CISA hasn't disclosed specific details about current wild exploitation, the availability of fully functional exploit proof-of-concept code in multiple programming languages accelerates the threat timeline. The vulnerability cannot be exploited remotely in isolation but becomes dangerous when combined with initial access vectors like SSH access, malicious CI job execution, or container footholds.


Exploitation Path


Attackers typically follow a straightforward process: identify vulnerable Linux hosts or containers, prepare a Python trigger, execute from a low-privilege context, perform a controlled four-byte overwrite in the kernel page cache to corrupt sensitive kernel data, and escalate their process to UID 0 for full root access. The simplicity and reliability of this attack chain make it accessible to threat actors with varying skill levels.


Recommended Actions


Organizations unable to patch immediately should disable the affected feature, implement network isolation, and apply strict access controls. Federal agencies face a May 15, 2026 deadline for applying updates. Given the active exploitation and ease of weaponization, prioritizing patching across Linux infrastructure is critical.


Sources


  • https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html

  • https://x.com/TheCyberSecHub/status/2050830019090641042

  • https://x.com/shah_sheikh/status/2050830020487315814

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page