CISA adds Linux Copy Fail bug CVE-2026-31431 to KEV

CISA added Copy Fail (CVE-2026-31431), a Linux local root escalation bug with CVSS 7.8, to its Known Exploited Vulnerabilities catalog; kernel fixes available.

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-31431, known as Copy Fail, to its Known Exploited Vulnerabilities catalog after finding evidence of active exploitation. The flaw carries a CVSS score of 7.8 and can allow an unprivileged local user or process to obtain root. Kernel patches are available in versions 6.18.22, 6.19.12 and 7.0.

CISA described the bug as an ‘incorrect resource transfer between spheres’ in the Linux kernel that permits privilege escalation. Researchers who identified the vulnerability say it stems from a logic error in the kernel’s authentication cryptographic template introduced across three separate changes made in 2011, 2015 and 2017. The defect affects distributions shipped since 2017 and lets an attacker corrupt the kernel’s in-memory page cache for any readable file, including setuid binaries, without altering files on disk.

Because the page cache holds the in-memory version of executables, modifying it can change a binary at execution time. Security researchers produced a 732-byte Python proof-of-concept that triggers the flaw; ports in Go and Rust have appeared in public repositories. One vendor’s analysis noted the exploit performs a controlled four-byte overwrite in the kernel page cache that can corrupt kernel-managed data and escalate a process to UID 0.

Security firms flagged a heightened risk for containerized environments. Some container setups grant processes access to the AF_ALG cryptographic interface when the algif_aead kernel module is loaded on the host, which can allow code running inside a container to target the vulnerability and attempt a container escape to control the host.

Microsoft’s Defender team reported preliminary testing activity and expects exploitation to increase. The company outlined a likely attack path: identify a host or container running a vulnerable kernel, prepare a small trigger (for example a Python script), execute it from a low-privilege account or compromised container, and perform the overwrite that leads to privilege escalation. Microsoft noted the vector is local and requires no user interaction, and that the bug is not remotely exploitable on its own but can be combined with initial access methods such as SSH access, a malicious continuous integration job, or a compromised container.

Detecting exploitation is difficult because the attack uses legitimate system calls and standard kernel interfaces, which can resemble benign activity. The public availability of proof-of-concept code has been cited as a factor that could increase exploitation attempts.

Federal Civilian Executive Branch agencies were directed to apply available fixes by May 15, 2026. Vendors and distributions have begun rolling out updates that include the kernel fixes. For organizations unable to patch immediately, guidance includes disabling the affected feature where possible, implementing stronger network isolation, and restricting low-privilege access to vulnerable hosts and containers.
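As an added example that is not part of the article, the following POSIX shell script turns the interim guidance above into a read-only inventory check: it classifies the running kernel against the upstream fix releases named in the article (6.18.22, 6.19.12 and 7.0), reports whether the algif_aead module that exposes the AF_ALG interface is loaded, and emits the modprobe drop-in that prevents that module from being autoloaded. The function names are mine. Two assumptions are built in: distribution kernels often backport fixes without changing the upstream version string, so older series are reported as "unknown" rather than "vulnerable" and the distribution advisory remains authoritative; and blocking algif_aead autoload is taken to be what "disabling the affected feature" means, which cannot work where the interface is compiled into the kernel rather than built as a module.

```shell
#!/bin/sh
# Added example, not from the article: read-only patch-state check for the
# running kernel against the upstream Copy Fail (CVE-2026-31431) fix releases,
# plus the interim modprobe drop-in that blocks autoloading of algif_aead.
# Assumption: fix releases are 6.18.22, 6.19.12 and 7.0 as stated in the
# article; distro kernels may carry backports, so older series print "unknown".

# Reduce "6.18.20-generic" to "6.18.20"; print nothing if no X.Y prefix exists.
kernel_numeric() {
  printf '%s\n' "$1" |
    sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# Print "fixed", "vulnerable" or "unknown" for one kernel version string.
copyfail_upstream_status() {
  v=$(kernel_numeric "$1")
  if [ -z "$v" ]; then echo unknown; return 0; fi
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  if [ "$patch" = "$rest" ]; then patch=0; fi   # "7.0" / "6.19" carry no patch level
  if [ "$major" -ge 7 ]; then
    echo fixed                                   # 7.0 and later
  elif [ "$major" -eq 6 ] && [ "$minor" -eq 19 ]; then
    if [ "$patch" -ge 12 ]; then echo fixed; else echo vulnerable; fi
  elif [ "$major" -eq 6 ] && [ "$minor" -eq 18 ]; then
    if [ "$patch" -ge 22 ]; then echo fixed; else echo vulnerable; fi
  else
    echo unknown   # no upstream fix release is named for this series; check the distro advisory
  fi
}

# Is the AF_ALG AEAD interface module loaded? Prints "loaded" or "not-loaded".
# Caveat: a kernel with the interface built in (not modular) will not list it
# in /proc/modules; check modules.builtin for the running kernel in that case.
algif_aead_state() {
  if [ -r /proc/modules ] && grep -q '^algif_aead ' /proc/modules; then
    echo loaded
  else
    echo not-loaded
  fi
}

# Emit a modprobe(5) drop-in that blocks autoloading of algif_aead. This is the
# assumed reading of "disabling the affected feature"; install it under
# /etc/modprobe.d/ and unload the module if it is already loaded.
algif_aead_modprobe_conf() {
  printf 'install algif_aead /bin/false\nblacklist algif_aead\n'
}

# Summarise the host this script runs on.
report() {
  running=$(uname -r)
  printf 'kernel %s: upstream fix status %s\n' "$running" "$(copyfail_upstream_status "$running")"
  printf 'algif_aead module: %s\n' "$(algif_aead_state)"
}

report
```

Run it as an unprivileged user on each host and container image in scope; a "vulnerable" or "unknown" result with algif_aead "loaded" is the combination the article's container-escape scenario depends on, and is where patching or the modprobe drop-in should be prioritised.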
