The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2026-31431, a nine-year-old Linux privilege escalation flaw, to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The vulnerability, tracked as 'Copy Fail,' affects Linux distributions shipped since 2017 and poses particular risks to containerized environments.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Linux privilege escalation vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2026-31431 and known as 'Copy Fail,' affects a wide range of Linux distributions and is of particular concern in containerized environments.
Vulnerability Details
CVE-2026-31431 carries a CVSS score of 7.8 (High) and is a local privilege escalation (LPE) flaw that lets an unprivileged local user obtain root on a vulnerable system. Despite being nine years old, the vulnerability has only recently drawn attention, because a reliable exploit now exists. According to CISA's advisory, fixes are available in Linux kernel versions 6.18.22 and 6.19.12 on those stable branches and in 7.0. Those are the only versions the article's sources name; for kernels on other stable branches, the distribution's own advisory and package version are the reference, not the upstream kernel number.
"Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation," CISA stated in their official notice.
Technical Analysis of the Flaw
The vulnerability stems from a logic bug in the Linux kernel's authentication cryptographic template. According to researchers at Theori and Xint, the flaw was introduced through three separate, individually harmless changes to the Linux kernel made in 2011, 2015, and 2017. "Copy Fail is the result of a logic bug in the Linux kernel's authentication cryptographic template that allows an attacker to reliably trigger privilege escalation trivially by means of a 732-byte Python-based exploit," the researchers explained.
The vulnerability lets an unprivileged local user obtain root by corrupting the kernel's in-memory page cache for any file that user can read, including setuid binaries. Because the write lands in cached pages rather than on disk, the next execution of a modified setuid binary runs the attacker's bytes with root permissions.
"Because the page cache represents the in-memory version of executables, modifying it effectively alters binaries at execution time without touching disk," explained researchers from Google-owned Wiz. "This enables attackers to inject code into privileged binaries (e.g., /usr/bin/su) and thereby gain root privileges."
Impact on Containerized Environments
The prevalence of Linux in cloud and container environments significantly amplifies the vulnerability's impact. Kaspersky, in its analysis of the flaw, highlighted specific risks to containerized environments.
"Docker, LXC, and Kubernetes grant processes inside a container access to the AF_ALG subsystem if the algif_aead module is loaded into the host kernel by default," Kaspersky noted. "Copy Fail poses a risk of breaching container isolation and gaining control over the physical machine."
The security vendor emphasized that exploitation doesn't require complex techniques like race conditions or memory address guessing, which lowers the barrier for potential attackers. "Detecting the attack is difficult because the exploit uses only legitimate system calls, which are hard to distinguish from normal application behavior," they added.
Active Exploitation and PoC Availability
Adding to the urgency is the availability of a fully working exploit proof-of-concept (PoC). Kaspersky has stated that Go and Rust versions of the original Python implementation have already been detected in open-source repositories, indicating the vulnerability is being actively weaponized.
CISA did not share specific details about how the vulnerability is being exploited in the wild. However, the Microsoft Defender Security Research Team reported observing "preliminary testing activity that might result most likely in increased threat actor exploitation over the next days."
Microsoft outlined a potential attack vector:
- Reconnaissance to identify vulnerable Linux hosts or containers
- Preparation of a small Python trigger for the endpoint
- Execution from a low-privilege context (regular user or compromised container)
- The exploit performs a controlled 4-byte overwrite in the kernel page cache
- This leads to corruption of sensitive kernel-managed data
- The attacker escalates to UID 0 and obtains full root privileges
Mitigation Recommendations
Federal Civilian Executive Branch (FCEB) agencies have until May 15, 2026, to apply the fixes; impacted Linux distributions have already pushed updates. For organizations unable to patch immediately, CISA recommends several compensating controls:
- Disabling the affected feature (in Kaspersky's analysis above, the AF_ALG interface exposed by the algif_aead module)
- Implementing network isolation
- Applying strict access controls
- Monitoring for suspicious activity related to page cache manipulation
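The script below is an added example written for this article; it is not code from CISA, Kaspersky, Wiz, Microsoft, Theori or Xint. It turns three points above into checks a responder can run: the fix versions CISA's advisory names (6.18.22, 6.19.12, 7.0), Kaspersky's observation that exposure runs through the AF_ALG interface and the algif_aead module, and Wiz's observation that the modified pages live in the page cache and not on disk, which means an ordinary read() of a setuid binary returns the same bytes execve() would map. Its assumptions, also labelled in the comments: kernels on stable branches other than 6.18 and 6.19 are reported as "unknown" because distributions backport fixes under their own version strings; an `install algif_aead /bin/false` line in /etc/modprobe.d is the standard way to stop a module from being loaded on demand and is offered as one way to implement CISA's "disable the affected feature" (it breaks local software that uses kernel AEAD through AF_ALG, which is rare); and a SHA-256 baseline of setuid binaries was recorded from a trusted state (package verification such as `dpkg --verify` or `rpm -V` also reads through the page cache and serves the same purpose).

```shell
#!/bin/sh
# Added triage helper for CVE-2026-31431 ("Copy Fail"). Example code written
# for this article, not code from CISA, Kaspersky, Wiz, Microsoft, Theori or Xint.
#
# Assumptions (the article does not state them, so they are labelled here):
#  * fixed upstream releases are exactly the ones CISA's advisory names:
#    6.18.22, 6.19.12 and 7.0; any other stable branch is reported "unknown"
#    because distributions backport fixes under their own version strings;
#  * exposure runs through the AF_ALG socket interface and the algif_aead
#    module (Kaspersky's analysis), which the kernel autoloads on demand when a
#    process opens an AF_ALG "aead" socket, so "not loaded" is not "not reachable";
#  * an "install algif_aead /bin/false" line in /etc/modprobe.d is the usual
#    way to stop that on-demand loading (it breaks userspace that relies on
#    kernel AEAD through AF_ALG, which is rare);
#  * a SHA-256 baseline of setuid binaries was recorded from a trusted state.

# version_ge A B: succeed when dotted numeric version A is >= B.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}                      # leading field of each
        [ "$a" = "$ai" ] && a='' || a=${a#*.}         # drop it (or finish)
        [ "$b" = "$bi" ] && b='' || b=${b#*.}
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0     # missing fields count as 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# fix_status RELEASE: print fixed / vulnerable / unknown for a `uname -r` string.
fix_status() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')       # "6.18.22-arch1-1" -> "6.18.22"
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    case "$major.$minor" in
        6.18) version_ge "$v" 6.18.22 && echo fixed || echo vulnerable ;;
        6.19) version_ge "$v" 6.19.12 && echo fixed || echo vulnerable ;;
        *)    if version_ge "$v" 7.0; then echo fixed; else echo unknown; fi ;;
    esac
}

# algif_aead_state: print loaded / builtin / blocked / autoloadable for this
# kernel. Inside a container /proc/modules shows the host kernel's modules, but
# /lib/modules and /etc/modprobe.d are the container's own, so run this on the host.
algif_aead_state() {
    if grep -qs '^algif_aead ' /proc/modules; then
        echo loaded
    elif grep -qs 'algif_aead\.ko' "/lib/modules/$(uname -r)/modules.builtin"; then
        echo builtin
    elif grep -rqs '^install[[:space:]][[:space:]]*algif_aead[[:space:]]' /etc/modprobe.d; then
        echo blocked
    else
        echo autoloadable
    fi
}

# check_baseline FILE: FILE holds "sha256  path" lines (paths without whitespace).
# read() is served from the page cache, so hashing a setuid binary now sees the
# bytes execve() would map; a mismatch while the on-disk copy is unchanged is the
# in-memory tampering Wiz describes. Prints "MISMATCH path" per divergence;
# returns 1 if any path diverged, 0 otherwise.
check_baseline() {
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        have=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Host summary. BASELINE may point at a file produced earlier from a trusted state:
#   find / -perm -4000 -type f -exec sha256sum {} + > /var/lib/setuid.sha256
triage_host() {
    rel=$(uname -r 2>/dev/null || echo unknown)
    echo "kernel $rel: $(fix_status "$rel")"
    echo "algif_aead: $(algif_aead_state)"
    if [ -r "${BASELINE:-/var/lib/setuid.sha256}" ]; then
        if check_baseline "${BASELINE:-/var/lib/setuid.sha256}"; then
            echo "setuid baseline: ok"
        fi
    fi
}

triage_host
```

Run it as root on the host rather than inside a container, since the module and modprobe.d checks describe the host kernel. A MISMATCH line while the file's on-disk metadata and package checksum are unchanged is worth preserving immediately (copy the file contents as read now): once the kernel evicts those pages it re-reads the file from disk and the only evidence of the modification is gone.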
The Microsoft Defender team emphasized that while the vulnerability is not remotely exploitable in isolation, it becomes highly impactful when chained with initial access vectors such as SSH access, malicious CI job execution, or container footholds.
Broader Implications
The addition of this vulnerability to the KEV catalog underscores how long a flaw can sit unnoticed in widely deployed code, and how quickly it becomes a practical threat once a reliable exploit exists, especially in cloud infrastructure and containerized applications where one host kernel serves many tenants. A nine-year-old bug that is now being exploited within days of disclosure highlights the importance of prompt patching once fixes are available.
Security experts recommend that organizations prioritize patching for this vulnerability given the availability of working exploits and the potential for complete system compromise. The particularly dangerous implications for container environments should prompt additional review of isolation controls in Kubernetes, Docker, and other containerization platforms.
For more technical details about the vulnerability, organizations can refer to Theori's research and Kaspersky's analysis of the flaw.