CISA Adds Actively Exploited Linux Root Access Vulnerability CVE-2026-31431 to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability affecting multiple Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, an addition that is only made once exploitation in the wild has been confirmed. The flaw, tracked as CVE-2026-31431, carries a CVSS score of 7.8 (High).
Overview of the Vulnerability
CVE-2026-31431 is a local privilege escalation (LPE) vulnerability that lets an unprivileged local user obtain root. Nicknamed "Copy Fail" by the researchers who found it, the bug is the product of three separate Linux kernel changes made in 2011, 2015 and 2017, and has therefore been exploitable for nearly a decade. It stems from a logic error in the kernel's authentication cryptographic template and can be triggered by a Python exploit only 732 bytes long.
CISA's advisory describes the flaw as an incorrect resource transfer in the Linux kernel that can be leveraged for privilege escalation. Fixes are available in kernel versions 6.18.22, 6.19.12 and 7.0. Distribution kernels generally receive the fix as a backport without changing the upstream version number, so the distribution's own advisory, not the version string alone, is the reference for whether a host is patched.
Technical Implications
The vulnerability affects Linux distributions shipped since 2017. It lets an unprivileged user corrupt the kernel's in-memory page cache for any file that user can read, including setuid-root binaries, and that corruption leads to code execution as root. Because the kernel executes programs from the page cache rather than from disk, the attacker changes what runs the next time the binary is executed without ever modifying the file on disk: every reader, including exec(), is served the corrupted pages, while the disk copy, and any forensic image taken from it, stays pristine until the cached pages are evicted or the host reboots.
According to the cybersecurity firm Wiz, this allows an attacker to inject code into a privileged binary such as /usr/bin/su and then run it to obtain root. The prevalence of Linux in cloud environments, and in containerized workloads in particular, widens the potential impact.
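Because the corruption lives only in the page cache, the on-disk file and the in-memory view of it disagree while the tampering is in effect. The following script, an added example and not code from the article, Wiz or any vendor, compares the two views: a normal read() returns the cached pages, while an O_DIRECT read bypasses the page cache and returns what is on disk, so a hash mismatch means memory and disk have diverged. It assumes coreutils dd (iflag=direct, status=none) and a filesystem that honours O_DIRECT (ext4 and xfs do; tmpfs and some overlay setups do not, and those are reported as unsupported).

```shell
#!/bin/sh
# Added example: detect page-cache/disk divergence for a file.
# Assumptions: coreutils dd with iflag=direct; filesystem honours O_DIRECT.

# What every process sees: the file as served from the page cache.
cached_sha256() {
    sha256sum < "$1" | cut -d' ' -f1
}

# What is actually on disk. bs=4096 keeps reads block-aligned, and the
# kernel permits a short O_DIRECT read for an unaligned tail at EOF.
ondisk_sha256() {
    dd if="$1" bs=4096 iflag=direct status=none 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Prints one of: match | MISMATCH | unsupported. Returns 1 only on MISMATCH.
page_cache_check() {
    file=$1
    # Pull the file into the page cache first; otherwise both hashes come
    # from disk and agreement proves nothing.
    cat "$file" > /dev/null 2>&1 || { echo unsupported; return 0; }
    # Probe O_DIRECT on a single block before trusting the on-disk hash.
    if ! dd if="$file" bs=4096 count=1 iflag=direct of=/dev/null status=none 2>/dev/null; then
        echo unsupported
        return 0
    fi
    if [ "$(cached_sha256 "$file")" = "$(ondisk_sha256 "$file")" ]; then
        echo match
    else
        echo MISMATCH
        return 1
    fi
}

# Sweep the targets the article names: setuid/setgid binaries under $1 (default /).
# Anything not reported as "match" deserves a look while the box is still up;
# the evidence disappears once the cached pages are evicted or the host reboots.
sweep_setuid_binaries() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        printf '%s %s\n' "$(page_cache_check "$f")" "$f"
    done
}

# Usage: sweep_setuid_binaries | grep -v '^match '
```

A "match" result only proves memory and disk agree at the moment of the check; it cannot prove a binary was never tampered with, since eviction or a reboot erases the divergence. Run the sweep as part of live triage on a host that is still up, not after it has been rebooted.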
Risks to Containerized Environments
Kaspersky has emphasized the risk Copy Fail poses to containerized environments. Docker, LXC and Kubernetes typically give processes inside a container access to the AF_ALG subsystem (the socket interface to the kernel crypto API) by default, as long as the algif_aead module is loaded in the host kernel. With that default in place, the bug turns a container foothold into control of the underlying host.
The ease of exploitation is particularly concerning. The attack needs no race condition and no guessing of memory addresses, which lowers the bar for would-be attackers. Detection is also hard: the exploit uses ordinary, legitimate system calls that are difficult to tell apart from normal application behavior.
Exploit Availability and Threat Landscape
The urgency is heightened by the availability of a fully functional proof-of-concept (PoC) exploit. Kaspersky reports that variants of the original Python exploit have already surfaced in open-source repositories, including ports to Go and Rust.
CISA has not disclosed how the vulnerability is being exploited in the wild. The Microsoft Defender Security Research Team, however, has observed an increase in preliminary testing activity that may translate into more exploitation attempts in the coming days. The attack vector is local and requires only low privileges, so any unprivileged user on a vulnerable system can attempt it.
The Microsoft team also notes that while the bug is not remotely exploitable on its own, it becomes significant when chained with an initial access vector such as Secure Shell (SSH) access, execution of a malicious continuous integration (CI) job, or a container foothold.
Potential Exploitation Pathway
Security experts have outlined the path an attacker could follow to exploit this vulnerability:
- Conduct reconnaissance to identify a Linux host or container running a kernel version vulnerable to Copy Fail.
- Prepare a small Python trigger for use against the target.
- Run the exploit from a low-privilege context, either as a regular Linux user on a host or as a compromised container process holding no special capabilities.
- The exploit performs a controlled 4-byte overwrite in the kernel page cache, corrupting the cached copy of the target binary.
- The attacker's process escalates to UID 0, obtaining full root privileges.
Recommendations for Mitigation
In light of this vulnerability, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by May 15, 2026. Affected Linux distributions have already shipped updates. Where patching cannot happen immediately, the interim controls are to disable the affected feature (the AF_ALG algif_aead interface described above), isolate vulnerable hosts on the network, and tighten access so that fewer people and workloads can obtain the local foothold the exploit requires.
As the threat landscape continues to evolve, vulnerabilities like CVE-2026-31431 underscore the importance of proactive security measures and timely updates to keep systems from being exploited.
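The triage and workaround steps above, and the container-side exposure described in the "Risks to Containerized Environments" section, can be scripted. The following is an added example, not code from CISA, the article or any distribution. It checks a kernel version string against the fixed versions the article lists, checks whether algif_aead is loaded, applies the modprobe workaround on a host, and emits a seccomp rule that denies socket(AF_ALG, ...) inside a container. It assumes version strings shaped like the output of uname -r (for example 6.18.21-generic), the module name algif_aead as given above, and AF_ALG = 38 from the kernel's socket.h; the seccomp profile's errnoRet field needs a recent runc/Docker.

```shell
#!/bin/sh
# Added example: Copy Fail triage and "disable the affected feature" workarounds.
# Assumptions: uname -r style version strings; module name algif_aead; AF_ALG = 38.

# Prints fixed | vulnerable | check-backport | unknown for an upstream version.
kernel_status() {
    v=${1%%[!0-9.]*}                      # "6.18.21-generic" -> "6.18.21"
    major=${v%%.*}
    rest=${v#*.}
    case $rest in
        *.*) minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   minor=$rest; patch=0 ;;
    esac
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    done
    if [ "$major" -ge 7 ]; then
        echo fixed                        # 7.0 and later ship the fix
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 19 ]; then
        if [ "$patch" -ge 12 ]; then echo fixed; else echo vulnerable; fi
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 18 ]; then
        if [ "$patch" -ge 22 ]; then echo fixed; else echo vulnerable; fi
    else
        # Older stable/LTS series: distributions backport the fix without moving
        # the upstream version number, so the package changelog is authoritative.
        echo check-backport
    fi
}

# Is the module the article names loaded right now? $1 overrides /proc/modules
# for testing. A kernel with CONFIG_CRYPTO_USER_API_AEAD=y has it built in and
# it will not appear here; check /lib/modules/$(uname -r)/modules.builtin too.
algif_aead_loaded() {
    grep -q '^algif_aead ' "${1:-/proc/modules}"
}

# Host-side workaround: unload the module and stop the kernel from auto-loading
# it again. "install ... /bin/false" is what actually blocks request_module();
# "blacklist" alone only stops alias-based loading. If the module is in use,
# modprobe -r fails and the block takes effect on the next boot. This breaks any
# userspace that drives AEAD ciphers through AF_ALG, so test before rolling out.
disable_algif_aead() {
    printf 'install algif_aead /bin/false\nblacklist algif_aead\n' \
        > /etc/modprobe.d/copyfail-workaround.conf
    modprobe -r algif_aead 2>/dev/null || true
}

# Container-side workaround: refuse socket(AF_ALG, ...) so a container cannot
# reach the algif_* modules even when the host has them loaded. 38 is AF_ALG,
# 97 is EAFNOSUPPORT (what a kernel built without AF_ALG returns). Merge the
# rule into a copy of your runtime's default profile; defaultAction ALLOW is
# used here only to keep the fragment self-contained.
write_afalg_seccomp_profile() {
    cat <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 97,
      "args": [ { "index": 0, "value": 38, "op": "SCMP_CMP_EQ" } ]
    }
  ]
}
EOF
}

# Usage:
#   kernel_status "$(uname -r)"
#   algif_aead_loaded && echo "algif_aead is loaded"
#   write_afalg_seccomp_profile > copyfail-seccomp.json
#   docker run --security-opt seccomp=copyfail-seccomp.json ...
```

kernel_status is a triage heuristic, not proof: "check-backport" means the version number says nothing either way and the distribution advisory decides. The seccomp rule covers the socket() syscall on x86_64 and aarch64; 32-bit x86 guests that reach sockets through socketcall() need an equivalent rule for that syscall.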
Source: thehackernews.com