★ 8/10 · Security · 2026-05-03

CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV

Summary

CISA has added CVE-2026-31431, also known as "Copy Fail," to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. This local privilege escalation (LPE) vulnerability allows unprivileged users to obtain root access by corrupting the Linux kernel's in-memory page cache.

Key Points

  • CVE ID: CVE-2026-31431 (CVSS Score: 7.8).
  • Affected Systems: Linux distributions shipped since 2017.
  • Fixed Versions: Linux kernel versions 6.18.22, 6.19.12, and 7.0.
  • Exploit Mechanism: A 732-byte Python-based exploit (with Go and Rust implementations also available) that performs a controlled 4-byte overwrite in the kernel page cache.
  • Attack Vector: Local (AV:L); requires no user interaction and can be executed by any unprivileged user or compromised container process.
  • Container Risk: High risk to Docker, LXC, and Kubernetes environments if the algif_aead module is loaded into the host kernel, potentially breaching container isolation.

Technical Details

The "Copy Fail" vulnerability is a logic bug in the Linux kernel's authenticated-encryption cryptographic template, the combined result of three separate, individually harmless changes made between 2011 and 2017. The flaw amounts to an incorrect resource transfer between spheres: an attacker can corrupt the kernel's in-memory page cache for any readable file, including setuid binaries. Because the page cache holds the in-memory copy of an executable, modifying it injects code into a privileged binary (e.g., /usr/bin/su) at execution time without altering the file on disk.

Detection is difficult because the exploit uses only legitimate system calls that are indistinguishable from normal application behavior. The vulnerability is not remotely exploitable on its own, but it becomes highly impactful when chained with an initial access vector such as SSH access, a malicious CI/CD job, or a compromised container foothold. In containerized environments, exploitation goes through the AF_ALG socket interface, which processes in Docker, LXC, and Kubernetes containers can reach if the algif_aead module is loaded on the host.

Impact / Why It Matters

Developers and system administrators must prioritize kernel updates to prevent unprivileged users or compromised containerized processes from gaining full root control over the host. Where patching is not immediately feasible, organizations should implement strict access controls, network isolation, and disable the affected features (for example, by preventing the algif_aead module from loading) to reduce the risk of privilege escalation.
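A host triage script, added here as an example and not part of the advisory: it checks a kernel version string against the three fix versions named above, checks lsmod-style output for the algif_aead module, and prints the modprobe.d fragment that blocks the module from autoloading. It assumes only the upstream fix versions (6.18.22, 6.19.12, 7.0) and the module name algif_aead; the COPYFAIL_TRIAGE variable and the file name copyfail.conf are choices made for this example.

```shell
#!/bin/sh
# Added triage helper, not part of the advisory. It only knows the three fix versions the
# advisory names (6.18.22, 6.19.12, 7.0); distribution kernels with backported fixes must be
# judged by the vendor's own advisory, so an "unfixed" verdict here means "check", not "vulnerable".

# version_ge A B: returns 0 when dotted version A >= B. Suffixes such as "-generic" are dropped.
version_ge() {
  v1=${1%%-*}; v2=${2%%-*}
  i=1
  while [ "$i" -le 3 ]; do
    x=$(echo "$v1" | cut -d. -f"$i"); y=$(echo "$v2" | cut -d. -f"$i")
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}          # keep leading digits only
    x=${x:-0}; y=${y:-0}                      # a missing component counts as 0
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# kernel_is_fixed VERSION: 0 if VERSION is in a series at or above the advisory's fix level.
kernel_is_fixed() {
  v=${1%%-*}
  case "$v" in
    6.18.*) version_ge "$v" 6.18.22 ;;
    6.19.*) version_ge "$v" 6.19.12 ;;
    *)      version_ge "$v" 7.0 ;;           # 7.0+ fixed; anything older than 6.18 is unfixed
  esac
}

# algif_aead_loaded: reads lsmod-style output on stdin; 0 if the algif_aead module is listed.
algif_aead_loaded() {
  grep -q '^algif_aead[[:space:]]'
}

# mitigation_snippet: modprobe.d fragment that stops algif_aead from autoloading. It only
# helps when algif_aead is built as a module; a kernel with it built in needs the update.
mitigation_snippet() {
  printf 'install algif_aead /bin/false\nblacklist algif_aead\n'
}

# Live check of this host; run with COPYFAIL_TRIAGE=1 to enable.
if [ "${COPYFAIL_TRIAGE:-0}" = 1 ]; then
  running=$(uname -r)
  if kernel_is_fixed "$running"; then echo "kernel $running: fixed series"
  else echo "kernel $running: not in a fixed series, apply update or check vendor advisory"; fi
  if lsmod 2>/dev/null | algif_aead_loaded; then
    echo "algif_aead is loaded; to block autoloading, add to /etc/modprobe.d/copyfail.conf:"
    mitigation_snippet
  fi
fi
```

The blacklist only prevents future autoloading; an already loaded algif_aead module stays in the kernel until it is unloaded or the host reboots, and the kernel update remains the actual fix.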

security linux vulnerability