The Cybersecurity and Infrastructure Security Agency (CISA) has added another Linux kernel vulnerability, CVE-2026-31431, also known as Copy Fail, to its Known Exploited Vulnerabilities (KEV) catalog.
Inclusion in the list implies active real-world attacks and increases the priority of patches.
This particular vulnerability, which has affected almost all major Linux distributions since 2017, stems from the kernel incorrectly transferring resources between security domains and allows local users to escalate privileges to root.
Experts emphasize the danger associated with this vulnerability, especially because of its reliability, undetectability, and cross-environment nature. Threat actors can abuse this vulnerability to tamper with memory data without any traces on the disk.
Microsoft researchers said they have observed only limited in-the-wild exploitation, mainly surrounding proof-of-concept (PoC) testing. However, despite the minimal current activity targeting it, CVE-2026-31431 has broad applicability, and a working PoC exploit has been released, which should raise concern among defenders.
“Successful exploitation leads to full root privilege escalation (high impact to confidentiality, integrity, and availability) and could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments,” Microsoft notes. “Its reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI/CD, and Kubernetes environments where untrusted code execution is common,” the company says.
The real danger is in shared and containerized environments
Vishal Agarwal, CTO at Averlon, says once a vulnerability moves into active exploitation, it’s no longer theoretical, it becomes an immediate operational priority.
“Copy Fail is a reliable, portable privilege-escalation primitive across major Linux distributions. It doesn’t require race conditions or user interaction, so once an attacker gains any initial foothold, a compromised container, CI runner, or low-privilege account, they can consistently escalate to root on the host. That’s why this is a patch-now situation.
“The real danger is in shared and containerized environments. A vulnerability like this can break isolation boundaries, turning a limited compromise into full control of the underlying system and a path to lateral movement. That’s what makes this more than just another kernel issue.”
Broad reach with reliable exploitation
Ryan McCurdy, VP at Liquibase, adds that Copy Fail is an urgent patch because it allows an attacker to move rapidly from local access to root across the Linux systems that many IT infrastructures depend on daily.
“With its addition to the KEV, CISA is signaling that this threat is no longer speculative. It’s dangerous, coupling broad reach with reliable exploitation across mainstream distributions. In environments like CI runners, container hosts, and shared Linux infrastructure, an initial foothold can become full compromise very quickly.”
Disable the vulnerable module as an operational priority
Uzair Gadit, CEO and Founder of Secure.com, says: “The logic error in the kernel’s cryptographic subsystem lets a local user add a small amount of controlled data into the kernel’s page cache as the first step to escalate privileges and hide. The risks are greatest in Linux environments where namespace isolation (which containers provide) is assumed to be adequate to protect tenants from one another.”
Gadit adds that the boundaries that hold are the ones that don’t share a kernel, such as AWS Lambda and Fargate, which run on Firecracker microVMs, with separate kernels per tenant and no shared page cache. “Cloudflare Workers run on V8 isolates, with no Linux kernel in the threat model at all. gVisor interposes a user-space kernel that does not share the host’s algif_aead.
“Development infrastructures, cloud and containerization, CI/CD pipelines and serverless and sandboxing Linux environments are all at immediate risk. Organizations should patch their kernel immediately, and any who can’t should disable the vulnerable module as a highest operational priority.”
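The mitigation Gadit describes, disabling the vulnerable module where the kernel cannot be patched immediately, can be checked and applied with a short POSIX shell script. The script below is an added example, not code from the article or from any of the vendors quoted; it assumes only the module name algif_aead, which the comment above names, and the standard modprobe.d `install` directive. The article gives no fixed kernel version, so the script checks module state rather than kernel versions, and patching remains the actual fix.

```shell
#!/bin/sh
# Added example (not from the article or any vendor): a defender-side check for
# the kernel crypto user-space interface module named in the article, algif_aead,
# plus a generator for the modprobe.d rule that stops it from loading on hosts
# that cannot take the kernel patch yet.

MODULE_NAME="algif_aead"

# module_loaded LSMOD_TEXT
# Returns 0 if the module appears in the first column of lsmod-style output,
# 1 otherwise. Parsing text instead of calling lsmod directly keeps the
# function testable offline.
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$MODULE_NAME" \
        'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# blacklist_rule
# Emits the modprobe configuration that makes any load attempt run /bin/false.
# "install" is preferred over "blacklist" because it also covers on-demand
# autoload requests the kernel can make when a program opens an AF_ALG socket,
# which "blacklist" alone does not stop.
blacklist_rule() {
    printf 'install %s /bin/false\n' "$MODULE_NAME"
}

# write_blacklist CONF_PATH
# Writes the rule to CONF_PATH, e.g. /etc/modprobe.d/disable-algif-aead.conf
# (run as root to apply on a real host).
write_blacklist() {
    blacklist_rule > "$1"
}

# check_live
# Reports whether the module is currently loaded on this host. Read-only;
# skipped when lsmod (kmod) is not installed.
check_live() {
    if command -v lsmod >/dev/null 2>&1; then
        if module_loaded "$(lsmod)"; then
            echo "$MODULE_NAME is loaded: unload it (rmmod $MODULE_NAME, as root) and install the modprobe rule"
        else
            echo "$MODULE_NAME is not loaded (it can still autoload until the modprobe rule is in place)"
        fi
    else
        echo "lsmod not available; skipping live check"
    fi
}

# Constructed lsmod output for the stand-alone demonstration below.
SAMPLE_LSMOD='Module                  Size  Used by
algif_aead             16384  0
af_alg                 32768  1 algif_aead
overlay               163840  0'

if module_loaded "$SAMPLE_LSMOD"; then
    echo "sample host: $MODULE_NAME loaded"
fi
# Print the rule rather than installing it; point write_blacklist at a file
# under /etc/modprobe.d/ to apply it.
blacklist_rule
check_live
```

One caveat worth knowing before relying on this: a modprobe rule only helps when the AEAD user-space interface is built as a loadable module. If a distribution compiled it into the kernel image, there is no module to block, and the kernel update is the only remedy.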
Every major Linux distribution shipped since 2017 is affected
Jacob Krell, Senior Director, Secure AI Solutions & Cybersecurity, at Suzu Labs, comments: “Every major Linux distribution shipped since 2017 is affected, and the exploit is trivially simple to execute. It was demonstrated that root across Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16 was obtainable with a single Python script described as 100 percent reliable. When scope and simplicity converge like this, weaponization follows disclosure within hours. CISA adding CVE-2026-31431 to the KEV catalog and giving federal agencies a two-week deadline confirms exactly that.”
The blast radius on Copy Fail is massive
Krell says: “Copy Fail exploits a logic flaw in the kernel crypto interface by writing four controlled bytes to the page cache of any readable file. That is all it takes to turn an unprivileged local account into root. The vulnerable module ships enabled by default in virtually every mainstream distribution and is rarely treated as meaningful attack surface. The blast radius on Copy Fail is massive.
“Once an attacker has root on a Linux server, the incident changes character. They gain the ability to hide persistence, modify binaries, interfere with logging, and use the system as a staging point for lateral movement. The question shifts from whether the host was vulnerable to whether the organization can still trust what that host is telling them. Security teams should prioritize kernel updates and apply vendor mitigations where immediate patching is not possible. Waiting turns a fixable vulnerability into a far more expensive eviction problem.”
A “patch right now” situation
David Brumley, Chief AI and Science Officer at Bugcrowd, says Copy Fail should be considered a “patch right now” situation because the public exploit is reliable and works on almost all active Linux systems.
“Two priority use cases for patching are container isolation and Linux privilege escalation. Any system using containers to provide isolation – whether it be in Kubernetes, products, as runners in DevOps – needs to update those systems ASAP because the exploit provides a container escape. Second, Linux systems that have active users, such as IT systems and developer systems. The public exploit will elevate any normal user to root on every modern Linux system.”
A significant escalation
Jason Soroko, Senior Fellow at Sectigo, said this latest addition to KEV marks a significant escalation from theoretical risk to active compromise. “Inclusion on this list confirms that malicious actors have successfully weaponized CVE-2026-31431 against Linux environments and are actively deploying it in the wild. This official recognition serves as a strong mandate for immediate action. Standard patching cadences are no longer sufficient to protect the broader network infrastructure.
“The danger of this bug lies in its targeting of Linux endpoints and servers, which form the backbone of critical operations. A successful exploit in these environments often grants attackers deep access to highly sensitive data. I’d go as far as to say that security teams must treat this as an emergency because the window between a vulnerability entering the KEV and widespread automated exploitation is unusually narrow. Failing to patch immediately leaves organizations exposed to an active attack vector that adversaries are already utilizing to breach high-value targets.”
No forensic trail
Mayuresh Dani, Security Research Manager at Qualys, adds: “Looking at the released proof-of-concept code, an unprivileged local attacker with simple shell access and Python 3.10+ can get root in seconds. There is no stopping threat actors from adapting this proof-of-concept code to other portable and operating-system-independent languages and removing the Python prerequisite, leading to a complete system compromise. The vulnerability also does not leave a forensic trail, as the kernel never marks the corrupted page dirty for writeback, making it difficult for defenders to detect.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.