Published on May 3, 2026

CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV


Severity
Medium

Detail

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Linux vulnerability, CVE-2026-31431, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation in the wild.

The flaw, also known as Copy Fail, is a local privilege escalation (LPE) vulnerability affecting multiple Linux distributions. With a CVSS score of 7.8, it allows an unprivileged local user to gain full root access on affected systems. The issue originates from a logic flaw in the Linux kernel’s cryptographic subsystem (its authentication component) and has been present for nearly nine years, introduced through changes made between 2011 and 2017.

The vulnerability impacts Linux systems released since 2017 and poses significant risks, especially in cloud and containerized environments where Linux is widely used. Security researchers have highlighted that exploitation is relatively simple and does not require advanced techniques.

How?

The vulnerability stems from improper handling of resource transfer within the Linux kernel, enabling attackers to manipulate the in-memory page cache. This lets an attacker modify the cached copy of an executable at runtime without altering the file on disk.

An attacker with low-privileged local access (e.g., a regular user or a compromised container process) can run a small exploit, reportedly as little as a 732-byte Python script, to corrupt the kernel’s page cache. By targeting privileged binaries such as /usr/bin/su, attackers can inject malicious code and escalate privileges to root (UID 0).

The attack does not require user interaction and can be executed locally with minimal privileges. While it is not remotely exploitable on its own, it becomes highly dangerous when combined with initial access vectors such as SSH access, malicious CI/CD jobs, or container breaches.

In containerized environments, the risk is even greater. Since platforms like Docker and Kubernetes may expose certain kernel subsystems by default, attackers can potentially escape container isolation and gain control of the underlying host system.

Detection is difficult because the exploit relies solely on legitimate system calls, making malicious activity blend in with normal operations. Additionally, proof-of-concept (PoC) exploits are publicly available in multiple programming languages, lowering the barrier for exploitation.
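One defensive check that follows from the page-cache behaviour described above, as an added example that is not from the advisory or its source: because the exploit alters a privileged binary's cached pages while the file on disk stays intact, an ordinary read() (served from the cache) and an O_DIRECT read (which bypasses the cache) should agree on a clean host, and any divergence is worth alerting on. It assumes Linux on a filesystem that supports O_DIRECT; the target list is a constructed watch list, not taken from the advisory.

```python
import mmap
import os

PAGE = mmap.PAGESIZE  # compare at page granularity, the unit the cache manages
DEFAULT_TARGETS = ["/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd"]  # constructed list


def read_cached(path):
    """Ordinary read(): served from the page cache when the pages are resident."""
    with open(path, "rb") as f:
        return f.read()


def read_direct(path):
    """Read from the block device, bypassing the cache; O_DIRECT needs aligned I/O."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    try:
        size = os.fstat(fd).st_size
        # An anonymous mmap is page-aligned; round its length up to whole pages.
        buf = mmap.mmap(-1, max(PAGE, -(-size // PAGE) * PAGE))
        out = bytearray()
        while len(out) < size:
            n = os.readv(fd, [buf])  # direct read; a short read at EOF is expected
            if not n:
                break
            out += buf[:n]
        return bytes(out[:size])
    finally:
        os.close(fd)


def diverging_page_offsets(cached, on_disk):
    """Byte offsets of every page whose cached bytes differ from the disk copy."""
    n = max(len(cached), len(on_disk))
    return [off for off in range(0, n, PAGE)
            if cached[off:off + PAGE] != on_disk[off:off + PAGE]]


def check_targets(targets=DEFAULT_TARGETS):
    """Map each existing target whose cache and disk disagree to the bad offsets."""
    findings = {}
    for path in filter(os.path.isfile, targets):
        try:
            offs = diverging_page_offsets(read_cached(path), read_direct(path))
        except OSError:  # e.g. EINVAL: filesystem without O_DIRECT, cannot check
            continue
        if offs:
            findings[path] = offs
    return findings


if __name__ == "__main__":
    for path, offs in check_targets().items():
        print(f"ALERT {path}: page cache differs from disk at offsets {offs}")
```

The check only sees pages that are still resident; once tampered pages are evicted both reads come from disk and agree, so run it promptly and pair it with package-manifest verification and patching.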

Conclusion

The inclusion of CVE-2026-31431 in CISA’s KEV catalog highlights the severity and active exploitation of this long-standing Linux kernel flaw. Its ease of exploitation, combined with the widespread use of Linux in cloud and container environments, makes it a high-risk vulnerability.

Organizations are strongly advised to apply security patches immediately or implement mitigation measures such as disabling affected features, restricting access, and isolating vulnerable systems. This case underscores the importance of timely patching and layered security, especially for vulnerabilities that can lead to full system compromise with minimal effort.

Source

https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html