2026-05-03 00:00
β BackThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Fridayaddeda recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked asCVE-2026-31431(CVSS score: 7.8), is a case of local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The nine-year-old flaw is also tracked asCopy Failby Theori and Xint. Fixes have been made available in Linux kernel versions 6.18.22, 6.19.12, and 7.0. "Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation," CISA said in an advisory. In a write-up published earlier this week, the researchers saidCopy Failis the result of a logic bug in the Linux kernel's authentication cryptographic template that allows an attacker to reliably trigger privilege escalation trivially by means of a 732-byte Python-based exploit. It was introduced through three separate, individually harmless changes to the Linux kernel made in 2011, 2015, and 2017.
The high-severity security vulnerabilityimpactsLinux distributions shipped since 2017, and permits an unprivileged local user to obtain root-level access by corrupting the kernel's in-memorypage cacheof any readable file, including setuid binaries. This corruption could be carried out by unprivileged users and could result in code execution with root...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Fridayaddeda recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked asCVE-2026-31431(CVSS score: 7.8), is a case of local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The nine-year-old flaw is also tracked asCopy Failby Theori and Xint. Fixes have been made available in Linux kernel versions 6.18.22, 6.19.12, and 7.0. "Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation," CISA said in an advisory. In a write-up published earlier this week, the researchers saidCopy Failis the result of a logic bug in the Linux kernel's authentication cryptographic template that allows an attacker to reliably trigger privilege escalation trivially by means of a 732-byte Python-based exploit. It was introduced through three separate, individually harmless changes to the Linux kernel made in 2011, 2015, and 2017.
The high-severity security vulnerabilityimpactsLinux distributions shipped since 2017, and permits an unprivileged local user to obtain root-level access by corrupting the kernel's in-memorypage cacheof any readable file, including setuid binaries. This corruption could be carried out by unprivileged users and could result in code execution with root permissions. "Because the page cache represents the in-memory version of executables, modifying it effectively alters binaries at execution time without touching disk," Google-owned Wizsaid. "This enables attackers to inject code into privileged binaries (e.g., /usr/bin/su) and thereby gain root privileges." The prevalence of Linux in cloud environments means the vulnerability has a significant impact. Kaspersky, in its analysis of the flaw, said Copy Fail poses a serious risk to containerized environments, as Docker, LXC, and Kubernetes "grant processes inside a container access to the AF_ALG subsystem if the algif_aead module is loaded into the host kernel" by default. "Copy Fail poses a risk of breaching container isolation and gaining control over the physical machine," the Russian security vendorsaid. "At the same time, exploitation does not require the use of complex techniques, such as race conditions or memory address guessing, which lowers the entry barrier for a potential attacker." "Detecting the attack is difficult because the exploit uses only legitimate system calls, which are hard to distinguish from normal application behavior." Adding to the urgency is the availability of a fully working exploit proof-of-concept (PoC), with Kaspersky stating Go and Rust versions of the original Python implementation have already been detected in open-source repositories. CISA did not share any details about how the vulnerability is being exploited in the wild.
However, the Microsoft Defender Security Research Team said it's "seeing preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days." "The attack vector is local (AV:L) and requires low privileges with no user interaction, meaning any unprivileged user on a vulnerable system can attempt exploitation," itadded. "Critically, this vulnerability is not remotely exploitable in isolation, but becomes highly impactful when chained with an initial access vector such as Secure Shell (SSH) access, malicious CI job execution, or container footholds." The tech giant has also detailed one possible route attackers could take to exploit the vulnerability - Federal Civilian Executive Branch (FCEB) agencies have been advised to apply the fixes by May 15, 2026, as updates have been pushed by impacted Linux distributions. If patching is not an immediate option, organizations are recommended to disable the affected feature, implement network isolation, and apply access controls. Learn how to stop patient zero attacks before they bypass detection and compromise your systems at entry points. Learn how to validate real attack paths and reduce exploitable risk with continuous agentic security validation. Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.