CISA added CVE-2026-31431—known as Copy Fail—to its Known Exploited Vulnerabilities catalog after observing active exploitation of a local privilege escalation bug in the Linux kernel that can allow an unprivileged user to obtain root; fixes are available in kernel versions 6.18.22, 6.19.12, and 7.0. This flaw, introduced by changes made between 2011 and 2017 and weaponized with trivial PoC exploits in Python (and ported to Go and Rust), poses a serious risk to containerized and cloud environments and prompted FCEB agencies to apply patches by May 15, 2026. #CVE-2026-31431 #CopyFail
Keypoints
- CVE-2026-31431 (Copy Fail) is a local privilege escalation in the Linux kernel that can let unprivileged users obtain root.
- CISA added the vulnerability to its KEV catalog after evidence of active exploitation in the wild.
- Patches are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0, with FCEB agencies advised to patch by May 15, 2026.
- The exploit corrupts the kernel page cache to modify executables at runtime and has trivial PoC implementations in Python, Go, and Rust.
- Containerized and cloud hosts are especially at risk because the flaw can be chained from container or SSH footholds to break isolation and gain host root.
Read More: https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html