Exploitation of ‘Copy Fail’ Linux Vulnerability Begins

Threat actors are exploiting a long-standing Linux kernel vulnerability, CVE-2026-31431 (dubbed Copy Fail), that allows authenticated users with code execution to modify in-memory cache pages of readable setuid-root binaries and obtain a root shell. CISA has added the flaw to its Known Exploited Vulnerabilities catalog and urged rapid patching, while Microsoft warns that a public proof-of-concept exists and that the bug poses significant risk to cloud, CI/CD, and Kubernetes environments.

Key points

  • CVE-2026-31431 (Copy Fail) is a Linux kernel bug in the authencesn AEAD template present since 2017.
  • The flaw lets authenticated attackers with code execution overwrite in-memory cache pages of setuid-root binaries to escalate to root.
  • CISA added the vulnerability to its KEV catalog and urged federal agencies to patch within two weeks.
  • Microsoft reports limited in-the-wild activity but warns a public PoC and wide applicability threaten cloud, CI/CD, and Kubernetes deployments.
  • Mitigations include identifying vulnerable hosts, applying patches, isolating affected systems, enforcing access controls, and reviewing logs for exploitation signs.

Read More: https://www.securityweek.com/exploitation-of-copy-fail-linux-vulnerability-begins/