Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a case of local privilege escalation (LPE) flaw that could allow an
Analysis Summary
# Vulnerability: Copy Fail Local Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-31431
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-440 (Expected behavior: Incorrect resource transfer between spheres)
## Affected Systems
- **Products:** Various Linux distributions using the Linux Kernel.
- **Versions:** Linux Kernel versions shipped since 2017 (containing code introduced as far back as 2011) up until the fixed releases.
- **Configurations:** Systems where the `algif_aead` module is loaded into the host kernel. This includes many default configurations for Docker, LXC, and Kubernetes.
## Vulnerability Description
Dubbed **"Copy Fail,"** this vulnerability is a logic bug within the Linux kernel's authentication cryptographic template. It stems from three separate code changes made in 2011, 2015, and 2017 that, while harmless individually, created a flaw when combined.
The flaw allows an unprivileged user to corrupt the kernel's in-memory **page cache**. Because the page cache stores the memory-resident versions of executables, an attacker can modify a privileged binary (such as `/usr/bin/su`) in memory without touching the physical disk. This allows for the injection of malicious code into privileged processes, bypassing standard filesystem integrity checks.
## Exploitation
- **Status:** **Exploited in the wild.** Added to CISA KEV catalog in May 2026.
- **Complexity:** Low. Exploitation does not require complex memory grooming, race conditions, or address guessing.
- **Attack Vector:** Local. Requires an initial foothold on the system (e.g., via SSH, a malicious CI/CD job, or a compromised container).
## Impact
- **Confidentiality:** High (Full system access/root)
- **Integrity:** High (Ability to modify running binaries and system files)
- **Availability:** High (Potential for system-wide disruption)
## Remediation
### Patches
Update the Linux kernel to the following versions or newer:
- **6.18.22**
- **6.19.12**
- **7.0**
### Workarounds
- Disable or restrict access to the `AF_ALG` subsystem where possible.
- Unload the `algif_aead` kernel module if it is not required for system operations.
## Detection
- **Indicators of Compromise:** Presence of unauthorized Python, Go, or Rust-based exploit scripts (typically ~732 bytes for the Python version) targeting the cryptographic subsystem.
- **Detection Methods:**
- Monitoring for unusual system calls originating from unprivileged local users or containers.
- Difficulty level: **High**. Detection is challenging because the exploit utilizes legitimate system calls that mimic normal application behavior.
- Audit logs for `/usr/bin/su` or other setuid binaries being invoked in unusual contexts or by unexpected users.
## References
- CISA KEV Catalog: [https://www.cisa.gov/known-exploited-vulnerabilities-catalog]
- The Hacker News Article: [https://thehackernews[.]com/2026/05/cisa-adds-actively-exploited-linux-root.html]
- Microsoft Security Blog: [https://www.microsoft[.]com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/]
- Wiz Research: [https://www.wiz[.]io/blog/copyfail-cve-2026-31431-linux-privilege-escalation-vulnerability]