The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly disclosed Linux vulnerability, tracked as CVE-2026-31431, to its Known Exploited Vulnerabilities (KEV) catalog after identifying signs of active exploitation in the wild. The flaw affects various Linux distributions and is described as a local privilege escalation issue that can allow an unprivileged local user to gain root access.
The vulnerability carries a CVSS score of 7.8 and has also been referred to as “Copy Fail” by Theori and Xint. According to the source material, fixes are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0. CISA has also issued guidance for federal agencies, while security researchers and vendors have highlighted the risk to cloud and containerized environments.
What CVE-2026-31431 affects
CISA’s advisory states that the issue is an “incorrect resource transfer between spheres” vulnerability in the Linux kernel that could lead to privilege escalation. The problem is local in nature, meaning it does not provide remote access on its own. Instead, it requires low privileges and no user interaction, which makes it possible for any unprivileged user on a vulnerable system to attempt exploitation.
The vulnerability has been described as nine years old and is said to impact Linux distributions shipped since 2017. The source material says it can let an unprivileged local user corrupt the kernel’s in-memory page cache of any readable file, including setuid binaries, and use that corruption to obtain root-level access. Beyond the kernel issue description and the researchers’ explanation, which attributes the flaw to a logic bug in the Linux kernel’s authentication cryptographic template, the root cause has not been independently confirmed.
Why defenders are concerned
Researchers quoted in the source say the flaw can be triggered reliably with a small, 732-byte Python-based exploit. They also noted that the issue was introduced through three separate changes to the Linux kernel made in 2011, 2015, and 2017, each of which was harmless on its own.
Wiz said the page cache is the in-memory version of executables, so modifying it can effectively alter binaries at execution time without changing files on disk. In practical terms, that means an attacker could inject code into privileged binaries such as /usr/bin/su and obtain root privileges.
The vulnerability is also considered especially relevant for cloud and containerized systems. Kaspersky said Docker, LXC, and Kubernetes can grant processes inside a container access to the AF_ALG subsystem if the algif_aead module is loaded into the host kernel by default. That creates a path where exploitation could breach container isolation and potentially lead to control over the physical machine.
Observed exploitation and available guidance
CISA did not disclose how the flaw is being exploited in the wild. However, the Microsoft Defender Security Research Team reported preliminary testing activity and warned that more threat-actor exploitation may follow in the coming days. Microsoft also stressed that the vulnerability is not remotely exploitable on its own, but can become highly impactful when chained with initial access such as SSH access, malicious CI job execution, or a container foothold.
The source material also notes that fully working proof-of-concept code is already available, with Go and Rust versions of the original Python implementation found in open-source repositories. This lowers the barrier for potential abuse and increases the urgency of patching.
Key points for defenders
- CISA has added CVE-2026-31431 to the KEV catalog due to active exploitation.
- The flaw is a Linux local privilege escalation bug that can lead to root access.
- Fixes are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.
- The issue affects cloud and container environments, including Docker, LXC, and Kubernetes setups.
- Federal Civilian Executive Branch agencies have been told to apply fixes by May 15, 2026.
- If patching is not immediately possible, organizations are advised to disable the affected feature, implement network isolation, and apply access controls.
What organizations should do now
For defenders, the immediate priority is to identify whether affected Linux kernel versions are in use and apply the available updates as soon as possible. CISA’s inclusion of the flaw in KEV means the agency considers it an active threat that requires prompt attention.
Organizations that cannot patch right away should follow the mitigation steps named in the source material: disable the affected feature where possible, isolate vulnerable systems, and tighten access controls. Given the local nature of the attack and the existence of public proof-of-concept code, reducing exposure and limiting initial access paths are important defensive measures.
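The following triage script is an added illustration of the first step above and is not from the article, CISA, or any vendor named in it. It assumes a Linux host with uname(1) and /proc/modules, and it treats only the three fixed kernel versions the article names (6.18.22, 6.19.12, and 7.0) as fixed; whether your distribution has backported the fix to another stable branch is an assumption you must verify against its own advisory.

```sh
#!/bin/sh
# Added triage helper (not from the article, CISA, or any vendor).
# Assumptions: Linux host with uname(1) and /proc/modules; only the fixed
# kernel versions the article names (6.18.22, 6.19.12, 7.0) count as fixed.

# Prints "fixed" or "unfixed" for a release string such as "6.18.3-arch1-1".
kernel_status() {
    v=${1%%-*}                     # drop distro suffix ("-generic", "-arch1-1")
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;   # third field present
        *)   patch=0 ;;            # "7.0" style release
    esac
    patch=${patch%%.*}             # ignore any fourth field
    patch=${patch%%[!0-9]*}        # keep leading digits only
    [ -n "$patch" ] || patch=0
    if [ "$major" -ge 7 ]; then
        echo fixed
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 19 ] && [ "$patch" -ge 12 ]; then
        echo fixed
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 18 ] && [ "$patch" -ge 22 ]; then
        echo fixed
    else
        echo unfixed                # older branch: check your distro advisory
    fi
}

# Prints "loaded" if algif_aead (the AF_ALG path the article mentions) is a
# loaded module, else "not-loaded". A kernel with it built in is not detected.
algif_aead_state() {
    if grep -q '^algif_aead ' /proc/modules 2>/dev/null; then
        echo loaded
    else
        echo not-loaded
    fi
}

# One-line report for the running host, suitable for a fleet-wide inventory.
main() {
    rel=$(uname -r)
    echo "kernel $rel: $(kernel_status "$rel"); algif_aead: $(algif_aead_state)"
}
main "$@"
```

A host reporting "unfixed" together with "loaded" is the combination the article's container guidance is about; preventing the module from autoloading (for example with a modprobe install rule) is a common way to apply the "disable the affected feature" mitigation, but that specific step is an assumption here, not guidance from the article.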
In short, CVE-2026-31431 is a serious Linux privilege escalation flaw with active exploitation concerns, public proof-of-concept availability, and clear implications for containerized and cloud-hosted environments. Rapid patching remains the most effective response.