CISA adds Linux root access bug CVE-2026-31431 to exploited vulnerabilities list
Updated · The Hacker News · May 3
The flaw, dubbed Copy Fail, affects Linux distributions shipped since 2017, carries a 7.8 CVSS score, and has patches in kernel versions 6.18.22, 6.19.12 and 7.0.
Researchers said a 732-byte Python exploit can let an unprivileged local user gain root by corrupting the page cache, with container platforms such as Docker, LXC and Kubernetes also at risk.
CISA ordered federal civilian agencies to fix it by 15 May, while Microsoft warned early testing could spur wider abuse; if patching is delayed, organizations should restrict access and isolate systems.
Critical Linux Kernel Flaw CVE-2026-31431 Demands Immediate Patching to Prevent Host and Cloud Compromise
Overview
On May 1, 2026, CISA urgently added CVE-2026-31431, a critical Linux kernel flaw in the algif_aead module, to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate it by May 15. This vulnerability allows unprivileged local attackers to corrupt in-memory copies of setuid binaries, leading to reliable root privilege escalation. It also breaks container isolation, enabling attackers to escape containers and compromise entire multi-tenant cloud hosts. The flaw was rapidly discovered by an AI tool, prompting patches within a week. Applying these patches or workarounds is essential to reduce risk, as active exploitation attempts have already been observed in the wild.