The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a new security flaw affecting different Linux versions to its list of Known Exploited Vulnerabilities (KEV). They mentioned that there is proof of this flaw being used in real attacks.
The flaw, known as CVE-2026-31431 (CVSS score: 7.8), is a type of local privilege escalation (LPE) flaw. It can let a regular local user get root access. This flaw has been around for nine years and is also called Copy Fail by Theori and Xint. Fixes are out for Linux kernel versions 6.18.22, 6.19.12, and 7.0.
“Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation,” CISA said in an advisory.
Researchers have found that Copy Fail is caused by a logic error in the Linux kernel’s security system. This lets attackers easily gain more control using a small 732-byte Python exploit. The flaw came from three small changes to the Linux kernel that were made in 2011, 2015, and 2017.
The serious security problem affects Linux versions released since 2017. It allows a regular user to get root access by messing with the kernel’s in-memory page cache for any file that can be read, including setuid binaries. This can be done by normal users and could let them run code with root permissions.
“Because the page cache represents the in-memory version of executables, modifying it effectively alters binaries at execution time without touching disk,” Google-owned Wiz said. “This enables attackers to inject code into privileged binaries (e.g., /usr/bin/su) and thereby gain root privileges.”
The use of Linux in cloud systems makes the flaw very important. Kaspersky noted that Copy Fail is a big threat to container environments. This is because Docker, LXC, and Kubernetes let processes in a container access the AF_ALG system if the algif_aead module is loaded on the host kernel by default.
“Copy Fail poses a risk of breaching container isolation and gaining control over the physical machine,” the Russian security vendor said. “At the same time, exploitation does not require the use of complex techniques, such as race conditions or memory address guessing, which lowers the entry barrier for a potential attacker.”
“Detecting the attack is difficult because the exploit uses only legitimate system calls, which are hard to distinguish from normal application behavior.”
CISA did not share any details about how the vulnerability is being exploited in the wild. However, the Microsoft Defender Security Research Team said it’s “seeing preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days.”
“The attack vector is local (AV:L) and requires low privileges with no user interaction, meaning any unprivileged user on a vulnerable system can attempt exploitation,” it added. “Critically, this vulnerability is not remotely exploitable in isolation, but becomes highly impactful when chained with an initial access vector such as Secure Shell (SSH) access, malicious CI job execution, or container footholds.”
InfoSecBulletin Cybersecurity for mankind
