Linux kernel privilege escalation bug CVE-2026-31431 added to CISA KEV catalog after active exploitation

CISA added CVE-2026-31431, a Linux kernel vulnerability enabling root privilege escalation, to its Known Exploited Vulnerabilities catalog on May 1, with federal agencies required to remediate by May 15. The flaw, codenamed 'Copy Fail,' resides in the AF_ALG cryptographic interface and allows unprivileged users — including from unprivileged containers — to gain UID 0 through a compact Python exploit that corrupts kernel page cache via a failed splice() operation. The attack works from any foothold, requires no network access or special capabilities, and affects kernels after version 4.14.