Security3 min read

CISA adds nine-year-old Linux kernel Copy Fail privilege escalation CVE-2026-31431 to KEV

Tags Security · Infrastructure · OSS

Microsoft Security Blog · The Hacker News · Canadian Centre for Cyber Security·May 3, 2026

CISA adds nine-year-old Linux kernel Copy Fail privilege escalation CVE-2026-31431 to KEV

CISA added CVE-2026-31431 (CVSS 7.8), a nine-year-old Linux kernel local privilege escalation flaw dubbed Copy Fail, to its Known Exploited Vulnerabilities catalog after confirming active in-the-wild exploitation. The vulnerability (CWE-669) affects all Linux kernels built between 2017 and the April 2026 patch release. An unprivileged local user can write 4 controlled bytes into the page cache of any readable file to gain root privileges, using a 732-byte Python exploit chaining AF_ALG socket, splice(), and improper error handling. Microsoft Defender Security Research Team published detailed analysis on May 1. The flaw is especially dangerous in container/cloud environments because containers share the host kernel. Fixes are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.

Sources

Microsoft Security Blog The Hacker News Canadian Centre for Cyber Security