CISA Issues Alert on Actively Exploited "Copy Fail" Linux Root Vulnerability
These articles are AI-generated summaries. Please check the original sources for full details.
CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog following evidence of active exploitation. This “Copy Fail” flaw allows unprivileged local users to obtain root access by corrupting the kernel’s in-memory page cache via a 732-byte Python-based exploit.
Why This Matters
Copy Fail underscores the fragility of kernel-level security when multiple benign changes interact to create a critical logic bug. By modifying the page cache instead of the on-disk file, attackers can alter the execution-time behavior of privileged binaries like /usr/bin/su without changing what disk-based integrity monitoring sees, rendering that monitoring ineffective. This poses a severe risk to cloud infrastructures and containerized systems like Kubernetes, where default configurations often permit unprivileged access to the vulnerable AF_ALG subsystem, potentially giving an attacker control of the underlying host.
Key Insights
- The CVE-2026-31431 vulnerability was introduced via three separate, individually harmless kernel changes made in 2011, 2015, and 2017.
- Exploitation relies on a logic bug in one of the Linux kernel's authenticated-encryption (AEAD) crypto templates to corrupt sensitive kernel-managed data.
- Wiz reports that page cache modification allows code injection into privileged binaries without triggering disk-based detection alerts.
- Go and Rust versions of the original 732-byte Python exploit have already been detected in open-source repositories by Kaspersky.
- Microsoft Defender Security Research Team identified preliminary testing activity indicating likely increases in threat actor exploitation.
- The vulnerability affects Linux distributions shipped since 2017 and is patched in kernel versions 6.18.22, 6.19.12, and 7.0.
Practical Applications
- Use Case: FCEB agencies must update to Linux kernel 6.18.22, 6.19.12, or 7.0 (or later) by May 15, 2026, to mitigate active exploitation.
- Pitfall: Relying on disk-based file-integrity monitoring to protect setuid binaries; it cannot see corruption of the in-memory page cache.
- Use Case: Container administrators should disable the algif_aead module in host kernels so that Docker and Kubernetes workloads cannot use the vulnerable AF_ALG path to breach isolation.
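As an added example (not code from the article, CISA or any vendor), a small POSIX shell helper that classifies a kernel release against the fix versions named above and prints the modprobe drop-in for the algif_aead mitigation; the drop-in path /etc/modprobe.d/copyfail.conf is assumed, and the bare version test cannot see distribution backports.

```shell
#!/bin/sh
# Added example, not code from the article, CISA or any vendor: classify a
# kernel release against the fix versions named above (6.18.22, 6.19.12, 7.0)
# and print a modprobe drop-in that keeps algif_aead from loading on hosts.
# Assumption: a bare version test cannot see distribution backports, so
# releases below 6.18 are reported as "check-backports", not "vulnerable".

copyfail_kernel_status() {
    # $1: release string as `uname -r` prints it, e.g. 6.19.3-generic
    ver=${1%%-*}                        # strip -generic, -amd64, -rc1 ...
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "7.0" has no third component
    # keep digits only so odd suffixes never break the integer tests
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -ge 7 ]; then
        echo patched
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 19 ]; then
        [ "$patch" -ge 12 ] && echo patched || echo vulnerable
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 18 ]; then
        [ "$patch" -ge 22 ] && echo patched || echo vulnerable
    else
        echo check-backports            # older branch: consult the distro advisory
    fi
}

algif_aead_modprobe_conf() {
    # Drop-in for /etc/modprobe.d/copyfail.conf (assumed file name).
    # "install ... /bin/false" makes explicit loads fail; "blacklist" stops
    # alias-driven autoloading of the module.
    cat <<'EOF'
# CVE-2026-31431 (Copy Fail) mitigation: refuse to load the algif_aead module
install algif_aead /bin/false
blacklist algif_aead
EOF
}

algif_aead_loaded() {
    # exit 0 when the module is resident in the running kernel
    [ -r /proc/modules ] && grep -q '^algif_aead ' /proc/modules
}

# Read-only report for this host; writing the drop-in needs root.
running=$(uname -r 2>/dev/null || echo unknown)
echo "kernel $running: $(copyfail_kernel_status "$running")"
if algif_aead_loaded; then echo "algif_aead: loaded"; else echo "algif_aead: not loaded"; fi
```

A "check-backports" result means the branch is older than the fixed series, so the distribution's advisory, not the version number, decides whether the host is fixed.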