Fyself News
CISA actively exploited Linux root access bug CVE-2026-31431 added to KEV


Ravi LakshmananMay 3, 2026Vulnerabilities / Container Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw affecting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The vulnerability is tracked as CVE-2026-31431 (CVSS score: 7.8) and is a local privilege escalation (LPE) flaw that could allow an unprivileged local user to gain root. The nine-year-old flaw is also tracked as a copy failure by Theory and Xint. The fix is now available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.

“The Linux kernel has a vulnerability in the unauthorized transfer of resources between spheres that could potentially allow for privilege escalation,” CISA said in its advisory.

In an article published earlier this week, researchers said the copy failure is the result of a logic bug in the Linux kernel’s authenticated encryption template, which allows an attacker to easily and reliably escalate privileges using a 732-byte Python-based exploit. The bug was introduced through three separate, individually benign changes to the Linux kernel in 2011, 2015, and 2017.

This high-severity vulnerability affects Linux distributions shipped after 2017 and allows unprivileged local users to gain root-level access by corrupting the kernel’s in-memory page cache of readable files, including setuid binaries. The corruption could be triggered by an unprivileged user and could result in code execution with root privileges.

“The page cache represents an in-memory version of an executable file, so changing it effectively changes the binary at runtime without ever touching disk,” said Google’s Wiz. “This allows an attacker to inject code into privileged binaries (such as /usr/bin/su) and gain root privileges.”

The prevalence of Linux in cloud environments gives this vulnerability a significant impact. In its analysis of the flaw, Kaspersky said the copy failure poses a serious risk to containerized environments because Docker, LXC, and Kubernetes by default “give processes inside a container access to the AF_ALG subsystem if the algif_aead module is loaded in the host kernel.”

“Failure to copy poses a risk of breaking through container isolation and taking control of physical machines,” the Russian security vendor said. “At the same time, exploitation does not require the use of complex techniques such as race conditions or memory address guessing, lowering the barrier to entry for potential attackers.”

“This exploit is difficult to detect because it uses only legitimate system calls and is difficult to distinguish from normal application behavior.”

The availability of a fully functional exploit proof of concept (PoC) also adds to the urgency. Kaspersky says Go and Rust versions of the original Python implementation can already be found in open source repositories.

CISA did not provide details about how this vulnerability is being exploited in the wild. However, the Microsoft Defender Security Research Team said it has “identified preliminary testing activity that will most likely result in increased exploitation by threat actors in the coming days.”

“The attack vector is local (AV:L) and requires low privileges without user interaction, meaning an unprivileged user could attempt to exploit it on a vulnerable system,” it added. “Importantly, while this vulnerability is not remotely exploitable on its own, it is highly impactful when chained with initial access vectors such as secure shell (SSH) access, malicious CI job execution, and container footholds.”

The tech giant also details one route an attacker could take to exploit the vulnerability:

1. Perform reconnaissance to identify Linux hosts or containers running kernel versions that are susceptible to copy failures.
2. Prepare a small Python trigger to use against the endpoint.
3. Run the exploit from a low-privileged context, either as a normal Linux user on the host or as a compromised container process with no special capabilities.
4. The exploit performs a controlled 4-byte overwrite in the kernel page cache, leading to corruption of kernel-managed sensitive data.
5. The attacker escalates the process to UID 0 and gains full root privileges.

Federal Civilian Executive Branch (FCEB) agencies are advised to apply the fix by May 15, 2026, as updates are being pushed by affected Linux distributions. If patching is not immediately possible, organizations are encouraged to disable affected features, implement network isolation, and enforce access controls.
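For defenders triaging hosts against the fixed releases and the algif_aead exposure described above, the following is an added example, not code from CISA, Kaspersky, or Microsoft. It assumes the kernel release string from `uname -r` and the text of `/proc/modules` as inputs; the function names, status labels, and sample module lines are constructed for illustration.

```python
import platform
import re

# Fixed releases named in the article, keyed by stable branch (major, minor).
FIXED_BY_BRANCH = {(6, 18): 22, (6, 19): 12}
FIXED_MAINLINE = (7, 0)  # 7.0 and later carry the fix

def parse_release(release):
    """Turn a release such as '6.18.21-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def kernel_status(release):
    """Return 'fixed', 'vulnerable' or 'unknown' from the version string alone.

    Distribution kernels often backport fixes without changing the upstream
    version, so 'vulnerable' and 'unknown' mean: confirm with the vendor advisory.
    """
    major, minor, patch = parse_release(release)
    if (major, minor) >= FIXED_MAINLINE:
        return "fixed"
    if (major, minor) in FIXED_BY_BRANCH:
        return "fixed" if patch >= FIXED_BY_BRANCH[(major, minor)] else "vulnerable"
    return "unknown"  # the article names no fixed release for this branch

def module_loaded(proc_modules_text, name="algif_aead"):
    """True if `name` is listed in /proc/modules content (first column)."""
    return any(line.split()[:1] == [name] for line in proc_modules_text.splitlines())

def triage(release, proc_modules_text):
    """Combine both checks into a single priority label for one host."""
    status = kernel_status(release)
    if status == "fixed":
        return "ok"
    if module_loaded(proc_modules_text):
        return "exposed" if status == "vulnerable" else "review-exposed"
    # Not loaded right now is not proof of safety: the module may be built in
    # or loaded on demand, so the host still needs the patch.
    return "patch-needed" if status == "vulnerable" else "review"

# Constructed sample of /proc/modules content, for illustration only.
SAMPLE_MODULES = (
    "algif_aead 16384 0 - Live 0x0000000000000000\n"
    "af_alg 32768 1 algif_aead, Live 0x0000000000000000\n"
)

if __name__ == "__main__":
    with open("/proc/modules") as fh:
        print(platform.release(), triage(platform.release(), fh.read()))
```

On a container host, run the check against the host kernel, since containers share it and the article notes that container processes reach AF_ALG when the module is loaded there.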

