CISA has added CVE-2026-31431, a Linux local privilege escalation flaw also known as Copy Fail, to its Known Exploited Vulnerabilities (KEV) catalog, with evidence of active exploitation in the wild. The vulnerability could allow an unprivileged local user to obtain root by corrupting the kernel’s in-memory page cache, and is described as a nine-year-old flaw introduced by changes in 2011, 2015 and 2017. Fixes have been released for Linux kernel versions 6.18.22, 6.19.12 and 7.0, and the CVSS score is 7.8.
In a write-up, researchers noted that the attack could be triggered by a 732-byte Python-based exploit and that the vulnerability affects Linux distributions shipped since 2017, with potential to break container isolation in cloud environments. Microsoft Defender noted preliminary testing activity that might increase exploitation in coming days, while FCEB agencies have been advised to apply the fixes by 15 May 2026, or disable the affected feature and improve isolation and access controls.
According to The Hacker News, the vulnerability is not remotely exploitable in isolation but can be chained with other vectors such as SSH, malicious CI jobs or container footholds to gain root privileges.