thehackernews.com 5/3/2026, 6:51:28 AM · via preferred

CISA flags CVE-2026-31431 Linux kernel flaw under active attack

Developing story vulnerability 12 articles tracked
Dirty Frag Linux kernel flaw (CVE-2026-43284) allows local root via page cache corruption
CyberSIXT Evidence Panel
Primary Source cisa.gov
CISA KEV Listed in KEV
Patch Patch Available

CISA has added CVE-2026-31431, a Linux local privilege escalation flaw also known as Copy Fail, to its Known Exploited Vulnerabilities (KEV) catalog, with evidence of active exploitation in the wild. The vulnerability could allow an unprivileged local user to obtain root by corrupting the kernel’s in-memory page cache, and is described as a nine-year-old flaw introduced by changes in 2011, 2015 and 2017. Fixes have been released for Linux kernel versions 6.18.22, 6.19.12 and 7.0, and the CVSS score is 7.8.

In a write-up, researchers noted that the attack could be triggered by a 732-byte Python-based exploit and that the vulnerability affects Linux distributions shipped since 2017, with potential to break container isolation in cloud environments. Microsoft Defender noted preliminary testing activity that might increase exploitation in coming days, while FCEB agencies have been advised to apply the fixes by 15 May 2026, or disable the affected feature and improve isolation and access controls.

According to The Hacker News, the vulnerability is not remotely exploitable in isolation but can be chained with other vectors such as SSH, malicious CI jobs or container footholds to gain root privileges.

View Primary Source Via thehackernews.com

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline