www.securityweek.com 5/4/2026, 11:01:33 AM · via preferred

CISA Warns of Active Exploitation of Linux Kernel Copy Fail Flaw

Moxa Linux Flaw Lets Local Users Gain Root Access via Dirty Frag

Moxa has issued a critical security advisory (MPSA-263140) concerning vulnerabilities in its Linux-based operating systems that allow local attackers to gain root privileges. The weaknesses are identified as 'Copy Fail' (CVE-2026-31431) and 'Dirty Frag' (CVE-2026-43284, CVE-2026-43500). The advisory underscores the risks in non-containerized…

First seen 2026-05-01T21:21:17.916Z · Last seen 2026-05-27T10:32:00.184Z

CyberSIXT Evidence Panel
Primary Source: microsoft.com
CISA KEV: Listed in KEV
Patch: Patch Available

SecurityWeek reports that exploitation of the Linux kernel flaw known as Copy Fail (CVE-2026-31431) has begun: CISA has added the bug to its Known Exploited Vulnerabilities list, and Microsoft notes limited in-the-wild activity largely tied to PoC testing. The vulnerability affects the kernel’s AEAD template and lets authenticated attackers who can already execute code escalate to root by modifying the cache page of readable setuid-root binaries.

Microsoft describes the flaw, disclosed on 29 April, as broadly applicable and notes that a working PoC exploit has already been released, raising concerns for defenders in cloud, CI/CD and Kubernetes environments. According to Microsoft, exploitation can lead to full root privilege escalation and could facilitate container breakout and lateral movement, and it can be chained with SSH access, malicious CI jobs, or access to containers.

Microsoft also advises organisations to identify vulnerable machines, apply patches, isolate systems, enforce access controls and review logs for signs of exploitation.

Article by CyberSIXT
