Microsoft Defender researchers warn of CVE-2026-31431, a vulnerability dubbed Copy Fail that enables Linux root privilege escalation across cloud environments and affects multiple major Linux distributions, including Red Hat, SUSE, Ubuntu and AWS Linux. The flaw, a local privilege escalation in the Linux kernel’s AF_ALG crypto subsystem, could allow an unprivileged user to gain UID 0 by abusing a 4‑byte overwrite in the kernel page cache, potentially enabling container breakout and cross‑container impact.
Exploitation has been demonstrated in proof‑of‑concept form, and the vulnerability has been added to the CISA Known Exploited Vulnerabilities catalog, heightening the urgency of patching. Mitigation guidance published by Microsoft includes applying patches when available or, in the interim, disabling the affected feature, enforcing network isolation and tightening access controls, alongside prompt log review for signs of exploitation.
The research also provides detection and hunting guidance within Microsoft Defender XDR, emphasising that the vulnerability is highly impactful in cloud, CI/CD and Kubernetes environments where untrusted code execution is common.