The US Cybersecurity and Infrastructure Security Agency (CISA) has added to its Known Exploited Vulnerabilities (KEV) catalog a recently disclosed critical vulnerability in the Linux kernel, tracked as CVE-2026-31431 (CVSS 7.8), after researchers and security companies reported evidence of active exploitation. It is a local privilege escalation (LPE) flaw dubbed "Copy Fail" that lets an unprivileged user gain root by manipulating the kernel's in-memory page cache; the patches that fix the problem have already been merged into the kernel branches identified by the maintainers, including versions 6.18.22, 6.19.12 and 7.0.
In technical terms, the bug is a controlled corruption of the page cache that affects how the kernel copies data between internal "spheres" of the cryptographic subsystem (AF_ALG). By corrupting specific bytes of an executable's cached pages in memory, without touching the disk, an attacker can inject instructions into privileged setuid binaries (e.g. /usr/bin/su) and obtain execution as UID 0. The authors of the report explain that the bug stems from three apparently innocuous changes introduced in 2011, 2015 and 2017, so the flaw is present in kernels shipped since then and is reliably exploitable with a very compact proof of concept (PoC) in Python (in addition to implementations seen in Go and Rust).

The public availability of a PoC and the local nature of the vector make the risk particularly high in environments where it can be chained with an initial access: a compromised SSH account, a malicious CI job, or an escape from within a container can serve as a starting point. Security companies warn that detection is hard because the exploit uses legitimate system calls, making malicious activity difficult to distinguish from normal behavior. The most dangerous scenario is cloud and container environments, where Docker, LXC or Kubernetes can expose the host's AF_ALG subsystem if the algif_aead module is loaded, which lowers the barriers and allows breaking container isolation to compromise the physical host.
Given this scenario, the number one priority for administrators and security managers must be to patch as soon as possible. CISA has flagged this vulnerability as exploited and recommends applying vendor updates; in addition, US federal agencies have been given an internal deadline (May 15, 2026) to mitigate the risk. The KEV catalog entry and official notices are on the CISA page (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), and the MITRE entry provides further technical context (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31431).

If updating immediately is not possible, there are compensating measures that reduce the exposed surface: prevent the host from loading the algif_aead module (for example, unload it or block its loading with module policies), isolate systems with network access control and segmentation to minimize exploitable entry points, review permissions and SSH access, and harden container configurations (avoid privileged containers, use seccomp / SELinux / AppArmor profiles and deny direct access to unneeded kernel subsystems). Note that traditional file integrity solutions may not detect this technique because the executable on disk is never modified; prevention and patching are therefore more reliable than after-the-fact detection.
Telemetry and response also need strengthening: enable and review audit logs, monitor processes that transition to UID 0, deploy EDR / NGAV capabilities that correlate local anomalies, and prepare containment playbooks for incidents involving privilege escalation on hosts or orchestration nodes. Teams that manage container images should rebuild and redeploy images on patched kernels and review CI pipelines to avoid untrusted executions that could serve as an initial foothold.
The reach of this vulnerability, its simple exploitation with a publicly available PoC and its potential impact on multi-user and cloud environments mean it is not a theoretical threat: if your infrastructure runs Linux (especially in containers or shared systems), you must act now. To verify whether your organization has applied patches or mitigations, check your distributor's policies and bulletins and check the kernel version on the affected hosts; the official kernel page and your distribution's repositories are practical starting points: https://www.kernel.
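As an added example (not from the article, the kernel project or any vendor), a POSIX shell check a defender can run on a host: it compares the running kernel against the fixed releases the article names (6.18.22, 6.19.12, 7.0), reports whether algif_aead is loaded, and prints the modprobe.d policy that blocks its autoloading. The version-parsing logic and the "branch not covered" return code are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the original article or any vendor tooling.
# Exposure check for CVE-2026-31431 ("Copy Fail"): is the running kernel at or
# above a fixed release named in the advisory (6.18.22, 6.19.12, 7.0), and is the
# algif_aead module (AF_ALG AEAD interface) loaded? Version parsing, the
# "branch not covered" return code and the modprobe.d fragment are this script's assumptions.
# kernel_is_patched VERSION -> 0 fixed, 1 below the fix, 2 branch not covered here
kernel_is_patched() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}            # "0-rc1" -> "0"
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0  # "7.0" carries no patch level
    patch=${patch%%[!0-9]*}            # "22-generic" -> "22"
    case "$major.$minor" in
        6.18) [ "$patch" -ge 22 ] ;;
        6.19) [ "$patch" -ge 12 ] ;;
        *)    [ "$major" -ge 7 ] || return 2 ;;
    esac
}
# algif_aead_loaded MODULES_FILE -> 0 if the module appears in a /proc/modules listing
algif_aead_loaded() {
    grep -q '^algif_aead ' "$1" 2>/dev/null
}
# modprobe_block_policy -> /etc/modprobe.d fragment that stops autoloading the module
modprobe_block_policy() {
    printf 'blacklist algif_aead\ninstall algif_aead /bin/false\n'
}
report() {
    kver=$(uname -r)
    rc=0
    kernel_is_patched "$kver" || rc=$?
    case $rc in
        0) echo "kernel $kver: at or above a fixed release named in the advisory" ;;
        2) echo "kernel $kver: branch not listed in the advisory, check your distro bulletin" ;;
        *) echo "kernel $kver: below the fixed release for its branch, patch required" ;;
    esac
    if algif_aead_loaded /proc/modules; then
        echo "algif_aead is loaded: AF_ALG AEAD interface exposed; suggested modprobe.d policy:"
        modprobe_block_policy
    else
        echo "algif_aead not loaded (or /proc/modules unavailable)"
    fi
}
report
```

Run it as an unprivileged user on each host; the modprobe.d lines it prints go in a file under /etc/modprobe.d/ to block the module from being autoloaded.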