Several vulnerabilities in the Linux kernel have been recently disclosed that have attracted heightened scrutiny from the cybersecurity community, following evidence that they can be exploited to obtain full root-level control across a wide range of systems consistently. This vulnerability, formally referred to as “Copy Fail,” affects kernel versions spanning nearly a decade, dramatically expanding its attack surface and posing a significant threat to millions of deployments.
It is tracked as CVE-2026-31431.
Several security researchers emphasize that this issue is not only significant when it comes to privilege escalation, but also stands out for its operational simplicity, cross-environment portability, and high exploitation success rate factors, which all contribute to its elevated threat profile and explain why it has been classified as an actively exploited vulnerability.
Several security researchers emphasize that this issue is not only significant when it comes to privilege escalation, but also stands out for its operational simplicity, cross-environment portability, and high exploitation success rate factors, which all contribute to its elevated threat profile and explain why it has been classified as an actively exploited vulnerability.
Upon reviewing these findings, the Cybersecurity and Infrastructure Security Agency (CISA) has formally escalated the issue by adding the flaw to its Known Exploited Vulnerabilities (KEV) catalogue, which indicates confirmed instances of exploitation across multiple Linux distributions in the wild.
The weakness, rated CVE-2026-31431, has a CVSS score of 7.8, and is considered to be a local privilege escalation vulnerability (LPE), which permits an unprivileged user with local access to elevate privileges to root privileges. However, its long-lasting undetected status, combined with its reliable exploitation pathway, makes it an operational risk even greater despite its moderate scoring.
Under the designation “Copy Fail,” security researchers at Theori and Xint first identified and analyzed this issue. The issue arises from the incorrect transfer of resources between security contexts within Linux kernels, which can be exploited to bypass standard privilege boundaries in Linux.
Several kernel patches, including versions 6.18.22, 6.19.12, and 7.0, have been released in response to this vulnerability, which has been actively exploited. Federal guidance urges organisations to prioritize updating based on the active exploitation status of the vulnerability. Additionally, its unusually low barrier to exploitation and wide ecosystem impact reinforce the urgency surrounding the flaw.
According to researchers, an exploit can be executed with as little as 732 bytes of code, which significantly reduces the threshold for abuse and extends its reach across virtually all major Linux distributions since 2017.
Unprivileged local users are able to manipulate the kernel’s in-memory page cache of readable files, including setuid binaries, at the core of the vulnerability. By doing so, executables may be modified at runtime without altering files on disk. Injecting malicious code into trusted binaries such as /usr/bin/su results in root-level permissions for execution. This technique creates a stealthy pathway to privilege escalation.
The security analysts at Wiz have stated that this in-memory tampering fundamentally undermines traditional integrity assumptions, since the page cache serves as the live execution layer for binaries. Furthermore, this risk is compounded when deploying large-scale Linux-based applications in modern cloud or containerised infrastructures.
According to Kaspersky’s analysis, environ
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: