Threat actors are exploiting a recently disclosed Linux kernel vulnerability leading to root shell access, the US cybersecurity agency CISA warns.
Tracked as CVE-2026-31431 and dubbed Copy Fail, the security defect lurked for almost a decade, impacting all Linux distributions since 2017.
Affecting the kernel’s authencesn AEAD template, the bug allows attackers who already have local code execution to modify the in-memory page cache copy of readable setuid-root binaries and thereby elevate privileges to root.
Copy Fail was disclosed on April 29, and CISA added it to its Known Exploited Vulnerabilities (KEV) catalog on Friday, urging federal agencies to patch it within two weeks.
While CISA has not shared details on the observed exploitation, Microsoft said on Friday that it has observed only limited in-the-wild exploitation, mainly surrounding proof-of-concept (PoC) testing.
On the other hand, the tech giant warns that, despite the minimal current activity targeting it, CVE-2026-31431 has broad applicability, and a working PoC exploit has been released, which should raise concern among defenders.
“Successful exploitation leads to full root privilege escalation (high impact to confidentiality, integrity, and availability) and could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments,” Microsoft notes.
“Its reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI/CD, and Kubernetes environments where untrusted code execution is common,” the company says.
Copy Fail, Microsoft warns, can be exploited by any local, unprivileged user, and can be chained with Secure Shell (SSH) access, malicious CI jobs, or access to containers to achieve root shell access.
An attack chain would begin with reconnaissance to identify a container running a vulnerable kernel and continue with the execution of a small script to overwrite in-memory data and elevate privileges.
According to Microsoft, organizations should prioritize identifying potentially vulnerable machines in their environments, apply the available patches, isolate affected systems, enforce access controls, and review logs for signs of exploitation.