Active Exploitation of Local Privilege Escalation Vulnerability in the Linux Kernel
Summary
CVE-2026-31431 (dubbed "Copy Fail") affects all Linux kernel builds since 2017, and could allow a local, unprivileged attacker to escalate privileges to root.
Affected platforms
The following platforms are known to be affected:
Threat details
Active Exploitation of CVE-2026-31431
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-31431 to its Known Exploited Vulnerabilities (KEV) Catalog.
The NHS England National CSOC assesses further exploitation as highly likely.
Introduction
Security researchers have released a proof-of-concept exploit for CVE-2026-31431 (dubbed "Copy Fail") in the "algif_aead" module of the Linux kernel. Successful exploitation could allow a local unprivileged attacker to escalate privileges to root by writing 4 controlled bytes into the page cache of any readable file on a Linux system.
- CVE-2026-31431 - "Incorrect Resource Transfer Between Spheres" vulnerability - CVSSv3 score: 7.8
Threat updates
| Date | Update |
|---|---|
| 5 May 2026 | Active Exploitation of CVE-2026-31431. The following items have been updated to reflect this change: |
Remediation advice
Affected organisations are strongly encouraged to update the kernel package on affected Linux distributions to one that includes mainline commit a664bf3d603d as soon as possible.
Fixed Linux kernel releases include versions 6.18.22, 6.19.12, and 7.0; for a full list see the "Unaffected" versions under Product Status on the cve.org website.
Most major distributions are currently shipping fixed versions through normal kernel package updates.
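An added example (not part of the original alert, and not NHS England or vendor tooling): a Python triage of `uname -r` strings against the fixed releases listed above. The function names and the sample inventory are constructed, and treating releases after 7.0 as fixed is an assumption; a version number cannot confirm a distribution backport of commit a664bf3d603d, so any result other than "fixed" needs the vendor changelog.

```python
import re

# Fixed releases named in this advisory: stable series -> first fixed patch level.
FIXED_IN_SERIES = {(6, 18): 22, (6, 19): 12}
FIXED_MAINLINE = (7, 0)  # assumption: releases from 7.0 onward carry the fix

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def triage(release):
    """Classify a `uname -r` string: 'fixed', 'below-fixed' or 'check-vendor'."""
    m = _RELEASE.match(release.strip())
    if not m:
        return "check-vendor"
    series = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    if series in FIXED_IN_SERIES:
        # A vendor backport can make 'below-fixed' a false alarm; check the changelog.
        return "fixed" if patch >= FIXED_IN_SERIES[series] else "below-fixed"
    if series >= FIXED_MAINLINE:
        # Release candidates of 7.0 predate the 7.0 release named above.
        if series == FIXED_MAINLINE and re.search(r"-rc\d+", m.group(4)):
            return "check-vendor"
        return "fixed"
    # Series not listed on this page: consult cve.org or the vendor advisory.
    return "check-vendor"


def triage_inventory(text):
    """Map host -> status from lines of 'host release' (blank and # lines skipped)."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            result[fields[0]] = triage(fields[1])
    return result


# Constructed sample inventory (hostnames and release strings are made up).
SAMPLE = """\
# host   uname -r
web01    6.18.21-1-amd64
web02    6.18.22-1-amd64
build01  7.0.0-rc3
app01    5.15.0-105-generic
"""

if __name__ == "__main__":
    print(triage_inventory(SAMPLE))
```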
Definitive source of threat updates
Last edited: 5 May 2026 11:52 am