[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftevEcFsz5zTV_XTrBKwgvwsDiC45wizR2aSKQn50l94":3},{"article":4,"iocs":48},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"143088ad-7cd0-4eef-9f0c-891b367a23e4","CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments","cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation-a-ac3884","A high-severity Linux vulnerability, “Copy Fail” (CVE-2026-31431), enables root privilege escalation across cloud environments and Kubernetes workloads. With a working exploit already in the wild, organizations should act quickly to detect, mitigate, and reduce risk. The post CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments appeared first on Microsoft Security Blog.","CVE-2026-31431 (\"Copy Fail\") is a high-severity local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem affecting major distributions (Ubuntu, RHEL, Amazon Linux, SUSE, Debian, Fedora, Arch Linux) released since 2017. An unprivileged user can corrupt the kernel page cache of privileged binaries via the AF_ALG socket interface and splice() syscall, enabling unauthorized root access, container escape, and lateral movement in cloud and Kubernetes environments. A working proof-of-concept exploit is already in the wild and has been added to CISA's Known Exploited Vulnerabilities catalog, prompting urgent patching.","CVE-2026-31431 Copy Fail vulnerability enables Linux root privilege escalation across cloud environments.","
Microsoft Defender is investigating a high-severity local privilege escalation vulnerability (CVE-2026-31431) affecting multiple major Linux distributions including Red Hat, SUSE, Ubuntu, and AWS Linux. This vulnerability allows unauthorized escalation of privileges to root, impacting a significant portion of cloud Linux workloads and millions of Kubernetes clusters. Although active exploitation has been limited and primarily observed in proof-of-concept testing, the vulnerability’s broad applicability has caused widespread concern. Given the availability of a fully working exploit proof-of-concept (PoC) and the race to patch systems, Microsoft Defender is seeing preliminary testing activity that will most likely result in increased threat actor exploitation over the next few days, as also confirmed by the recent addition of this vulnerability to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerability (KEV) catalog. In this report, Microsoft Defender shares detailed analyses and detection insights for this vulnerability, as well as mitigation recommendations and hunting guidance for customers to act on. Further investigation towards providing stronger protection measures is in progress, and this report will be updated when more information becomes available. Vulnerability details. Vulnerability type: Local privilege escalation. Attack vector: Code execution from unprivileged user. Prerequisites for exploitation: Local access to the machine as non-privileged user. Brief technical explanation: A bug in the Linux kernel’s crypto-subsystem can be abused by an attacker to corrupt the cache of any readable file, including setuid binaries. 
This corruption could be carried out by unprivileged users and could result in code execution with root privilege, effectively escalating the unprivileged user to root in an unauthorized way. The vulnerability affects virtually all Linux distributions running kernels released from 2017 until patched versions are applied, including but not limited to Ubuntu (for example, 24.04 LTS), Amazon Linux 2023, Red Hat Enterprise Linux (RHEL 10.1), and SUSE 16, as well as other distributions like Debian, Fedora, and Arch Linux. The CVSS score is 7.8 (High), reflecting its significant impact. From an impact assessment standpoint, successful exploitation leads to full root privilege escalation (high impact to confidentiality, integrity, and availability) and could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments. Its reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI\u002FCD, and Kubernetes environments where untrusted code execution is common. CVE-2026-31431 (also known as “Copy Fail”) is a high‑severity local privilege escalation (LPE) vulnerability affecting the Linux kernel’s cryptographic subsystem. The vulnerability type is a logic flaw within the algif_aead module of the AF_ALG (userspace crypto API), which results in improper handling of memory during in-place operations. The attack vector is local (AV:L) and requires low privileges with no user interaction, meaning any unprivileged user on a vulnerable system can attempt exploitation. Critically, this vulnerability is not remotely exploitable in isolation, but becomes highly impactful when chained with an initial access vector such as Secure Shell (SSH) access, malicious CI job execution, or container footholds. 
The primary prerequisite for exploitation is the ability to execute code as a local non-privileged user on a system running a vulnerable Linux kernel with the affected crypto module enabled. From a technical perspective, the flaw originates from an in-place optimization introduced in 2017, where the kernel reuses source memory as the destination during cryptographic operations. By abusing the interaction between the AF_ALG socket interface and the splice() system call, an attacker can perform a controlled 4-byte write into the kernel’s page cache of any readable file. This enables corruption of in-memory representations of privileged binaries (for example, \u002Fusr\u002Fbin\u002Fsu) without modifying the on-disk file. When executed, the modified binary yields root privileges, effectively breaking the system’s privilege boundary. Notably, the exploit is deterministic, does not rely on race conditions, and could be implemented in a very small (~732‑byte) script that works across distributions. Because the page cache is shared across containers and the host, the vulnerability also enables cross-container impacts and container escape scenarios. The following is one possible exploitation attack chain. Phase 1: The attacker begins with reconnaissance. This may occur after gaining limited visibility into an environment (for example, a compromised CI runner, web container, or multi‑tenant host). Kernel version information is easily obtainable from within containers and user namespaces and does not require elevated privileges. Because containers share the host kernel, a single vulnerable kernel version immediately expands the impact radius from one container to the entire node. Phase 2: The attacker leverages a compact Python script that interacts only with standard kernel interfaces exposed to unprivileged users. The script does not rely on networking, compilation, or third‑party libraries, making it ideal for execution in restricted containers and hardened environments. 
Phase 3: The attacker runs the script as either a regular Linux user on a host, or a compromised container process with no special capabilities. Crucially, the vulnerability does not require root inside the container, kernel modules, or network access. This makes it ideal for post‑exploitation scenarios where the attacker already has any foothold at all. Phase 4: The exploit abuses an interaction between the AF_ALG (asynchronous crypto) socket interface, the splice() system call, and improper error handling during a failed copy operation. This results in a controlled 4‑byte overwrite in the kernel page cache, allowing the attacker to corrupt sensitive kernel‑managed data even though they are unprivileged. This corruption occurs entirely within the kernel, bypassing traditional user‑space protections. Phase 5: By corrupting kernel structures associated with credentials or execution context, the attacker escalates their process to UID 0. This completes the transition from unprivileged user to full root without touching the network. At this point, kernel trust boundaries are broken, SELinux\u002FAppArmor protections are effectively neutralized, and local security controls are bypassed. Mitigation and protection guidance. Immediate actions (0-24 hours): Identify all instances of affected products\u002Fversions in your environment. Apply mitigation based on patch availability: If patches exist, apply immediately. Links to security bulletins and vendor patches are available at NVD – CVE-2026-31431. If no patches exist, choose one of these interim mitigations: ○ Disable affected feature ○ Implement network isolation ○ Apply access controls. Review logs for signs of exploitation. Because this vulnerability impacts a large swath of Linux devices, it is strongly recommended to do the following: Patch or update your distribution’s kernel packages, or block AF_ALG socket creation. 
Treat any container RCE as potential host compromise and enforce rapid node recycling after compromise indicators. Microsoft Defender XDR detections Microsoft Defender XDR customers can refer to the following list of applicable detections. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F05\u002F01\u002Fcve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation\u002F","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002Fwp-content\u002Fuploads\u002F2026\u002F04\u002FMS_Actional-Insights_Rapid-response.jpg","2026-05-02T03:06:08+00:00","2026-05-02T04:00:19.04836+00:00",9,[18,21,23,25,27,29],{"name":19,"type":20},"Microsoft","vendor",{"name":22,"type":20},"Red Hat",{"name":24,"type":20},"Canonical",{"name":26,"type":20},"SUSE",{"name":28,"type":20},"Amazon Web Services",{"name":30,"type":31},"Linux kernel","technology","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":32,"icon":34,"name":35,"slug":36},null,"Vulnerabilities","vulnerabilities",[38,43],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",[49],{"type":50,"value":51,"context":52},"cve","CVE-2026-31431","High-severity Linux kernel privilege escalation vulnerability in crypto subsystem (Copy Fail)"]