Exploitation of 'Copy Fail' Linux Vulnerability Begins
SecurityWeek, Monday, May 4th, 2026
Threat actors are actively exploiting CVE-2026-31431, a Linux kernel vulnerability that allows privilege escalation to root access.
A recently disclosed Linux kernel vulnerability tracked as CVE-2026-31431 and dubbed 'Copy Fail' is being exploited by threat actors to gain root shell access, according to CISA warnings. The vulnerability affects all Linux distributions since 2017 and lurked undetected for nearly a decade before disclosure on April 29.
CISA has added it to its Known Exploited Vulnerabilities catalog and urged federal agencies to patch within two weeks, while Microsoft reports limited in-the-wild exploitation so far but warns of the vulnerability's broad applicability and danger in cloud, CI/CD, and Kubernetes environments.
The vulnerability can be exploited by any local unprivileged user and can be chained with SSH access or container access to achieve full root privilege escalation with high impact to confidentiality, integrity, and availability.