CISA adds 9-year-old Linux kernel root-access flaw CVE-2026-31431 to KEV catalog amid active exploitation
Per Forbes' May 3 report, CISA is urging users to patch a nine-year-old Linux kernel flaw tracked as CVE-2026-31431 (dubbed "Copy Fail"), added to the Known Exploited Vulnerabilities catalog within 24 hours of disclosure.
At a glance
- CVE-2026-31431 is a local privilege escalation flaw affecting Linux kernels shipped since 2017, allowing unprivileged users to gain root
- CISA added the flaw to its KEV catalog within 24 hours of disclosure, citing evidence of active exploitation, per Forbes
VERDICT — CONFIRMED
Per Forbes' May 3 report, CISA is urging users to patch a nine-year-old Linux kernel flaw tracked as CVE-2026-31431 (dubbed "Copy Fail"), added to the Known Exploited Vulnerabilities catalog within 24 hours of disclosure based on evidence of active exploitation. The bug, present in kernels shipped since 2017, is a logic flaw in the kernel's authentication cryptographic template that lets an unprivileged local user write four bytes into any readable file's page cache, escalating to root with roughly 732 bytes of code. Exploitation requires prior unprivileged code execution; the report describes the exploit as reliable and invisible to traditional endpoint detection, with public-facing servers and developer workstations as primary targets.
Key facts on file
- CVE-2026-31431 is a local privilege escalation flaw affecting Linux kernels shipped since 2017, allowing unprivileged users to gain root
- CISA added the flaw to its KEV catalog within 24 hours of disclosure, citing evidence of active exploitation, per Forbes

