CISA has added CVE-2026-31431 to its Known Exploited Vulnerabilities catalogue, confirming that the Linux kernel copy-on-write race condition vulnerability publicly disclosed late last week — tracked by researchers as ‘CopyFail’ — is under active exploitation in the wild. Federal Civilian Executive Branch agencies face a remediation deadline of 20 May 2026. All enterprise organisations running Linux should treat the associated kernel patches as a high-urgency deployment.
CVE-2026-31431: Technical Summary
CVE-2026-31431 is a local privilege escalation vulnerability in the Linux kernel’s copy-on-write (CoW) page fault handling path. The flaw involves a race condition in how the kernel processes write operations on read-only memory mappings — under specific timing conditions, an unprivileged process can obtain a writable reference to a page marked read-only, allowing it to overwrite kernel memory structures and escalate to root.
The vulnerability affects kernel versions from 4.15 (released in 2018) through the unpatched versions of the 6.18 and 6.19 stable series. All major Linux distributions — including RHEL/CentOS Stream, Ubuntu, Debian, SUSE/openSUSE, Fedora, and Amazon Linux 2023 — have issued kernel updates that include the fix.
The CVSS base score assigned by NVD is 7.8 (High). The score reflects the local-access requirement, but the practical exploitation barrier is low: any code running as an unprivileged local user, including web server worker processes, containerised workloads and compromised application accounts, can use the flaw to become root.
CISA KEV Addition: What Confirmed Exploitation Means
CISA adds vulnerabilities to the KEV catalogue only when exploitation evidence is confirmed through vetted reporting. The catalogue addition of CVE-2026-31431 indicates that threat actors are actively deploying exploits for this vulnerability against real targets, not merely that proof-of-concept code exists.
The exploitation context observed so far involves post-initial-access privilege escalation: attackers who have obtained low-privilege shell access — via web application vulnerabilities, credential reuse, or phishing — use CopyFail to escalate to root before deploying ransomware encryptors, cryptominers, or persistent backdoors. This is consistent with how kernel LPE vulnerabilities are typically operationalised in campaigns targeting Linux server infrastructure.
The ‘Sorry’ ransomware campaign currently exploiting cPanel servers (cPanel runs on Linux) is one active campaign in which a kernel LPE capability would directly compound the impact of initial access.
Patch Availability and Remediation
All major distributions have patches available:
| Distribution | Fixed Kernel Version | Update Command |
|---|---|---|
| RHEL 8/9 / CentOS Stream | See RHSA-2026:2341 | dnf update kernel |
| Ubuntu 22.04/24.04 | 6.8.0-60-generic | apt update && apt upgrade linux-image-generic |
| Debian 12 (Bookworm) | 6.1.140 | apt update && apt upgrade linux-image-amd64 |
| SUSE Linux Enterprise / openSUSE | See SUSE-SU-2026:1342 | zypper update kernel-default |
| Amazon Linux 2023 | 6.1.136-158.215 | yum update kernel |
| Fedora 41/42 | Kernel 6.19.12 | dnf update kernel |
Installing the package is not enough: the running kernel stays vulnerable until the host is rebooted into the patched kernel, so verify with `uname -r` after the reboot rather than trusting the package manager's output.
Recommended Actions
- Immediate patch deployment: Apply available kernel updates to all Linux systems. Prioritise internet-facing servers, web application servers, CI/CD build agents, and any Linux host with multiple user accounts or service accounts that accept external connections.
- Containerised environments: container workloads share the host kernel, so rebuilding container images does nothing for this flaw; patching the container host OS resolves it for every container running on that host. Kubernetes nodes should be patched and rolled with a cordon/drain cycle.
- Audit current kernel versions: run `uname -r` on each host, or deploy a configuration management query, to identify unpatched hosts. Any kernel below the distribution's fixed version is vulnerable. Note that on Debian `uname -r` reports the kernel ABI name rather than the package version shown in the table above, so compare against the installed linux-image package version there.
- Review exploit mitigation posture: some kernel hardening options (SMEP, SMAP, kernel stack canaries) partially constrain exploitation reliability but do not prevent it; patching is the only complete mitigation.
- Prioritise hosts with public-facing services: Systems where an application-layer compromise is plausible (web servers, API endpoints, remote access services) should be patched first, as CopyFail is most dangerous as a privilege escalation step after initial access.
The combination of CVE-2026-31431’s broad distribution impact, low exploitation complexity, and now-confirmed active exploitation makes this the highest-priority Linux kernel patching task in the current cycle.