
U.S. CISA Adds a Flaw in Linux Kernel to Its Known Exploited Vulnerabilities Catalog
Key Takeaways
- CISA adds Linux CVE-2026-31431 to KEV catalog.
- Unprivileged local user can gain root privileges.
- Impacts Ubuntu, RHEL, SUSE, Amazon Linux distributions.
- Exploit uses AF_ALG and splice() to corrupt page cache.
- Federal agencies must patch by May 15, 2026.
Pulse Analysis
The addition of CVE-2026-31431 to CISA’s KEV catalog underscores a growing trend: government agencies are actively flagging high‑impact, locally exploitable bugs that affect the backbone of modern cloud and data‑center environments. Linux powers the majority of public‑cloud instances, container orchestrators, and critical infrastructure, so a flaw that can be triggered without network access or elevated privileges raises the stakes for every organization that runs Linux workloads. By cataloguing the vulnerability, CISA provides a clear signal to both federal and private sectors that remediation cannot be deferred.
The exploit, dubbed Copy Fail, distinguishes itself from earlier Linux exploits such as Dirty Cow and Dirty Pipe through its use of the AF_ALG cryptographic interface combined with splice() to write four controlled bytes directly into the page cache. Because the corrupted data never touches the underlying disk, traditional file‑integrity monitors miss the change, and the altered binary is executed from memory. The attack works across kernel versions 6.12‑6.18 and can breach container isolation, making it a potent vector for both privilege escalation and container escape in Kubernetes environments. Its minimal 732‑byte Python payload demonstrates how quickly an attacker can weaponize the bug.
For enterprises, the immediate priority is to apply the upstream patches released by distro maintainers and verify that the AF_ALG kernel module is either patched or disabled where not required. Organizations should also audit their container runtimes for shared page‑cache configurations that could amplify the risk. Compliance teams must track the May 15, 2026 deadline to satisfy CISA’s Binding Operational Directive 22‑01, while broader risk‑management programs should incorporate this vulnerability into their threat‑modeling exercises. Proactive patching, coupled with continuous monitoring of kernel‑level activity, will mitigate the likelihood of a stealthy root compromise across both on‑prem and cloud‑native Linux fleets.
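A triage helper for the remediation steps above (patch level and AF_ALG exposure); this is an added example, not code from the original article or from any distribution. It assumes only what the article states: the 6.12‑6.18 affected range and that AF_ALG is provided by `algif_*` kernel modules; a distro may backport the fix into a kernel that still reports an "affected" version, so a hit means "check the vendor advisory", not confirmed exposure.

```shell
#!/bin/sh
# Added triage helper (not from the article). Facts used: affected kernel range
# 6.12-6.18 and the AF_ALG interface, loaded as algif_* modules.
# Assumption: the range is taken at face value; vendor backports may differ.

# affected_kernel RELEASE: succeed if RELEASE (e.g. "6.15.3-generic") is in 6.12..6.18.
affected_kernel() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    case "$major" in 6) ;; *) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$minor" -ge 12 ] && [ "$minor" -le 18 ]; then return 0; fi
    return 1
}

# loaded_algif_modules: read lsmod-style text on stdin, print algif_* module names.
loaded_algif_modules() {
    awk '$1 ~ /^algif_/ { print $1 }'
}

# count_algif_modules: same input, print how many algif_* modules are listed.
count_algif_modules() {
    loaded_algif_modules | wc -l | tr -d ' '
}

# modprobe_blacklist MODULE...: print modprobe.d lines that prevent the modules
# from loading (the "install <mod> /bin/false" idiom). Only for hosts that do
# not need user-space AF_ALG crypto; some libraries rely on it.
modprobe_blacklist() {
    for m in "$@"; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Report on the running host. lsmod may be absent (e.g. minimal containers).
release=$(uname -r)
modules=$(lsmod 2>/dev/null || true)
if affected_kernel "$release"; then
    echo "kernel $release is in the 6.12-6.18 range named for CVE-2026-31431: verify vendor patch level"
else
    echo "kernel $release is outside the 6.12-6.18 range: still confirm against the vendor advisory"
fi
loaded=$(printf '%s\n' "$modules" | loaded_algif_modules)
if [ -n "$loaded" ]; then
    echo "loaded AF_ALG modules:"; echo "$loaded"
    echo "if not required, place these lines in /etc/modprobe.d/disable-algif.conf:"
    modprobe_blacklist $loaded
fi
```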