
Microsoft Flags Linux Kernel Flaw Enabling Root Access Across Major Distributions

A Linux kernel bug called Copy Fail can turn a local foothold into root on major distributions, and CISA has already placed it in its exploited-vulnerabilities catalog.

Lisa Park · 2 min read
Source: microsoft.com

A Linux kernel flaw called Copy Fail is giving security teams a hard deadline: patch quickly or risk a low-privilege account becoming full root access across servers, cloud fleets and Kubernetes clusters. Microsoft’s Defender Security Research Team said CVE-2026-31431 sits in the kernel’s crypto subsystem and affects major distributions including Red Hat, SUSE, Ubuntu and AWS Linux.

The danger is not limited to isolated machines. Microsoft said the bug can be used to corrupt the page cache of any readable file, including setuid binaries, which makes it possible for an attacker with local access to pivot from a modest foothold to complete system control. Microsoft also said the flaw reaches cloud environments and Kubernetes workloads, raising the stakes for multi-tenant infrastructure, managed hosting providers and enterprise platforms, where one compromised node can put many workloads at risk.


The issue is rated 7.8 on the CVSS scale, a score that reflects serious risk to confidentiality, integrity and availability. Microsoft said kernels released from 2017 onward are exposed unless patched versions are installed. CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog on May 1, 2026, saying the listing was based on evidence of active exploitation, a signal that defenders should treat this as an immediate operational threat rather than a theoretical flaw.

Vendor guidance is already converging on the same point: the first priority is inventory and patching. Red Hat classified the flaw as Important and said a user with a local account could gain root privileges. AWS said the issue requires local authenticated access rather than remote unauthenticated access, and advised customers to disable loading of the algif_aead module and remove it from memory with rmmod algif_aead. Ubuntu described the bug as a trivial local privilege escalation, while SUSE pointed customers to the upstream kernel fix path.
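As an added example (not code from the article or from any vendor advisory), the following POSIX shell script carries out the AWS workaround quoted above in the order a defender would want it: it checks whether algif_aead is loaded, in use, or built into the kernel, blocks it from being loaded again with a modprobe.d install directive, and only then unloads it. The conf file path and the sample listings are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the article or from any vendor advisory.
# Checks the state of the algif_aead module named in the AWS guidance and
# applies the two-step workaround: block future loads via modprobe.d, then
# unload the module. The conf file name is an assumption of this example.
MOD=algif_aead
CONF=/etc/modprobe.d/disable-${MOD}.conf   # assumed path

# Constructed sample listings (not captured from a real host) for self-checks.
SAMPLE_MODULES='af_alg 32768 1 algif_aead, Live 0x0000000000000000
algif_aead 16384 0 - Live 0x0000000000000000'
SAMPLE_BUILTIN='kernel/crypto/aead.ko
kernel/crypto/algif_aead.ko'

# Read a /proc/modules listing on stdin and print one of:
# "absent", "loaded", or "loaded-in-use:<refcount>" (rmmod would fail).
mod_state() {
    awk -v m="$MOD" '
        $1 == m { found = 1; if ($3 > 0) print "loaded-in-use:" $3; else print "loaded" }
        END { if (!found) print "absent" }'
}

# Read a modules.builtin listing on stdin; succeed if the module is compiled in.
# A built-in module cannot be unloaded, so only a patched kernel helps there.
is_builtin() {
    grep -q "/${MOD}\.ko"
}

# The modprobe.d directive that makes modprobe refuse to load the module
# ("blacklist" alone would not stop explicit or alias loads).
blacklist_line() {
    printf 'install %s /bin/false\n' "$MOD"
}

# Apply the workaround on the running host (needs root).
apply_workaround() {
    if is_builtin < "/lib/modules/$(uname -r)/modules.builtin"; then
        echo "$MOD is built into this kernel: patch the kernel instead" >&2
        return 2
    fi
    blacklist_line > "$CONF"
    case "$(mod_state < /proc/modules)" in
        absent)  echo "$MOD not loaded; future loads blocked by $CONF" ;;
        loaded)  rmmod "$MOD" && echo "$MOD unloaded; future loads blocked by $CONF" ;;
        *)       echo "$MOD still in use; unload after its users exit or reboot" >&2; return 1 ;;
    esac
}
# Run with "apply" to change the host; without arguments only the functions are defined.
if [ "${1:-}" = apply ]; then apply_workaround; fi
```

The workaround reduces exposure on unpatched hosts but is not a substitute for the fixed kernel, which remains the first priority.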


The pace of concern is being driven by proof, not speculation. The University of Toronto’s security office said a 732-byte Python proof-of-concept exploit had already been published and that it can write four controlled bytes into the page cache of any readable file, including setuid binaries. That technical detail explains why the flaw matters so much in production systems: once an attacker has any local foothold, the kernel bug can be used to reach root, break container boundaries and move laterally inside shared infrastructure.


CERT-EU said the flaw was publicly disclosed on April 29, 2026, and noted on April 30 that no distribution had yet shipped a fixed kernel package. For administrators running cloud fleets, enterprise servers or managed hosting services, the message is clear: patch affected kernels first, then harden the systems that expose local access paths to untrusted users and workloads.
