VULNERABILITY BRIEF · 🟠 High Vulnerability

Copy Fail (CVE‑2026‑31431): Linux Kernel Page‑Cache Corruption Enables Local Root Escalation

A newly disclosed Linux kernel bug (CVE‑2026‑31431) lets any unprivileged user corrupt the page‑cache of any readable file, granting root privileges. The flaw spans Ubuntu, RHEL, SUSE, Amazon Linux and can cross container boundaries, posing a serious supply‑chain risk for Linux‑based third‑party services.

LiveThreat™ Intelligence · 📅 May 01, 2026 · 📰 securityaffairs.com

Severity: High · Type: Vulnerability · Confidence: High · Affected: 2 sector(s) · Actions: 5 recommended · Source: securityaffairs.com

What It Is — A newly disclosed Linux kernel logic flaw (CVE‑2026‑31431, “Copy Fail”) allows any unprivileged local user to write four arbitrary bytes into the page‑cache of any readable file. By corrupting the in‑memory image of a set‑uid binary, an attacker can obtain root privileges without altering the on‑disk file.

Exploitability — A public proof‑of‑concept script (≈732 bytes) demonstrates reliable local privilege escalation on all major distributions. No public exploit‑as‑a‑service has been observed yet, but the vulnerability is trivially reproducible. CVSS v3.1: 7.8 (High).

Affected Products — Ubuntu, Red Hat Enterprise Linux, SUSE Linux Enterprise, Amazon Linux, and any other distro shipping the vulnerable kernel (versions released since 2017). The bug also works across container boundaries because the page cache is shared between host and containers.

TPRM Impact

  • Any third‑party service that runs Linux‑based workloads (cloud hosts, SaaS platforms, CI/CD pipelines) inherits the same privilege‑escalation risk.
  • Container‑orchestrated environments (Kubernetes, Docker) can be breached from a single compromised pod, enabling lateral movement to the host and other tenants.
  • Supply‑chain exposure: compromised binaries or images distributed by vendors could be silently altered in‑memory, evading traditional integrity checks.

Recommended Actions

  • Patch Immediately – Apply the kernel updates released by each distribution (e.g., Ubuntu 24.04 kernel 6.5.0‑xx, RHEL 9.4, etc.).
  • Enforce Least‑Privilege – Restrict local user accounts from accessing AF_ALG or splice() where not required; consider disabling the AF_ALG crypto API if unused.
  • Container Hardening – Use separate page‑cache namespaces (e.g., --page-cache=private) or run containers with unshared kernel memory where possible.
  • Monitor for Indicators – Deploy EDR/IDS rules to detect the 732‑byte Python exploit pattern and unexpected writes to set‑uid binaries in memory.
  • Validate Images – Re‑sign and re‑verify container images after patching to ensure no in‑memory tampering occurred.
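
One way to audit the AF_ALG recommendation above on a host. This is an added example, not code from this brief or from the original reporting. It assumes the mainline kernel module names for the AF_ALG interface and the usual `/proc/modules` and `/etc/modprobe.d` locations; the function names and sample file contents are constructed for illustration.

```python
import socket
from pathlib import Path

# Mainline kernel modules behind the AF_ALG user-space crypto API (assumed names).
AF_ALG_MODULES = {"af_alg", "algif_hash", "algif_skcipher", "algif_aead", "algif_rng"}

def loaded_af_alg_modules(text):
    """AF_ALG modules present in /proc/modules-format text."""
    return sorted(AF_ALG_MODULES & {l.split()[0] for l in text.splitlines() if l.strip()})

def blocked_modules(modprobe_text):
    """Map module -> 'blacklist' or 'install' from modprobe.d-format text.
    'blacklist' only ignores aliases; 'install X /bin/false' also fails explicit loads."""
    blocked = {}
    for raw in modprobe_text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 2 and f[0] == "blacklist":
            blocked.setdefault(f[1].replace("-", "_"), "blacklist")
        elif len(f) >= 3 and f[0] == "install" and f[2] in ("/bin/false", "/bin/true"):
            blocked[f[1].replace("-", "_")] = "install"
    return blocked

def af_alg_reachable():
    """Can this user open an AF_ALG socket? None if unsupported. May autoload af_alg."""
    family = getattr(socket, "AF_ALG", None)
    if family is None:
        return None
    try:
        socket.socket(family, socket.SOCK_SEQPACKET, 0).close()
    except OSError:
        return False
    return True

def findings(proc_modules_text, modprobe_text, reachable):
    """Exposure findings; an empty list means no AF_ALG exposure was seen."""
    out = [f"loaded: {m}" for m in loaded_af_alg_modules(proc_modules_text)]
    blocked = blocked_modules(modprobe_text)
    out += [f"not install-blocked: {m}" for m in sorted(AF_ALG_MODULES)
            if blocked.get(m) != "install"]
    if reachable:
        out.append("AF_ALG socket can be opened by this user")
    return out

# Constructed samples (not taken from a real host).
SAMPLE_PROC_MODULES = "algif_hash 16384 0 - Live 0x0\naf_alg 32768 1 algif_hash, Live 0x0\n"
SAMPLE_MODPROBE = "# af_alg.conf\ninstall af_alg /bin/false\nblacklist algif-hash\n"

if __name__ == "__main__":
    conf = "\n".join(p.read_text() for p in sorted(Path("/etc/modprobe.d").glob("*.conf")))
    print("\n".join(findings(Path("/proc/modules").read_text(), conf, af_alg_reachable())))
```

If AF_ALG is compiled into the kernel rather than built as modules, the module checks report nothing useful and the socket probe is the result to rely on.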

Source: SecurityAffairs – Copy Fail: New Linux bug enables Root via page‑cache corruption

📰 Original Source
https://securityaffairs.com/191519/hacking/copy-fail-new-linux-bug-enables-root-via-page-cache-corruption.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.