CISA Adds Critical Linux Local Privilege Escalation Bug CVE-2026-31431 to Known Exploited Vulnerabilities List
Vulnerability coverage focused on affected versions, exploitability and patch or mitigation decisions.

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.
The published article is checked against public sources before publication, and material corrections are reflected in the article update date.
Technical reviewer note: Marcin Pocztowski reviewed this alert on May 03, 2026 from an administrator's point of view, checking CVE-2026-31431 against vendor, CVE and advisory context before accepting the risk language. His remediation check is practical: confirm the affected version first, restrict reachable management surfaces as he would on Juniper, Cisco or Mikrotik routers, then patch or apply vendor mitigations only where the 4 corroborating sources support that scope.
Status: resolved or patched. Treat this as active until affected Linux kernels are patched or mitigated and local privilege-escalation attempts have been reviewed in host and container logs.
CISA has added CVE-2026-31431 to the KEV catalog after evidence of active exploitation. Linux administrators should verify affected kernel or distribution packages, prioritize systems where local or container code execution is possible, apply vendor fixes or mitigations, and review logs for privilege-escalation attempts.
WASHINGTON, May 3, 2026, 06:52 UTC
CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog on May 1 after finding evidence of active exploitation. Treat this as a patch-priority alert for Linux systems where an attacker could already run code as a local user or inside a container.
The important detail is scope. This is a Linux Kernel incorrect resource transfer vulnerability that can allow privilege escalation, according to CISA's KEV record. It is not a standalone remote compromise, but it can turn a low-privilege foothold into root access on a vulnerable host.
What to do now
- Inventory Linux hosts, container hosts, CI runners and shared shell servers that may run affected kernels.
- Check your distribution advisory before assuming exposure from the CVE headline alone.
- Prioritize systems where untrusted users, compromised services or container workloads can execute local code.
- Apply vendor fixes or mitigations; CISA's KEV record sets a May 15, 2026 due date for U.S. federal civilian agencies.
- Preserve authentication, sudo, kernel, container runtime and EDR logs before rebooting or rebuilding suspicious hosts.
Who is affected
Systems matter most when local code execution is already possible: multi-user servers, hosting environments, container platforms, build workers, exposed SSH hosts and workloads where a compromised application could pivot to the kernel. Desktop Linux systems can also be relevant if malware or an untrusted local account is present.
CISA identifies the issue as affecting the Linux Kernel and describes the required action as applying vendor mitigations, following applicable BOD 22-01 guidance for cloud services, or discontinuing use where mitigations are unavailable. That means the right answer is not a universal reboot; it is version verification followed by the fix your Linux vendor supports.
The Hacker News, citing researcher and vendor write-ups, reported that the flaw is known as Copy Fail, carries a CVSS score of 7.8, and can let an unprivileged local user obtain root. The same reporting says fixes have been made available in Linux kernel versions 6.18.22, 6.19.12 and 7.0, while distribution packages may use their own backport versions.
Why this is urgent
Local privilege escalation bugs become high-impact when paired with initial access. A phishing-delivered shell, stolen SSH credential, malicious CI job, exploited web application or compromised container can all provide the local starting point needed before an attacker tries to become root.
Container and cloud hosts deserve early attention. The Hacker News article points to analysis warning that containerized environments can be exposed when affected kernel features are reachable from a container process. Do not treat container boundaries as a complete mitigation until the host kernel and runtime configuration have been checked.
What not to assume
CISA did not publish details of the exploitation campaign in its alert. Do not claim a specific threat actor, victim count or ransomware use from the CISA notice alone. CISA's KEV feed lists ransomware campaign use as unknown for this CVE.
Do not rely only on CVSS. The attack vector is local, so internet exposure alone is not the whole story. Rank systems by whether attackers can already run code there, whether the host carries sensitive data or privileged workloads, and whether the kernel can be updated without delaying critical containment.
Verification checklist
- Confirm the running kernel with your normal fleet inventory or host command output.
- Compare the result with your distribution's advisory, not only upstream kernel numbers.
- Check whether emergency mitigation is needed for hosts that cannot be patched immediately.
- Review recent local-user creation, sudo activity, unusual container starts and suspicious CI job execution.
- After patching, verify that the running kernel changed; installed packages alone are not proof after a pending reboot.
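As an added example (not code from the alert, CISA or any distribution), a POSIX shell helper that applies the last two checklist items: it compares the running kernel and each installed kernel package against the fixed version from your distribution advisory and reports whether the host is running a fixed kernel, has one installed but still needs a reboot, or is unpatched. The package query in the trailing comment and the upstream-style version numbering are assumptions; substitute the version string your distribution's advisory gives.

```shell
#!/bin/sh
# Added example, not from the HackWatch alert or CISA. Versions are compared in
# natural version order with GNU sort -V, so "6.18.22-amd64" counts as >= "6.18.22".
# FIXED must come from YOUR distribution advisory (assumption: upstream-style
# numbering; backported package versions often differ from 6.18.22/6.19.12/7.0).

# version_ge A B -> true when A >= B in natural version order
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# kernel_patch_status FIXED RUNNING INSTALLED... prints one of:
#   running-fixed             the running kernel is already at or above FIXED
#   installed-pending-reboot  a fixed kernel is installed but not yet running
#   unpatched                 no installed kernel reaches FIXED (exit status 1)
kernel_patch_status() {
    fixed=$1; running=$2; shift 2
    if version_ge "$running" "$fixed"; then
        echo running-fixed; return 0
    fi
    for inst in "$@"; do
        if version_ge "$inst" "$fixed"; then
            echo installed-pending-reboot; return 0
        fi
    done
    echo unpatched; return 1
}

# Live use on a host (Debian-style package naming is an assumption; adjust for rpm):
#   kernel_patch_status "$ADVISORY_FIXED_VERSION" "$(uname -r)" \
#       $(dpkg-query -W -f='${Version}\n' 'linux-image-*' 2>/dev/null)
```

Feed the result into your fleet inventory: "installed-pending-reboot" hosts are the ones a package-only check would wrongly report as done.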
This alert should be read as an operations queue item: find affected Linux kernels, rank systems with local execution risk, patch or mitigate, then review logs for signs that a low-privilege foothold tried to become root.
Sources used for this article
cisa.gov, The Hacker News, CISA, CVE.org
- https://www.cisa.gov/news-events/alerts/2026/05/01/cisa-adds-one-known-exploited-vulnerability-catalog
- https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.cve.org/CVERecord?id=CVE-2026-31431
