CISA Warns of Exploitation of 'Copy Fail' Linux Vulnerability Affecting All Distributions Since 2017
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the exploitation of a Linux kernel vulnerability known as 'Copy Fail', tracked as CVE-2026-31431. This security defect, which has been present in all Linux distributions since 2017, allows authenticated attackers with code execution privileges to modify the cache page of readable setuid-root binaries, leading to root shell access. The vulnerability was disclosed on April 29, and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within two weeks. Microsoft has observed limited exploitation, primarily in proof-of-concept testing, but warns of its broad applicability and potential for significant impact, including full root privilege escalation and potential compromise of cloud and container environments. 
