CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

2026-005: High Vulnerability in the Linux Kernel ("Copy Fail")

highknown exploitedpublic exploitCVE-2026-31431
Actively exploited. At least one CVE in this advisory is listed in the CISA Known Exploited Vulnerabilities catalog — exploitation has been observed in the wild. Treat remediation as urgent.
On 29 April 2026, a high local privilege escalation vulnerability in the Linux kernel, tracked as CVE-2026-31431 and named "Copy Fail", was publicly disclosed. The vulnerability affects every mainstream Linux distributions shipping a kernel built since 2017. A public proof-of-concept exploit has been released. As of the date of this advisory, no distribution has shipped a fixed kernel package. The mainline fix was committed on 1 April 2026, but vendor updates are still pending across all major distributions. CERT-EU strongly recommends applying the interim mitigation immediately, prioritising Kubernetes nodes, and CI/CD runners exposed to untrusted workloads.

CSIRTS triage

What
The vulnerability allows for local privilege escalation due to a flaw in the kernel's functionality.
Who is affected
Every mainstream Linux distribution shipping a kernel built since 2017 is affected.
Urgency
Remediation is urgent as a public proof-of-concept exploit is available and no fixed kernel package has been shipped yet.
Action
Apply the interim mitigation immediately, prioritizing Kubernetes nodes and CI/CD runners.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Linux Kernel

Get an email when a new Linux Kernel advisory drops — max one per day, one-click unsubscribe.

Details

Source
CERT-EU Security Advisories (EU · eu · site)
Severity
high
Published
2026-04-30
Exploitation
Observed in the wild (CISA KEV)

Original advisory: https://cert.europa.eu/publications/security-advisories/2026-005/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-31431coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

Recent advisories for 2026-005

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from CERT-EU Security Advisories