CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments

Microsoft Defender is tracking a high-severity Linux kernel vulnerability, CVE-2026-31431, that allows unprivileged users to escalate their access to root privileges across major distributions and cloud environments.

Key Points

  • The vulnerability, dubbed "Copy Fail," affects Linux kernels released since 2017 and therefore the major distributions built on them, including Ubuntu, Red Hat, SUSE, and Amazon Linux.
  • It stems from a logic flaw in the kernel's cryptographic subsystem (AF_ALG) that allows unauthorized 4-byte writes to the page cache.
  • Exploitation requires only local access and a small script, enabling attackers to bypass security boundaries and potentially escape containers.
  • The Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog.
  • Microsoft recommends immediate patching or blocking AF_ALG socket creation to prevent potential host compromise.
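
As an added illustration of the blocking mitigation in the last key point (example code, not from Microsoft's advisory): the page does not say how AF_ALG socket creation should be blocked, so the approach below is an assumption. One common way on container hosts is a seccomp profile that fails socket() calls whose address-family argument is AF_ALG (numeric value 38 on Linux) while leaving other socket families alone. The Python here builds such a rule in the Docker/containerd seccomp JSON syntax that Kubernetes also loads for Localhost profiles, statically checks whether a given profile contains it, and probes whether the calling process can still open an AF_ALG socket. Function names and the sample profiles are this example's own.

```python
import errno
import json
import socket

# AF_ALG is the Linux address family of the kernel crypto API's user-space
# interface; its value is 38 on every Linux architecture. Python exposes
# socket.AF_ALG only on Linux, so fall back to the constant elsewhere.
AF_ALG = getattr(socket, "AF_ALG", 38)

DENY_ACTIONS = {
    "SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
    "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP",
}


def af_alg_deny_rule(errno_value: int = errno.EPERM) -> dict:
    """One syscall entry in Docker/containerd seccomp-profile JSON syntax.

    It makes socket(AF_ALG, ...) fail with the given errno; socket() calls for
    every other address family are not matched and keep their usual handling.
    """
    return {
        "names": ["socket"],
        "action": "SCMP_ACT_ERRNO",
        "errnoRet": errno_value,
        "args": [
            {"index": 0, "value": AF_ALG, "valueTwo": 0, "op": "SCMP_CMP_EQ"},
        ],
    }


def af_alg_block_profile() -> dict:
    """Minimal allow-by-default profile carrying only the AF_ALG deny rule.

    On a real host, merge af_alg_deny_rule() into the profile already in use
    rather than replacing that profile with this one.
    """
    return {"defaultAction": "SCMP_ACT_ALLOW", "syscalls": [af_alg_deny_rule()]}


def profile_blocks_af_alg(profile: dict) -> bool:
    """Static check: does the profile carry an explicit rule that denies
    socket() for AF_ALG, or one that denies socket() unconditionally?

    Caveat: a profile that forbids socket() only through its defaultAction
    (and never allows it) is not recognised here; use the runtime probe below
    from inside the container for the authoritative answer.
    """
    for rule in profile.get("syscalls", []):
        if "socket" not in rule.get("names", []):
            continue
        if rule.get("action") not in DENY_ACTIONS:
            continue
        args = rule.get("args") or []
        if not args:
            return True  # socket() denied for every address family
        for arg in args:
            if (arg.get("index") == 0 and arg.get("op") == "SCMP_CMP_EQ"
                    and arg.get("value") == AF_ALG):
                return True
    return False


def af_alg_socket_allowed() -> bool:
    """Runtime probe: try to create, but never bind or use, an AF_ALG socket.

    False means the kernel refused it, e.g. EPERM from a seccomp rule or
    EAFNOSUPPORT when the family is unavailable. Meaningful on Linux only.
    """
    try:
        sock = socket.socket(AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError:
        return False
    sock.close()
    return True


if __name__ == "__main__":
    profile = af_alg_block_profile()
    print(json.dumps(profile, indent=2))
    print("profile blocks AF_ALG:", profile_blocks_af_alg(profile))
    print("this process can open AF_ALG sockets:", af_alg_socket_allowed())
```

Run the probe from inside a container after applying the profile: it should report False there, while the same probe on a patched host outside the profile still reports True, which is fine because the blocking rule is a stopgap for the window before the kernel update lands.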

Why It Matters

This vulnerability poses a significant risk to cloud infrastructure and Kubernetes clusters because it allows attackers to escalate privileges from a single container to the entire host. Its deterministic nature and cross-platform impact make it a critical threat for organizations relying on shared environments and untrusted code execution.

Source: Microsoft.com, published by the Microsoft Defender Security Research Team.