Linux Copy Fail vulnerability puts cloud systems at risk


Microsoft has detailed a high-severity Linux kernel vulnerability that can allow a local, unprivileged user to gain root access on affected systems.

The flaw, tracked as CVE-2026-31431 and also referred to as “Copy Fail,” affects multiple Linux distributions used in enterprise and cloud environments. Microsoft said affected platforms include Red Hat, SUSE, Ubuntu, Amazon Linux, Debian, Fedora, and Arch Linux, depending on kernel version and patch status.

The vulnerability has a CVSS score of 7.8. Microsoft said the bug has been present in Linux kernels released since 2017, so any system still running an unpatched kernel is affected regardless of distribution.

A local flaw with cloud implications

CVE-2026-31431 is not remotely exploitable on its own. Microsoft said an attacker would first need local code execution as a non-privileged user, a condition that can exist in cloud, CI/CD, and Kubernetes environments where untrusted code may run.

The flaw can become more serious when combined with initial access through SSH, a malicious CI job, or a compromised container process. In those cases, an attacker with limited access could attempt to escalate privileges to root on a vulnerable system.

The issue sits in the Linux kernel’s cryptographic subsystem. Microsoft described it as a logic flaw in algif_aead, the AEAD component of AF_ALG, the socket-based interface through which userspace programs reach the kernel’s cryptography API.

The flaw involves improper memory handling during in-place cryptographic operations. By abusing the interaction between the AF_ALG socket interface and the splice() system call, an attacker can carry out a controlled four-byte write into the kernel page cache of a readable file.

Microsoft said this can corrupt the in-memory version of privileged binaries, like /usr/bin/su, without changing the file stored on disk. CERT-EU said an unprivileged local user can use the bug to target a setuid binary and obtain a root shell.

Why Kubernetes environments are exposed

The issue matters for Kubernetes because containers have no kernel of their own: every container on a node runs on the node’s kernel, so a kernel flaw reachable from inside a container is a flaw in the node itself. Microsoft said successful exploitation could support container breakout, multi-tenant compromise, and lateral movement in shared environments.

No remote vector is needed. Once an attacker can run code inside any container on a vulnerable node, the kernel is within reach.

Microsoft said successful exploitation gives the attacker full root access, which compromises confidentiality, integrity and availability alike. Public exploit research described the bug as deterministic, meaning the write lands reliably rather than depending on winning a race. Microsoft and CERT-EU both stressed that what gets corrupted is the page-cache copy of the target file: the file on disk, and therefore its on-disk hash, is left unchanged, and the corrupted copy exists only in memory.

Microsoft has observed limited active exploitation so far, mainly in proof-of-concept testing.

The US Cybersecurity and Infrastructure Security Agency added CVE-2026-31431 to its Known Exploited Vulnerabilities catalogue on May 1. CISA listed it as a Linux Kernel Incorrect Resource Transfer Between Spheres vulnerability.

Patch priorities for cloud teams

Microsoft recommended that organisations identify affected Linux systems and apply vendor patches where available. Security bulletins and patch information are available through the National Vulnerability Database entry for CVE-2026-31431.

Where patches are not yet available, Microsoft said organisations should consider interim steps such as disabling the affected feature (for instance, preventing the algif_aead module from loading, which only helps where it is a loadable module rather than built into the kernel), blocking AF_ALG socket creation, applying access controls, or using network isolation.

In Kubernetes environments, remediation needs to cover the node operating system, not only application containers. Microsoft advised organisations to patch or update Linux kernel packages, while AKS documentation notes that node OS security updates are managed separately from Kubernetes version upgrades.

The company also advised customers to review logs for signs of exploitation. In container environments, Microsoft said any container remote code execution should be treated as a possible host compromise, with rapid node recycling after compromise indicators are found.

Microsoft Defender XDR has added detections for activity linked to CVE-2026-31431. Microsoft listed coverage in Defender Antivirus, Defender for Endpoint, Defender for Cloud, and Microsoft Defender Vulnerability Management.

The detections include exploit and behaviour signatures for Linux and Python-based activity associated with Copy Fail. Defender Vulnerability Management can also surface devices that may be vulnerable to CVE-2026-31431 in customer environments.
