{"id":25129,"date":"2026-05-02T06:03:08","date_gmt":"2026-05-02T06:03:08","guid":{"rendered":"https:\/\/www.europesays.com\/ai\/25129\/"},"modified":"2026-05-02T06:03:08","modified_gmt":"2026-05-02T06:03:08","slug":"cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation-across-cloud-environments","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/ai\/25129\/","title":{"rendered":"CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments"},"content":{"rendered":"<p class=\"wp-block-paragraph\">Microsoft Defender is investigating a high-severity local privilege escalation vulnerability (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-31431\" rel=\"nofollow noopener\" target=\"_blank\">CVE-2026-31431<\/a>) affecting multiple major Linux distributions including Red Hat, SUSE, Ubuntu, and AWS Linux. This vulnerability allows unauthorized escalation of privileges to root, impacting a significant portion of cloud Linux workloads and millions of Kubernetes clusters. 
Although active exploitation has been limited and primarily observed in proof-of-concept testing, the vulnerability\u2019s broad applicability has caused widespread concern.<\/p>\n<p class=\"wp-block-paragraph\">Given the availability of a fully working exploit proof-of-concept (PoC) and the race to patch systems, Microsoft Defender is seeing preliminary testing activity that will most likely result in increased threat actor exploitation over the next few days, as also confirmed by the recent addition of this vulnerability to the Cybersecurity and Infrastructure Security Agency (CISA) <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/05\/01\/cisa-adds-one-known-exploited-vulnerability-catalog\" rel=\"nofollow noopener\" target=\"_blank\">Known Exploited Vulnerability (KEV) catalog<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">In this report, Microsoft Defender shares detailed analyses and detection insights for this vulnerability, as well as mitigation recommendations and hunting guidance for customers to act on. Further investigation towards providing stronger protection measures is in progress, and this report will be updated when more information becomes available.<\/p>\n<p>Vulnerability details<\/p>\n<table><thead><tr><th>Technical element<\/th><th>Details<\/th><\/tr><\/thead><tbody><tr><td>Vulnerability type<\/td><td>Local privilege escalation<\/td><\/tr><tr><td>Attack vector<\/td><td>Code execution from unprivileged user<\/td><\/tr><tr><td>Prerequisites for exploitation<\/td><td>Local access to the machine as non-privileged user<\/td><\/tr><tr><td>Brief technical explanation<\/td><td>A bug in the Linux kernel\u2019s crypto subsystem can be abused by an attacker to corrupt the page cache of any readable file, including setuid binaries. 
This corruption could be carried out by unprivileged users and could result in code execution with root privilege, effectively escalating the unprivileged user to root in an unauthorized way.<\/td><\/tr><\/tbody><\/table>\n<p class=\"wp-block-paragraph\">The vulnerability affects virtually all Linux distributions running kernels released since 2017, until patched versions are applied, including but not limited to Ubuntu (for example, 24.04 LTS), Amazon Linux 2023, Red Hat Enterprise Linux (RHEL 10.1), and SUSE 16, as well as other distributions like Debian, Fedora, and Arch Linux. The CVSS score is 7.8 (High), reflecting its significant impact.<\/p>\n<p class=\"wp-block-paragraph\">From an impact assessment standpoint, successful exploitation leads to full root privilege escalation (high impact to confidentiality, integrity, and availability) and could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments. Its reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI\/CD, and Kubernetes environments where untrusted code execution is common.<\/p>\n<p class=\"wp-block-paragraph\">CVE-2026-31431 (also known as \u201cCopy Fail\u201d) is a high-severity local privilege escalation (LPE) vulnerability affecting the Linux kernel\u2019s cryptographic subsystem. The vulnerability type is a logic flaw within the algif_aead module of the AF_ALG (userspace crypto API), which results in improper handling of memory during in-place operations.<\/p>\n<p class=\"wp-block-paragraph\">The attack vector is local (AV:L) and requires low privileges with no user interaction, meaning any unprivileged user on a vulnerable system can attempt exploitation. Critically, this vulnerability is not remotely exploitable in isolation, but becomes highly impactful when chained with an initial access vector such as Secure Shell (SSH) access, malicious CI job execution, or container footholds. 
The primary prerequisite for exploitation is the ability to execute code as a local non-privileged user on a system running a vulnerable Linux kernel with the affected crypto module enabled.<\/p>\n<p class=\"wp-block-paragraph\">From a technical perspective, the flaw originates from an in-place optimization introduced in 2017, where the kernel reuses source memory as the destination during cryptographic operations. By abusing the interaction between the AF_ALG socket interface and the splice() system call, an attacker can perform a controlled 4-byte write into the kernel\u2019s page cache of any readable file. This enables corruption of in-memory representations of privileged binaries (for example, \/usr\/bin\/su) without modifying the on-disk file.<\/p>\n<p class=\"wp-block-paragraph\">When executed, the modified binary yields root privileges, effectively breaking the system\u2019s privilege boundary. Notably, the exploit is deterministic, does not rely on race conditions, and could be implemented in a very small (~732-byte) script that works across distributions. Because the page cache is shared across containers and the host, the vulnerability also enables cross-container impacts and container escape scenarios.<\/p>\n<p class=\"wp-block-paragraph\">The following is one possible exploitation attack chain.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.europesays.com\/ai\/wp-content\/uploads\/2026\/05\/image-11.webp\" alt=\"\" class=\"wp-image-147101 webp-format\"  data-orig-src=\"https:\/\/www.europesays.com\/ai\/wp-content\/uploads\/2026\/05\/image-11.webp\"\/><\/p>\n<p class=\"wp-block-paragraph\">Phase 1: The attacker begins with reconnaissance. This may occur after gaining limited visibility into an environment (for example, a compromised CI runner, web container, or multi-tenant host). 
Kernel version information is easily obtainable from within containers and user namespaces and does not require elevated privileges.<\/p>\n<p class=\"wp-block-paragraph\">Because containers share the host kernel, a single vulnerable kernel version immediately expands the impact radius from one container to the entire node.<\/p>\n<p class=\"wp-block-paragraph\">Phase 2: The attacker leverages a compact Python script that interacts only with standard kernel interfaces exposed to unprivileged users. The script does not rely on networking, compilation, or third-party libraries, making it ideal for execution in restricted containers and hardened environments.<\/p>\n<p class=\"wp-block-paragraph\">Phase 3: The attacker runs the script as either a regular Linux user on a host, or a compromised container process with no special capabilities. Crucially, the vulnerability does not require root inside the container, kernel modules, or network access. This makes it ideal for post-exploitation scenarios where the attacker already has any foothold at all.<\/p>\n<p class=\"wp-block-paragraph\">Phase 4: The exploit abuses an interaction between the AF_ALG (asynchronous crypto) socket interface, the splice() system call, and improper error handling during a failed copy operation. This results in a controlled 4-byte overwrite in the kernel page cache, allowing the attacker to corrupt sensitive kernel-managed data even though they are unprivileged. This corruption occurs entirely within the kernel, bypassing traditional user-space protections.<\/p>\n<p class=\"wp-block-paragraph\">Phase 5: By corrupting kernel structures associated with credentials or execution context, the attacker escalates their process to UID 0. This completes the transition from unprivileged user to full root without touching the network. 
At this point, kernel trust boundaries are broken, SELinux\/AppArmor protections are effectively neutralized, and local security controls are bypassed.<\/p>\n<p>Mitigation and protection guidance<\/p>\n<p class=\"wp-block-paragraph\" id=\"immediate-actions-0-24-hours\">Immediate actions (0-24 hours):<\/p>\n<p>Identify all instances of affected products\/versions in your environment.<\/p>\n<p>Apply mitigation based on patch availability: If patches exist, apply them immediately. Links to security bulletins and vendor patches are available at <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-31431\" rel=\"nofollow noopener\" target=\"_blank\">NVD \u2013 CVE-2026-31431<\/a>.<\/p>\n<p>If no patches exist, choose one of these interim mitigations:<\/p>\n<p class=\"wp-block-paragraph\">\u25cb Disable the affected feature (AF_ALG socket creation; see below)<\/p>\n<p class=\"wp-block-paragraph\">\u25cb Implement network isolation<\/p>\n<p class=\"wp-block-paragraph\">\u25cb Apply access controls<\/p>\n<p>Review logs for signs of exploitation.<\/p>\n<p class=\"wp-block-paragraph\">Because this vulnerability impacts a large swath of Linux devices, it is strongly recommended to do the following:<\/p>\n<p>Patch or update your distribution\u2019s kernel packages, or block AF_ALG socket creation.<\/p>\n<p>Treat any container RCE as a potential host compromise and enforce rapid node recycling after compromise indicators.<\/p>\n<p>Microsoft Defender XDR detections<\/p>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can refer to the following list of applicable detections. 
Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n<p class=\"wp-block-paragraph\">Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.<\/p>\n<table><thead><tr><th>Tactic<\/th><th>Observed activity<\/th><th>Microsoft Defender coverage<\/th><\/tr><\/thead><tbody><tr><td>Execution<\/td><td>Exploitation of CVE-2026-31431<\/td><td><p>Microsoft Defender Antivirus<br \/>\u2013 Exploit:Linux\/CopyFailExpDl.A<br \/>\u2013 Exploit:Python\/CopyFail.A<br \/>\u2013 Exploit:Linux\/CVE-2026-31431.A<br \/>\u2013 Behavior:Linux\/CVE-2026-31431<\/p>\n<p>Microsoft Defender for Endpoint<br \/>\u2013 Possible CVE-2026-31431 (\u201cCopy Fail\u201d) vulnerability exploitation<\/p>\n<p>Microsoft Defender for Cloud<br \/>\u2013 Potential exploitation of copy-fail vulnerability detected<\/p><\/td><\/tr><\/tbody><\/table>\n<p class=\"wp-block-paragraph\">Microsoft Defender Vulnerability Management (MDVM) also surfaces devices in customer environments that might be vulnerable to CVE-2026-31431.<\/p>\n<p>References<\/p>\n<p class=\"wp-block-paragraph\">This research is provided by Microsoft Defender Security Research with contributions from Andrea Lelli, Dietrich Nembhard, Nir Avnery, Ori Glassman, and members of Microsoft Threat Intelligence.<\/p>\n<p>Learn more<\/p>\n<p class=\"wp-block-paragraph\">For the latest security research from the Microsoft Threat Intelligence community, check out the <a href=\"https:\/\/aka.ms\/threatintelblog\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Microsoft Threat Intelligence Blog<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To get notified about new publications and to join discussions on social media, follow us on <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\" 
target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>, <a href=\"https:\/\/x.com\/MsftSecIntel\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X (formerly Twitter)<\/a>, and <a href=\"https:\/\/bsky.app\/profile\/threatintel.microsoft.com\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Bluesky<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Microsoft Threat Intelligence podcast<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.<\/p>\n","protected":false},"excerpt":{"rendered":"Microsoft Defender is investigating a high-severity local privilege escalation vulnerability (CVE-2026-31431) affecting multiple major 
Linux&hellip;\n","protected":false},"author":2,"featured_media":25130,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[420,7853,416,333,320,7852],"class_list":{"0":"post-25129","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-microsoft","8":"tag-azure","9":"tag-azure-copilot","10":"tag-copilot","11":"tag-linux","12":"tag-microsoft","13":"tag-microsoft-copilot"},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/25129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/comments?post=25129"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/25129\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media\/25130"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media?parent=25129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/categories?post=25129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/tags?post=25129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}