CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments
Microsoft Defender Security Research Team · 4 days ago
ATT&CK techniques detected
6 predictions
T1068 Exploitation for Privilege Escalation
99%
“cve-2026-31431: copy fail vulnerability enables linux root privilege escalation across cloud environments microsoft defender is investigating a high-severity local privilege escalation vulnerability (cve-2026-31431) affecting multiple major linux distributions includ…”
T1611 Escape to Host
92%
“container, or multi‑tenant host). kernel version information is easily obtainable from within containers and user namespaces and does not require elevated privileges. because containers share the host kernel, a single vulnerable kernel version immediately expands the impact ra…”
T1068 Exploitation for Privilege Escalation
91%
“##es environments where untrusted code execution is common. cve-2026-31431 (also known as “copy fail”) is a high‑severity local privilege escalation (lpe) vulnerability affecting the linux kernel’s cryptographic subsystem. the vulnerability type is a logic flaw with…”
T1068 Exploitation for Privilege Escalation
89%
“for this vulnerability, as well as mitigation recommendations and hunting guidance for customers to act on. further investigation towards providing stronger protection measures is in progress, and this report will be updated when more information becomes available. vulnerability …”
T1190 Exploit Public-Facing Application
53%
“review logs for signs of exploitation. because this vulnerability impacts a large swath of linux devices, it is strongly recommended to do the following: patch or update your distribution’s kernel packages or to block af_alg socket creation. treat any container rce as potent…”
T1588.006 Vulnerabilities
48%
“on every major linux distribution. – xint new linux ‘copy fail’ flaw gives hackers root on major distros this research is provided by microsoft defender security research with contributions from andrea lelli, dietrich nembhard, nir avnery, ori glassman, and members of microsoft…”
Summary
A high-severity Linux vulnerability, “Copy Fail” (CVE-2026-31431), enables root privilege escalation across cloud environments and Kubernetes workloads. With a working exploit already in the wild, organizations should act quickly to detect, mitigate, and reduce risk.