Overview
- CISA, which added CVE-2026-31431 to its Known Exploited Vulnerabilities list Friday, now requires federal agencies to patch by May 15.
- Copy Fail is a Linux kernel logic flaw that lets any local user write four chosen bytes into a file’s in‑memory page cache, so a cached setuid binary like /usr/bin/su can run attacker code as root without changing the disk file.
- Researchers released a small, reliable Python proof‑of‑concept that works across major distributions shipped since 2017, with ports in other languages now circulating publicly.
- Microsoft reports only limited in‑the‑wild activity focused on testing, while warning that the exploit’s portability and in‑memory stealth raise the risk for containers, Kubernetes nodes, and multi‑tenant cloud servers.
- Upstream fixes exist and vendors are rolling out patched kernels, yet many systems remain exposed. Teams are urged to identify vulnerable hosts, apply updates or disable the affected crypto interface, tighten access, and watch logs for signs of page‑cache tampering.