Microsoft flags Linux kernel flaw that turns limited cloud access into full root compromise

A Linux kernel vulnerability that Microsoft researchers discovered and disclosed this week is drawing urgent attention from cloud and Kubernetes security teams for a specific reason: it turns a relatively ordinary level of initial access into something considerably more dangerous. The flaw, tracked as CVE-2026-31431 and nicknamed Copy Fail, allows an unprivileged local user to escalate privileges all the way to root on affected systems, with a CVSS score of 7.8 reflecting how seriously the security community rates that capability.

The technical mechanism behind Copy Fail sits in the Linux kernel's cryptographic subsystem, specifically in the algif_aead module of AF_ALG, the Linux userspace cryptography API. By exploiting the interaction between the AF_ALG socket interface and the splice() system call, an attacker can perform a controlled four-byte write into the kernel page cache of a readable file. That write corrupts the in-memory version of privileged binaries like /usr/bin/su without touching the file stored on disk, which means standard file integrity checks would not flag the compromise. The result is a root shell for an attacker who started with unprivileged local access.

The vulnerability affects Linux kernels released from 2017 onward until vendors apply patches. Affected distributions include Red Hat, SUSE, Ubuntu, Amazon Linux, Debian, Fedora, and Arch Linux, depending on kernel version and patch status, which covers a substantial portion of enterprise and cloud Linux deployments globally.

Cloud and Kubernetes environments carry specific exposure here because containers share the host kernel. Microsoft noted that successful exploitation could support container breakout, multi-tenant compromise, and lateral movement across shared environments. Any scenario where untrusted code runs locally, such as CI/CD pipelines, compromised container processes, or SSH-accessible systems, creates the initial foothold that Copy Fail can then convert into root access.
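Because the technique starts with an AF_ALG socket, one piece of telemetry a defender can add while nodes are being patched is auditing which processes open sockets of that family. The script below is an added example and is not from Microsoft or the article: it parses Linux audit SYSCALL records (the sample lines are constructed) and reports AF_ALG socket creations by processes that are not on an allow-list. It assumes an audit rule already records socket() calls; the allow-listed executable path is a placeholder, since legitimate AF_ALG users vary by host. Audit prints syscall arguments in hex (AF_ALG is family 38, so a0=26), and the socket() syscall number differs per architecture, which the table handles.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

AF_ALG = 38  # socket address family of the kernel crypto API (linux/socket.h)

# socket() syscall number keyed by the 'arch' value the audit subsystem prints
SOCKET_SYSCALL_BY_ARCH: Dict[str, int] = {
    "c000003e": 41,   # x86_64
    "c00000b7": 198,  # aarch64
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"audit\((\d+\.\d+):\d+\)")


@dataclass
class AfAlgEvent:
    timestamp: str
    pid: int
    uid: int
    comm: str
    exe: str


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into key=value fields, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def af_alg_events(lines: Iterable[str]) -> List[AfAlgEvent]:
    """Return every SYSCALL record that created an AF_ALG socket."""
    events: List[AfAlgEvent] = []
    for line in lines:
        f = parse_record(line)
        if f.get("type") != "SYSCALL":
            continue
        expected = SOCKET_SYSCALL_BY_ARCH.get(f.get("arch", ""))
        if expected is None or f.get("syscall") != str(expected):
            continue
        try:
            family = int(f["a0"], 16)  # first argument of socket(): the family
        except (KeyError, ValueError):
            continue
        if family != AF_ALG:
            continue
        ts = TS_RE.search(line)
        events.append(AfAlgEvent(
            timestamp=ts.group(1) if ts else "",
            pid=int(f.get("pid", "0")),
            uid=int(f.get("uid", "0")),
            comm=f.get("comm", ""),
            exe=f.get("exe", ""),
        ))
    return events


def unexpected_af_alg(lines: Iterable[str], allowed_exes: Set[str]) -> List[AfAlgEvent]:
    """AF_ALG socket creations by executables outside the allow-list."""
    return [e for e in af_alg_events(lines) if e.exe not in allowed_exes]


# Constructed sample records (not real host data). Line 1: AF_ALG socket from a
# script in a CI runner; line 2: ordinary AF_INET socket; line 3: AF_ALG socket
# from an allow-listed tool on an aarch64 node; line 4: a non-SYSCALL record.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1746100000.123:4567): arch=c000003e syscall=41 success=yes '
    'exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1200 pid=1234 auid=4294967295 uid=1000 '
    'gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3" key="af_alg"',
    'type=SYSCALL msg=audit(1746100001.456:4568): arch=c000003e syscall=41 success=yes '
    'exit=4 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 '
    'comm="curl" exe="/usr/bin/curl" key="af_alg"',
    'type=SYSCALL msg=audit(1746100002.789:4569): arch=c00000b7 syscall=198 success=yes '
    'exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=777 auid=4294967295 uid=0 '
    'comm="cryptotool" exe="/usr/sbin/example-crypto-tool" key="af_alg"',
    'type=PROCTITLE msg=audit(1746100002.789:4569): proctitle="example-crypto-tool"',
]

# Placeholder allow-list; populate from the host's own baseline of AF_ALG users.
ALLOWED_EXES = {"/usr/sbin/example-crypto-tool"}

if __name__ == "__main__":
    for e in unexpected_af_alg(SAMPLE_LINES, ALLOWED_EXES):
        print(f"{e.timestamp} pid={e.pid} uid={e.uid} comm={e.comm} exe={e.exe}")
```

Run against live `ausearch -k af_alg` output, the report is a starting point for triage, not a verdict: a container process with no reason to use the kernel crypto API opening AF_ALG on an unpatched node is worth a closer look, while known users should be moved into the allow-list after the baseline is established.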

The US Cybersecurity and Infrastructure Security Agency added CVE-2026-31431 to its Known Exploited Vulnerabilities catalogue on May 1, signaling active concern rather than theoretical risk. Microsoft reported limited active exploitation so far, primarily in proof-of-concept testing, but the deterministic nature of the exploit makes rapid patching the appropriate response rather than a monitored wait.

For Kubernetes environments, Microsoft specifically noted that remediation covers node operating systems rather than just application containers, a distinction that security teams managing containerized infrastructure should act on without delay.
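Since the fix lives in the node kernel and not in any container image, the first step is knowing which kernel each node runs. The script below is an added example, not Microsoft's or the article's code: it takes the JSON that `kubectl get nodes -o json` produces, groups nodes by the `status.nodeInfo.kernelVersion` field, and lists the nodes whose kernel is not in a set of patched versions. The node JSON and the kernel version strings are constructed placeholders; the real patched versions come from each distribution's advisory for CVE-2026-31431, which this article does not list.

```python
import json
from collections import defaultdict
from typing import Dict, List, Set


def node_kernel_inventory(nodes_json: str) -> Dict[str, List[str]]:
    """Group node names by kernel version from `kubectl get nodes -o json` output."""
    doc = json.loads(nodes_json)
    by_kernel: Dict[str, List[str]] = defaultdict(list)
    for item in doc.get("items", []):
        name = item["metadata"]["name"]
        info = item.get("status", {}).get("nodeInfo", {})
        by_kernel[info.get("kernelVersion", "unknown")].append(name)
    return {k: sorted(v) for k, v in by_kernel.items()}


def nodes_needing_patch(nodes_json: str, patched_kernels: Set[str]) -> List[str]:
    """Nodes whose kernel is not in the set of versions known to carry the fix."""
    inventory = node_kernel_inventory(nodes_json)
    pending: List[str] = []
    for kernel, names in inventory.items():
        if kernel not in patched_kernels:
            pending.extend(names)
    return sorted(pending)


def remediation_plan(nodes_json: str, patched_kernels: Set[str]) -> List[str]:
    """kubectl steps (as text) for rolling each affected node out of service."""
    steps: List[str] = []
    for node in nodes_needing_patch(nodes_json, patched_kernels):
        steps.append(f"kubectl cordon {node}")
        steps.append(f"kubectl drain {node} --ignore-daemonsets --delete-emptydir-data")
        steps.append(f"# patch and reboot {node}, then: kubectl uncordon {node}")
    return steps


# Constructed sample shaped like `kubectl get nodes -o json`; version strings
# are placeholders, not real patched or vulnerable kernels.
SAMPLE_NODES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "worker-a"},
         "status": {"nodeInfo": {"kernelVersion": "PLACEHOLDER-OLD-KERNEL",
                                 "osImage": "Example Linux 1.0"}}},
        {"metadata": {"name": "worker-b"},
         "status": {"nodeInfo": {"kernelVersion": "PLACEHOLDER-OLD-KERNEL",
                                 "osImage": "Example Linux 1.0"}}},
        {"metadata": {"name": "worker-c"},
         "status": {"nodeInfo": {"kernelVersion": "PLACEHOLDER-FIXED-KERNEL",
                                 "osImage": "Example Linux 1.1"}}},
    ]
})

# Placeholder: replace with the fixed kernel versions from your distribution's advisory.
PATCHED_KERNELS = {"PLACEHOLDER-FIXED-KERNEL"}

if __name__ == "__main__":
    for kernel, names in node_kernel_inventory(SAMPLE_NODES_JSON).items():
        print(f"{kernel}: {', '.join(names)}")
    print("\n".join(remediation_plan(SAMPLE_NODES_JSON, PATCHED_KERNELS)))
```

The inventory is deliberately keyed on the kernel string rather than the OS image name, because two nodes on the same image can still differ in kernel after a partial rollout; rebuilding or redeploying containers changes neither value.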
