CVE-2026-31431 Linux Copy Fail: Root Escalation Hits Kubernetes, Red Hat, Ubuntu
Quick summary
Linux kernel CVE-2026-31431 "Copy Fail" allows local privilege escalation to root. Affects Kubernetes worker nodes, Red Hat Enterprise Linux, Ubuntu LTS, and AWS Linux 2.
CVE-2026-31431, nicknamed "Copy Fail" by the researchers who found it, is a local privilege escalation vulnerability in the Linux kernel that allows an unprivileged user on an affected system to escalate to root. It was disclosed on May 5, 2026 with a CVSS base score of 7.8. Patches are available for Red Hat Enterprise Linux, Ubuntu LTS (22.04 and 24.04), Debian, and AWS Linux 2. Kubernetes worker nodes running unpatched kernels are the highest-priority fix target because the exploit path from container process to node root is reliable on affected kernel versions.
If you run Kubernetes, patch your node kernel before you patch anything else. The vulnerability does not require network access — it is local only — but "local" in a Kubernetes context means any container with exec access to a node, which is a much broader attack surface than it sounds.
The Technical Details
Copy Fail is a flaw in the kernel's copy_to_user mechanism, specifically in how it handles error recovery when a copy operation fails partway through due to a page fault on the destination address.
The normal execution path: a syscall copies data from kernel space to user space using copy_to_user. If the destination address in user space is not yet mapped (a page fault occurs), the kernel handles the fault and retries the copy. On success, the copied data is visible to the calling process.
The buggy path: when the copy fails due to a specific race condition between the page fault handler and a concurrent memory mapping operation — an mmap with MAP_FIXED — the kernel miscounts the bytes successfully copied and returns a partial-success result. The calling process receives a return code indicating fewer bytes were copied than actually were. In the right circumstances, a crafted syscall sequence exploits this miscounting to write controlled data to a kernel address the process should not be able to reach.
The exploit chain: write crafted data to a kernel struct that holds a function pointer. When the kernel later calls that function pointer during a subsequent syscall, execution transfers to attacker-controlled code running in kernel context. Kernel context is root equivalent — the escalation is complete.
This class of bug (copy accounting error + function pointer overwrite) is not novel. It follows the same general pattern as several prior Linux kernel LPEs. What makes Copy Fail significant is that the affected kernel versions span a wide range and the race condition window is wide enough that exploit reliability is high on modern multi-core systems.
Which Kernel Versions Are Affected
The vulnerability exists in Linux kernel versions 5.15 through 6.6. This range covers:
- Ubuntu 22.04 LTS: ships kernel 5.15 (default) or 6.5 (with HWE stack) — both affected
- Ubuntu 24.04 LTS: ships kernel 6.8 — not affected by default, but kernel 6.6 available via HWE is affected
- Red Hat Enterprise Linux 8: kernel 4.18 series — not directly affected (pre-5.15), but check your specific build as backported components may introduce the vulnerable code path
- Red Hat Enterprise Linux 9: kernel 5.14 series — check vendor advisory; 5.14 is close to the affected boundary and RHEL 9.4+ with certain kernel options may be affected
- Debian Bookworm (12): kernel 6.1 — affected
- AWS Linux 2: kernel 5.10 — check Amazon's advisory; the vulnerable copy path was backported into the AL2 5.10 series in a late 2025 update
- AWS Linux 2023: kernel 6.1 — affected; Amazon issued a security advisory with patched package available
Kernel versions below 5.15 and above 6.6 (i.e., 6.7+) are not affected by the original vulnerability, though distributions may have backported or forward-ported the affected code — always verify against your distribution's specific security advisory.
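As an added example (not code from the advisory or from this article's author), a Python script that triages each node's reported kernel against the 5.15 through 6.6 range above, reading the JSON that `kubectl get nodes -o json` prints. The node names and versions embedded below are constructed, and keying on the el8, el9 and amzn2 release-string tags is an assumption about vendor naming, so the output is a patch priority list, not a substitute for the distribution's security advisory.

```python
import json
import re

# Affected range as stated on this page: kernel 5.15 through 6.6 (compared on major.minor only).
AFFECTED_MIN = (5, 15)
AFFECTED_MAX = (6, 6)

# Series the page says to check against the vendor advisory because the vulnerable copy path
# may have been backported: RHEL 8 (4.18), RHEL 9 (5.14) and AWS Linux 2 (5.10).
# The tag strings are an assumption about how those vendors suffix their release strings.
VENDOR_CHECK = {"el8": (4, 18), "el9": (5, 14), "amzn2": (5, 10)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)")


def classify_kernel(release):
    """Classify a `uname -r` string as 'affected', 'verify-with-vendor', 'not-affected' or 'unknown'."""
    m = _VERSION_RE.match(release)
    if not m:
        return "unknown"
    ver = (int(m.group(1)), int(m.group(2)))
    if AFFECTED_MIN <= ver <= AFFECTED_MAX:
        return "affected"
    for tag, series in VENDOR_CHECK.items():
        # Distribution tags live in the release suffix, e.g. "...el9_4.x86_64" or "...amzn2.x86_64".
        if tag in release and ver == series:
            return "verify-with-vendor"
    return "not-affected"


def nodes_to_patch(nodes_json):
    """Map node name -> classification, from the JSON printed by `kubectl get nodes -o json`."""
    doc = json.loads(nodes_json)
    return {
        item["metadata"]["name"]: classify_kernel(item["status"]["nodeInfo"]["kernelVersion"])
        for item in doc["items"]
    }


# Constructed sample in the shape of `kubectl get nodes -o json`, trimmed to the fields used.
SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "worker-ubuntu-2204"}, "status": {"nodeInfo": {"kernelVersion": "5.15.0-119-generic"}}},
    {"metadata": {"name": "worker-ubuntu-2404"}, "status": {"nodeInfo": {"kernelVersion": "6.8.0-45-generic"}}},
    {"metadata": {"name": "worker-debian-12"}, "status": {"nodeInfo": {"kernelVersion": "6.1.0-25-amd64"}}},
    {"metadata": {"name": "worker-al2"}, "status": {"nodeInfo": {"kernelVersion": "5.10.225-213.878.amzn2.x86_64"}}},
    {"metadata": {"name": "worker-rhel9"}, "status": {"nodeInfo": {"kernelVersion": "5.14.0-427.13.1.el9_4.x86_64"}}},
]})

if __name__ == "__main__":
    for name, status in sorted(nodes_to_patch(SAMPLE_NODES).items()):
        print(f"{name:20} {status}")
```

Pipe real output in with `kubectl get nodes -o json | python3 triage.py` after replacing SAMPLE_NODES with `sys.stdin.read()`; a node reported as "affected" still needs its vendor advisory consulted for the exact fixed package version.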
The Kubernetes Risk Surface
For standalone Linux servers, CVE-2026-31431 requires local user access to exploit — a user must have a shell or process running on the affected machine. That limits exposure on servers with tight SSH access controls.
Kubernetes changes that calculus significantly. In a typical Kubernetes cluster:
- Containerised workloads run on worker nodes. Any container that can exec (kubectl exec or equivalent) into a pod on a node has process-level access on that node.
- Multi-tenant clusters where multiple teams or applications share worker nodes are the worst-case scenario: one compromised or malicious tenant container can escalate to node root.
- From node root, an attacker can read secrets mounted by other pods, access the node's kubelet credential, and depending on RBAC configuration, pivot to the Kubernetes API server.
The severity is effectively elevated from 7.8 (local) to critical in multi-tenant Kubernetes environments, because "local" access is available to any container on the node.
The mitigating factor is that most well-configured Kubernetes clusters already restrict pod exec access, run containers as non-root with seccomp profiles, and use network policies that limit lateral movement. Copy Fail does not bypass seccomp directly: the exploit runs in user space and reaches the kernel only through syscalls, so a correctly applied seccomp profile that denies the specific syscall sequence can block it. The catch is that the required syscalls (mmap and the copy syscall) are commonly allowed even in restrictive profiles.
How to Patch
Ubuntu 22.04 and 24.04: Run apt update && apt upgrade linux-image to get the patched kernel. Reboot required. Ubuntu security advisory USN-7XXX-1 covers this (check Ubuntu security notices for the exact USN).
Red Hat Enterprise Linux: Run yum update kernel or dnf update kernel and reboot. RHSA-2026:XXXX is the advisory reference — check access.redhat.com for your exact RHEL version.
Kubernetes (any distribution): Patch the underlying node OS kernel first. For managed Kubernetes (EKS, GKE, AKS), the cloud provider will release patched node AMI/image versions — check their security bulletins and update your node groups to the patched version. For self-managed Kubernetes, update the OS on each worker node and drain + reboot nodes one at a time to maintain cluster availability.
AWS Linux 2: sudo yum update kernel followed by a reboot. Amazon's security bulletin ALAS-2026-XXXX contains the patched package details.
Check that the running kernel version matches the patched version after reboot: uname -r. If the old kernel is still running, the reboot did not complete correctly.
Temporary Mitigation Without Patching
If you cannot immediately reboot nodes (production systems with long-running workloads), the following reduces exploitation risk without eliminating it:
Restrict pod exec access in Kubernetes by removing exec permissions from RBAC roles that do not explicitly need them. The primary exploit path from container to node root requires the attacker to have a shell in a container on the target node.
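An added example, not code from the advisory or from this article, that audits which Roles and ClusterRoles grant the pods/exec subresource (the permission kubectl exec needs) and strips it from a rule set. The role JSON embedded below is constructed in the shape of kubectl's JSON list output.

```python
import json

# kubectl exec creates the pods/exec subresource; a rule on plain "pods" does not grant it.
EXEC_RESOURCE = "pods/exec"

def rule_grants_exec(rule):
    """True if one RBAC PolicyRule allows `create` on pods/exec, explicitly or via wildcards."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    in_core_group = "" in groups or "*" in groups
    has_exec = EXEC_RESOURCE in resources or "*" in resources
    can_create = "create" in verbs or "*" in verbs
    return in_core_group and has_exec and can_create

def roles_granting_exec(roles_json):
    """Roles/ClusterRoles in a kubectl JSON list that allow exec, labelled kind/namespace/name."""
    found = []
    for role in json.loads(roles_json)["items"]:
        meta = role["metadata"]
        label = "/".join(p for p in (role["kind"], meta.get("namespace"), meta["name"]) if p)
        if any(rule_grants_exec(r) for r in role.get("rules", [])):
            found.append(label)
    return found

def without_exec(rules):
    """Copy of the rules with pods/exec removed; a rule that only granted exec is dropped."""
    cleaned = []
    for rule in rules:
        resources = [r for r in rule.get("resources", []) if r != EXEC_RESOURCE]
        if not resources:
            continue
        cleaned.append({**rule, "resources": resources})
    return cleaned  # wildcard ("*") resource rules are left as-is and must be narrowed by hand

# Constructed sample in the shape of `kubectl get roles,clusterroles -A -o json`, trimmed to the fields used.
SAMPLE_ROLES = json.dumps({"items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"}, "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"}, "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "debug-exec", "namespace": "team-a"}, "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["create", "get"]}]},
    {"kind": "Role", "metadata": {"name": "pods-rw", "namespace": "team-b"}, "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]},
]})

if __name__ == "__main__":
    for label in roles_granting_exec(SAMPLE_ROLES):
        print("grants exec:", label)
```

A rule on plain pods, even with verbs ["*"], does not grant exec; pods/exec must be listed explicitly or covered by a wildcard resource, which is why the audit reports wildcard roles but the cleaner does not rewrite them.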
Apply a seccomp profile that restricts the specific mmap flag combinations used in the exploit chain. Specific seccomp filter rules have been published by the researchers; check the CVE-2026-31431 disclosure advisory for the filter specification.
These mitigations reduce attack surface but are not substitutes for patching. Plan the reboot.
Key Takeaways
- CVE-2026-31431 "Copy Fail": Linux kernel local privilege escalation, CVSS 7.8; affected versions: kernel 5.15 through 6.6; disclosed May 5, 2026
- Attack path: Race condition in copy_to_user + MAP_FIXED mmap → partial-success return code miscounting → controlled write to kernel function pointer → kernel-context code execution = root
- Kubernetes severity elevated: Any container with exec access on an unpatched node can escalate to node root; multi-tenant clusters are critical priority
- Affected distributions: Ubuntu 22.04/24.04 LTS, Debian Bookworm, AWS Linux 2023, AWS Linux 2 (via backport), some RHEL 9.x configurations — patch now and reboot
- Temporary mitigation: Restrict kubectl exec RBAC permissions; apply seccomp profile filtering the specific mmap flag sequence — not a substitute for patching
- Patch verification: Run uname -r after reboot to confirm patched kernel version is loaded
For the cPanel authentication bypass that was also exploited for 70 days, read CVE-2026-41940: cPanel Auth Bypass Exploited 70+ Days Before Patch. For the ConnectWise ScreenConnect RCE with a CISA deadline, read CVE-2026-32202: ConnectWise ScreenConnect RCE.
Frequently Asked Questions
What is CVE-2026-31431 Copy Fail and which Linux versions are affected?
CVE-2026-31431 "Copy Fail" is a local privilege escalation vulnerability in Linux kernel versions 5.15 through 6.6, disclosed May 5, 2026 with CVSS 7.8. A local unprivileged user can escalate to root by exploiting a race condition in the copy_to_user kernel function that causes the kernel to miscount bytes copied, enabling a controlled write to a kernel function pointer. Affected distributions include Ubuntu 22.04 and 24.04 LTS, Debian Bookworm, AWS Linux 2023, AWS Linux 2 (via backport), and some RHEL 9.x configurations. Kernels below 5.15 and above 6.6 are not affected by the original vulnerability.
Why is CVE-2026-31431 particularly dangerous in Kubernetes clusters?
In standalone Linux servers, Copy Fail requires local shell access — a limited attack surface if SSH is controlled. In Kubernetes, "local" access means any container with exec permissions on a worker node can exploit the vulnerability to escalate to node root. From node root, an attacker can read secrets mounted by other pods, access kubelet credentials, and potentially pivot to the Kubernetes API server. In multi-tenant clusters with multiple teams or applications sharing worker nodes, the effective severity is critical rather than the baseline CVSS 7.8.
How do I patch CVE-2026-31431 on Ubuntu, Red Hat, or AWS?
Ubuntu: run apt update && apt upgrade linux-image and reboot. Red Hat: run dnf update kernel and reboot, checking RHSA-2026 advisory for your specific RHEL version. AWS Linux 2023 and AWS Linux 2: run sudo yum update kernel and reboot, checking Amazon's ALAS-2026 bulletin. For Kubernetes, update node OS kernel first, then drain and reboot nodes one at a time to maintain cluster availability. For managed Kubernetes (EKS, GKE, AKS), update node groups to the patched node image released by your cloud provider. After rebooting, verify with uname -r that the patched kernel version is loaded.
Can I mitigate CVE-2026-31431 without rebooting my Kubernetes nodes immediately?
Yes, temporarily. Remove kubectl exec permissions from RBAC roles that do not explicitly need them — this cuts off the primary container-to-node attack path. Apply a seccomp profile filtering the specific mmap flag combinations used in the exploit chain (filter specification published in the CVE-2026-31431 advisory). These mitigations reduce attack surface but do not eliminate the vulnerability. They are appropriate for a few hours while scheduling a maintenance window, not as a permanent deferral. Plan to patch and reboot.