CVE-2026-31431 is a Linux kernel flaw, classified as CWE-669 (Incorrect Resource Transfer Between Spheres), that can enable local privilege escalation to root and, in some cases, a bypass of isolation boundaries. The Canadian Centre for Cyber Security warned that the impact becomes more severe when the bug is chained with a remote code execution vulnerability, and urged organizations to identify exposed systems, apply vendor fixes, reboot after kernel updates, restrict access, enforce kernel security controls, monitor logs, and segment high-risk or Internet-facing workloads.
Vendor and community activity indicates broad exposure across modern Linux platforms. Red Hat lists RHEL 8, RHEL 9, RHEL 10, and corresponding kernel-rt packages as affected, while RHEL 6 and RHEL 7 are marked not affected because the vulnerable code is absent. Public exploit interest accelerated after Theori published the "Copy Fail" technical write-up and proof-of-concept repository, which references testing on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16; Rocky Linux also published related errata, signaling downstream patch availability in enterprise Linux ecosystems.

5 events from the most recent confirmed update back to the earliest known activity.
The Canadian Centre for Cyber Security published Alert AL26-009 warning that CVE-2026-31431 could enable privilege escalation to root or bypass isolation mechanisms on vulnerable Linux systems. The alert stressed higher risk when chained with remote code execution and urged organizations to identify affected systems, apply patches, reboot, and harden exposed workloads.
A GitHub repository by theori-io published a technical write-up and proof-of-concept exploit for 'Copy Fail' (CVE-2026-31431), including exploit code and tested kernel/distribution details. The repository quickly drew broad public attention, indicating active security community interest in exploitation details.
Red Hat's CVE page identifies Red Hat OpenShift Container Platform 4 rhcos as affected by CVE-2026-31431, expanding the known impact beyond the RHEL kernel packages already noted. The same page continues to mark RHEL 6, RHEL 7, and RHEL 7 kernel-rt as not affected because the vulnerable code is not present.
Red Hat's product impact matrix for CVE-2026-31431 states that RHEL 8, RHEL 8 kernel-rt, RHEL 9, RHEL 9 kernel-rt, and RHEL 10 kernel are affected, while RHEL 6, RHEL 7, and RHEL 7 kernel-rt are not affected because the vulnerable code is not present.
Rocky Linux issued product errata RLSA-2026:12265 and RLSA-2026:12271 related to CVE-2026-31431, indicating vendor remediation activity for affected systems.