CISA Adds Linux Kernel Flaw to Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly disclosed Linux kernel security flaw to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2026-31431, allows a local attacker to gain full root access on affected Linux systems through an incorrect resource transfer between security spheres.
Vulnerability Summary
| Field | Value |
|---|---|
| CVE ID | CVE-2026-31431 |
| Affected Component | Linux Kernel |
| Vulnerability Type | Incorrect Resource Transfer Between Spheres |
| Impact | Local Privilege Escalation to Root |
| CISA KEV Added | 2026-05-03 |
| Exploitation Status | Actively Exploited |
What Is CVE-2026-31431?
CVE-2026-31431 is a privilege escalation vulnerability in the Linux kernel stemming from incorrect handling of resource transfers across privilege boundaries — a class of flaw categorized as "Incorrect Resource Transfer Between Spheres" (CWE-669). When successfully exploited, the vulnerability allows a local, low-privileged attacker to elevate their permissions to root, achieving full system control without requiring any network-facing service or user interaction beyond executing a crafted local process.
This class of vulnerability is particularly dangerous because:
- Post-exploitation chaining: Attackers who have already gained a foothold through another vector (phishing, web shell, credential theft) can immediately escalate to root.
- Container escape potential: In containerized or shared-hosting environments, privilege escalation flaws can enable escape from container boundaries.
- Kernel-level persistence: With root access, attackers can install kernel rootkits, modify system binaries, and create persistence mechanisms that survive reboots and standard malware scans.
Active Exploitation Confirmed
CISA's addition of this CVE to the KEV catalog means U.S. federal civilian executive branch agencies must remediate it by the due date CISA assigns to the entry under Binding Operational Directive 22-01. CISA adds a vulnerability to KEV only when it has a CVE identifier, reliable evidence of active in-the-wild exploitation (public proof-of-concept code alone does not qualify), and a clear remediation action such as a vendor patch.
Security researchers and threat intelligence teams have observed this flaw being used in post-compromise privilege escalation chains, frequently following initial access via credential theft or exploitation of internet-facing services.
Affected Distributions
While CISA's advisory references the Linux kernel broadly, CVE-2026-31431 affects multiple major Linux distributions. Users and administrators of the following should prioritize patching:
- Red Hat Enterprise Linux / CentOS / AlmaLinux / Rocky Linux
- Ubuntu and Debian
- SUSE Linux Enterprise
- Fedora
- Amazon Linux
- Any distribution shipping an affected kernel version
Check with your distribution's security advisory feed for the specific kernel versions impacted.
Remediation Guidance
For System Administrators
- Apply kernel updates immediately. Pull the fixed kernel package with your distribution's package manager. On Debian and Ubuntu, upgrade the kernel metapackage rather than `linux-image-$(uname -r)`: the latter only refreshes the package for the kernel that is already running and never installs a newer kernel ABI.

```bash
# Debian (amd64)
sudo apt update && sudo apt install --only-upgrade linux-image-amd64
# Ubuntu (or the HWE metapackage you installed)
sudo apt update && sudo apt install --only-upgrade linux-image-generic
# RHEL/CentOS/AlmaLinux/Rocky/Fedora
sudo dnf update kernel
# SUSE
sudo zypper update kernel-default
```

- Reboot after patching. A new kernel only takes effect at boot, so schedule maintenance windows for production systems accordingly.
- Verify the patched kernel is running after the reboot, and compare the output with the fixed kernel version named in your distribution's advisory:

```bash
uname -r
```

- Consider live patching for environments where reboots are disruptive. kpatch (Red Hat), Canonical Livepatch (Ubuntu) and SUSE Linux Enterprise Live Patching can apply kernel fixes to a running system. Live patches cover selected fixes only and bridge the gap until the next reboot; they do not replace installing the new kernel package.
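The verification step above is easy to get wrong on a host with several kernels installed, so here is the check as a POSIX sh script. It is an added example, not code from the CISA advisory or from any distribution: it lists the kernel packages installed through dpkg (Debian/Ubuntu) or rpm (RHEL/Fedora/Amazon Linux), picks the newest, and reports whether the running kernel is older than it, which means a reboot is still pending. The function names, the `--check` flag and the version strings used in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example: confirm that the patched kernel is the one actually running.
# Not from the CISA advisory or any distribution; the package queries below
# assume dpkg (Debian/Ubuntu) or rpm (RHEL/Fedora/Amazon Linux) naming.

# newest_version VERSION... : print the highest of the given kernel versions.
# sort -V orders 6.8.0-41 after 6.8.0-9, which a plain string sort would not.
newest_version() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# kernel_needs_reboot RUNNING NEWEST : succeed (exit 0) when NEWEST is newer
# than RUNNING, i.e. a kernel update is installed but has not been booted.
kernel_needs_reboot() {
    [ "$1" != "$2" ] && [ "$(newest_version "$1" "$2")" = "$2" ]
}

# installed_kernel_versions : one "uname -r"-style version per installed kernel.
installed_kernel_versions() {
    if command -v dpkg-query >/dev/null 2>&1; then
        # linux-image-6.8.0-41-generic -> 6.8.0-41-generic (fully installed packages only)
        dpkg-query -W -f '${Package} ${Status}\n' 'linux-image-[0-9]*' 2>/dev/null \
            | awk '$NF == "installed" { sub(/^linux-image-/, "", $1); print $1 }'
    elif command -v rpm >/dev/null 2>&1; then
        # kernel-core (RHEL 8+/Fedora) or kernel (RHEL 7/Amazon Linux 2): version-release.arch
        # matches uname -r, e.g. 5.14.0-427.20.1.el9_4.x86_64. SUSE's kernel-default adds a
        # flavor suffix (-default) to uname -r, so use zypper ps -s there instead.
        rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel-core kernel 2>/dev/null \
            | grep -v 'not installed'
    fi
}

main() {
    running=$(uname -r)
    newest=$(newest_version $(installed_kernel_versions))
    if [ -z "$newest" ]; then
        echo "no dpkg or rpm kernel packages found; check manually" >&2
        return 2
    fi
    echo "running kernel:   $running"
    echo "newest installed: $newest"
    if kernel_needs_reboot "$running" "$newest"; then
        echo "REBOOT REQUIRED: $newest is installed but $running is still running"
        return 1
    fi
    echo "OK: the newest installed kernel is running"
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it as `sh kernel-reboot-check.sh --check` after `apt`/`dnf` finish; a non-zero exit means the fix is on disk but not in memory, which is the state a kernel privilege escalation still exploits. The version comparison relies on GNU `sort -V`, so Debian's `6.1.0-18-amd64` and RHEL's `el9_4` release strings compare correctly within one distribution, but the script is not meant to compare versions across distributions.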
Detection and Monitoring
- Monitor for unusual privilege escalation attempts via auditd or endpoint detection solutions.
- Alert on unexpected `setuid`/`setgid` transitions: new set-user-ID binaries appearing on the filesystem, or processes whose effective UID becomes 0 without passing through sudo, su or another expected setuid program. Alert likewise on unusual access patterns to the `/proc` filesystem.
- Review logs for unexpected root-level process execution by non-root user accounts.
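The three checks above in concrete form, added here as an example rather than taken from the advisory: an auditd rule set that records every `execve` completing with effective UID 0 on behalf of a logged-in user, and an awk filter over `ausearch --raw` output that reports root-level executions in a login session that never went through an allowlisted setuid binary such as sudo or su. The rule keys, the allowlist, the `--rules`/`--demo`/`--scan` flags and the records in `SAMPLE_AUDIT_LOG` are constructed for this example; none of it is real telemetry.

```shell
#!/bin/sh
# Added example (not from the CISA advisory): audit rules plus a triage filter for
# root-level execution by non-root login accounts. Keys, allowlist and sample
# records are assumptions of this example.

# audit_rules : rule lines for /etc/audit/rules.d/, loaded with augenrules --load.
# auid>=1000 restricts to real login users; auid 4294967295 is "unset" (daemons, boot).
audit_rules() {
    cat <<'EOF'
## every execve that completes with euid 0 on behalf of a logged-in user
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_exec
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_exec
## direct credential changes by a logged-in user (noisy, but records the transition itself)
-a always,exit -F arch=b64 -S setuid,setreuid,setresuid -F auid>=1000 -F auid!=4294967295 -k privesc
EOF
}

# Setuid-root binaries that legitimately take a login user to euid 0.
ALLOWED_SETUID="/usr/bin/sudo /usr/bin/su /usr/bin/passwd"

# flag_root_escalations : read raw SYSCALL records on stdin (ausearch --raw or
# audit.log) and print euid=0 executions whose login session (ses) never went
# through an allowlisted binary. Commands run under sudo follow the sudo record
# in the same session and are suppressed; a kernel LPE that commits root
# credentials in-kernel and then spawns a shell has no such preceding record.
flag_root_escalations() {
    awk -v allow="$ALLOWED_SETUID" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
    $1 != "type=SYSCALL" { next }
    {
        split("", f)                        # fields of this record, key -> value
        for (i = 2; i <= NF; i++) {
            p = index($i, "=")
            if (p == 0) continue
            k = substr($i, 1, p - 1); v = substr($i, p + 1)
            gsub(/"/, "", v)
            f[k] = v
        }
        if (f["auid"] == "" || f["auid"] == "4294967295" || f["auid"] + 0 < 1000) next
        if (f["euid"] != "0") next
        if (f["exe"] in allowed) { elevated[f["ses"]] = f["exe"]; next }   # expected route to root
        if (f["ses"] in elevated) next      # later root activity in a session that used sudo/su
        printf "SUSPECT ses=%s auid=%s pid=%s exe=%s key=%s\n", f["ses"], f["auid"], f["pid"], f["exe"], f["key"]
    }'
}

# Constructed sample records (not real telemetry): a sudo session (ses=7), a root
# shell appearing in a session that never ran sudo (ses=9), and a daemon with auid unset.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=USER_LOGIN msg=audit(1778760000.000:2000): pid=3000 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=success'
type=SYSCALL msg=audit(1778760001.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3101 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=0 tty=pts0 ses=7 comm="sudo" exe="/usr/bin/sudo" key="root_exec"
type=SYSCALL msg=audit(1778760001.155:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=3101 pid=3102 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="dnf" exe="/usr/bin/dnf" key="root_exec"
type=SYSCALL msg=audit(1778760042.412:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=4201 pid=4202 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=9 comm="sh" exe="/usr/bin/sh" key="root_exec"
type=SYSCALL msg=audit(1778760050.000:2005): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="root_exec"
EOF
)

case "${1:-}" in
    --rules) audit_rules ;;                                        # print rules for augenrules
    --demo)  printf '%s\n' "$SAMPLE_AUDIT_LOG" | flag_root_escalations ;;
    --scan)  flag_root_escalations ;;                              # ausearch -k root_exec --raw | sh detect.sh --scan
esac
```

`sh detect.sh --demo` prints only the session-9 shell (`exe=/usr/bin/sh`, `auid=1001`), because the `dnf` run in session 7 follows a sudo record and the cron daemon has no login UID. The per-session suppression is a deliberate trade-off: it keeps ordinary administration quiet, but a session that used sudo once earlier would also hide a later exploit, so on hosts where sudo is routine, correlate on `ppid` against the sudo record instead of on `ses` alone.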
Federal Agencies: Binding Operational Directive 22-01
Under BOD 22-01, U.S. federal civilian executive branch (FCEB) agencies are required to remediate all KEV-listed vulnerabilities by the CISA-specified deadline. While this directive applies specifically to federal agencies, CISA strongly urges all organizations — including state and local government, critical infrastructure operators, and private sector entities — to treat KEV entries as high-priority remediation targets.