CVE-2026-31431 in Linux Kernel: Actively Exploited Privilege Escalation Vulnerability Added to CISA KEV

📅 May 04, 2026 🔴 Exploit Risk: 0.216 📊 Intelligence Score: 68/100 📰 3 sources synthesized

TL;DR — Read this first

CVE-2026-31431 is a local privilege escalation (LPE) vulnerability in the Linux Kernel, allowing an attacker with initial access to gain root privileges.
CONFIRMED active exploitation in the wild. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on 2026-05-01.
Immediate investigation and patching are required for all affected Linux-based systems, including downstream products like QNAP NAS devices.

Intelligence Metadata

First Reported Bythehackernews.com

Outbreak Velocity1204 minutes spread to 2 unique domains

Consensus3 sources across 2 unique domains

CVSS ScoreNot available

EPSS Score0.03976 (73.5th percentile)

CISA KEV StatusConfirmed

Exploit Risk Score0.2159

Race LabelZERO-DAY RACE

Technical Analysis

CVE-2026-31431 is a local privilege escalation vulnerability within the Linux Kernel. The specific component and nature of the flaw are not detailed in the available intelligence. The attack chain requires a threat actor to have already established an initial foothold on a target system with low-level user privileges. From this position, the actor can exploit the vulnerability to elevate their access to the root user.

This grants the attacker complete control over the compromised system, enabling them to disable security controls, exfiltrate data, deploy persistent backdoors, or use the system as a pivot point for lateral movement within the network. Reporting from HKCERT specifically identifies QNAP Network Attached Storage (NAS) devices as affected, indicating that the kernel vulnerability is being exploited in embedded Linux environments.

Affected Systems

Vendor: Linux

Affected Versions:

Linux Kernel (versions unspecified)
QNAP NAS devices (models and versions unspecified)

Exposure: Requires local access. An attacker must first gain initial access to the system via another vector.

Blast Radius: High. The Linux Kernel is foundational to a vast number of servers, workstations, IoT devices, and network appliances. The confirmed impact on QNAP NAS devices highlights the risk to embedded systems that may not receive timely patches.

Intelligence Context

The primary driver for immediate action on CVE-2026-31431 is its CONFIRMED status in the CISA KEV catalog. While the CVSS score is not yet assigned and the EPSS score of 0.03976 suggests a low probability of exploitation in the next 30 days, the KEV listing provides definitive evidence that active exploitation is occurring now. This real-world threat intelligence supersedes theoretical risk scores. The 'ZERO-DAY RACE' label indicates that exploitation began almost immediately upon public disclosure, giving defenders a minimal window to react. Organizations must prioritize this vulnerability for remediation based on the certainty of active exploitation, not on its quantitative scores.

Remediation & Defense

Investigate for signs of compromise immediately. Apply patches as soon as they become available from your specific Linux distribution or device vendor. Prioritize systems where unprivileged users have legitimate access.

Patch Status: Not available

Patch Version: Refer to vendor advisories from Linux distributions and downstream product manufacturers like QNAP.

Workarounds:

Restrict shell access for unprivileged users on multi-user systems.
Apply access controls to limit the attack surface for initial ingress.

Detection Hints:

Monitor for anomalous processes running with root privileges (UID 0) that were initiated by non-root user sessions.
Audit shell command history for suspicious commands executed by low-privilege users preceding a privilege escalation event.

Source Timeline

thehackernews.com — First reporter
cisa.gov — Official KEV confirmation
hkcert.org — Technical confirmation

CVE-2026-31431 linux qnap lpe kev exploit_wild