โ† Back to Cyber Intelligence News
Live Threat Intelligence API โ€” Query this CVE and all KEV alerts in real-time
cyber.mcp.brunosan.de
Cyber Threat Intelligence VULNERABILITY 🔴 1×KEV

CVE-2026-31431 in Linux Kernel: Actively Exploited Zero-Day Added to CISA KEV

📅 May 07, 2026 🔴 Exploit Risk: 0.205 📊 Intelligence Score: 51/100 📰 3 sources synthesized
Intelligence Metadata

First Reported By: unit42.paloaltonetworks.com
Outbreak Velocity: 1170 minutes to 3 unique domains
Consensus: 3 sources across 3 unique domains
CVSS Score: Not available
EPSS Score: 0.01228 (1.23rd percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.2049
Race Label: ZERO-DAY RACE

Technical Analysis

CVE-2026-31431, designated 'Copy Fail', is a vulnerability within the Linux Kernel. While specific technical details of the exploit chain are not available in the provided intelligence, the name suggests a flaw in a memory copy operation, potentially leading to a buffer overflow or memory corruption. Such vulnerabilities in the kernel are typically leveraged for Local Privilege Escalation (LPE), allowing an attacker with initial low-privilege access to gain root-level permissions on the affected host.

The inclusion in the CISA KEV catalog confirms active exploitation, indicating that a functional exploit exists and is being used by threat actors. The lack of a public CVSS score combined with its KEV status is a strong indicator of a zero-day vulnerability that was exploited before a formal public disclosure and analysis could be completed.

Affected Systems

Vendor: Linux
Affected Versions:
  • Debian Linux Kernel (specific versions not provided)
Exposure: Requires local access. This is primarily a Local Privilege Escalation (LPE) vulnerability, used by an attacker after gaining an initial foothold on a system.
Blast Radius: High. Debian is a widely used Linux distribution for servers and workstations. Other Linux distributions may also be affected, but this is not yet confirmed.

Intelligence Context

The threat profile for CVE-2026-31431 is driven entirely by its CONFIRMED exploitation status. Its addition to the CISA KEV catalog on 2026-05-01 is the single most important data point for prioritization. The EPSS score of 1.23% is currently low, which is typical for newly disclosed zero-days before widespread scanning and exploitation tooling becomes public. Defenders must ignore the low EPSS and absent CVSS score; the KEV listing is a direct mandate for immediate action. The 'ZERO-DAY RACE' label accurately reflects the situation where defenders are patching against an active, ongoing threat.

Remediation & Defense

Patch immediately. This vulnerability meets the criteria for emergency patching procedures due to active exploitation.
Patch Status: Available
Patch Version: Refer to official Debian Security Advisories (DSA) for patched kernel versions.
Workarounds:
  • Not available. Patching is the only specified mitigation.
Detection Hints:
  • Monitor for anomalous system calls or kernel log messages (dmesg) related to memory errors.
  • Monitor for unexpected processes running with root/SYSTEM privileges, especially those spawned from low-privilege user accounts.
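
One way to implement the second detection hint, as an added example (not code from the original article or from any vendor): it reads `/proc/<pid>/status` and flags processes with effective UID 0 whose parent is a non-root process. The allowlist of setuid helpers and the sample process table are assumptions constructed for illustration; the check is generic to local privilege escalation and not specific to CVE-2026-31431.

```python
import os

# Assumption: setuid helpers expected to become root under a user's shell (tune per host).
ALLOWED = {"sudo", "su", "pkexec", "passwd", "mount", "umount"}

def parse_status(text):
    """Pull name, parent PID and real/effective UID out of /proc/<pid>/status."""
    f = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    uids = f["Uid"].split()  # real, effective, saved, filesystem
    return {"name": f["Name"].strip(), "ppid": int(f["PPid"]),
            "ruid": int(uids[0]), "euid": int(uids[1])}

def snapshot(root="/proc"):
    """Read all live processes; ones that exit mid-scan are skipped."""
    table = {}
    for entry in filter(str.isdigit, os.listdir(root)):
        try:
            with open(os.path.join(root, entry, "status")) as fh:
                table[int(entry)] = parse_status(fh.read())
        except (OSError, KeyError, ValueError):
            continue
    return table

def suspicious_root(table, allowed=ALLOWED):
    """Root processes whose parent is non-root and that are not allowlisted."""
    hits = []
    for pid, p in sorted(table.items()):
        parent = table.get(p["ppid"])
        if (p["euid"] == 0 and parent is not None and parent["euid"] != 0
                and p["name"] not in allowed):
            hits.append((pid, p["name"], p["ppid"], parent["name"], parent["euid"]))
    return hits

def row(name, ppid, ruid, euid):
    return {"name": name, "ppid": ppid, "ruid": ruid, "euid": euid}

# Constructed sample process table (not real telemetry).
SAMPLE = {
    1: row("systemd", 0, 0, 0),
    800: row("sshd", 1, 0, 0),
    900: row("bash", 800, 1000, 1000),  # user login shell
    950: row("sudo", 900, 0, 0),        # allowlisted escalation path
    960: row("apt", 950, 0, 0),         # root child of a root parent
    970: row("worker", 900, 0, 0),      # root directly under a uid-1000 shell
}

if __name__ == "__main__":
    for hit in suspicious_root(snapshot()):
        print("root under non-root parent: pid=%d comm=%s ppid=%d parent=%s parent_uid=%d" % hit)
```

A point-in-time `/proc` scan misses short-lived processes, and process names can be spoofed, so treat hits as leads to confirm against the executable path and exec audit logs.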


CVE-2026-31431 Linux Debian Kernel KEV Zero-Day LPE