CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV

By Ravie Lakshmanan | May 03, 2026 | Vulnerability / Container Security


What’s new: CISA has added CVE-2026-31431, a critical local privilege escalation vulnerability affecting various Linux distributions, to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The flaw, with a CVSS score of 7.8, allows unprivileged local users to gain root access by corrupting the kernel’s in-memory page cache. Fixes are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.

Who’s affected

Linux distributions shipped since 2017 are impacted by this vulnerability, which poses a significant risk in cloud and containerized environments. The flaw can be exploited by any unprivileged user on a vulnerable system, making it critical for organizations using affected Linux versions.

What to do

  • Apply available patches for Linux kernel versions 6.18.22, 6.19.12, and 7.0 by May 15, 2026.
  • If immediate patching is not possible, disable the affected feature, implement network isolation, and apply access controls to mitigate risks.
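A triage helper for the patching step above, added here as an example and not taken from the article or from CISA: it classifies `uname -r` strings against the fixed releases the article names. The status labels, hostnames and sample inventory are constructed, and it assumes releases after 7.0 carry the fix; branches the article does not list are sent to the vendor advisory because distributions backport fixes without changing the upstream version number.

```python
import platform
import re

# Fixed upstream releases named in the article, keyed by (major, minor) branch.
FIXED_PATCH = {(6, 18): 22, (6, 19): 12, (7, 0): 0}
RELEASE_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?")

def classify(release):
    """Map a `uname -r` string to a triage status (labels are this example's own)."""
    m = RELEASE_RE.match(release)
    if not m:
        return "unparsed"
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    if m.group(4):
        # Release candidates predate the final release; do not assume the fix.
        return "check-vendor"
    if branch in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[branch] else "needs-update"
    if branch > (7, 0):
        # Assumption: releases after 7.0 carry the fix forward.
        return "fixed"
    # Older branches: the article lists no fixed version, and distributions
    # backport fixes without changing the upstream number.
    return "check-vendor"

def triage(inventory):
    """Group hosts by status so the needs-update set can be patched first."""
    groups = {}
    for host, release in sorted(inventory.items()):
        groups.setdefault(classify(release), []).append(host)
    return groups

# Constructed sample inventory (hostnames and releases are made up).
SAMPLE = {
    "build-01": "6.18.21-200.fc43.x86_64",
    "web-02": "6.18.22-arch1-1",
    "k8s-node-3": "6.19.3-generic",
    "db-01": "5.15.0-113-generic",
    "lab-07": "7.0.0-rc4",
}

if __name__ == "__main__":
    print("local:", platform.release(), classify(platform.release()))
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```

Hosts reported as `check-vendor` need the distribution's own advisory for CVE-2026-31431, since the version string alone cannot confirm a backported fix.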
