CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-31431, a critical Linux kernel privilege escalation vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which affects multiple Linux distributions including Ubuntu, Debian, and Red Hat Enterprise Linux, allows authenticated local attackers to gain root access on vulnerable systems. CISA has issued a binding operational directive requiring Federal Civilian Executive Branch agencies to remediate the vulnerability by the agency-specified deadline.
Security researchers have confirmed active exploitation of this vulnerability in real-world attacks, with threat actors leveraging the flaw to escalate privileges on compromised Linux servers and cloud infrastructure. The vulnerability resides in a specific component of the Linux kernel's networking subsystem, enabling attackers to execute arbitrary code with kernel-level privileges. Organizations running unpatched Linux systems are at immediate risk of complete system compromise.
This addition to the KEV catalog underscores the persistent threat posed by unpatched Linux vulnerabilities in enterprise environments. Security teams should immediately audit their Linux deployments, apply available patches, and implement mitigation measures. CISA's inclusion of this vulnerability in the KEV catalog indicates confirmed evidence of exploitation and serves as a critical alert for organizations to prioritize remediation efforts.
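As an added example (not from CISA or from the original article), the audit described above can start by joining open vulnerability-scanner findings against the KEV JSON feed and ordering them by remediation due date. The field names `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate` follow the feed's schema. The feed excerpt, its dates, the host names and the `kev_worklist` helper are constructed for illustration.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The dates are
# placeholders, not the real catalog values for this CVE.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-31431", "vendorProject": "Linux", "product": "Kernel",
   "dateAdded": "2026-01-01", "dueDate": "2026-01-22"}
]}
""")

# Constructed scanner findings: (host, CVE id as reported, already remediated?)
FINDINGS = [
    ("web-01", "CVE-2026-31431", False),
    ("web-02", "CVE-2026-31431", True),     # patched, must not be listed
    ("db-01", "CVE-0000-00001", False),     # placeholder id, not in KEV
    ("build-01", "cve-2026-31431 ", False), # scanners vary in case/whitespace
]


def kev_worklist(feed, findings, today):
    """Return unremediated findings that match a KEV entry, most urgent first."""
    kev = {v["cveID"].upper(): v for v in feed["vulnerabilities"]}
    work = []
    for host, cve, fixed in findings:
        entry = kev.get(cve.strip().upper())
        if entry is None or fixed:
            continue
        due = date.fromisoformat(entry["dueDate"])
        work.append({
            "host": host,
            "cve": entry["cveID"],
            "due": due,
            "days_left": (due - today).days,  # negative once past the deadline
            "overdue": today > due,
        })
    # Earliest deadline first, then host name for a stable order.
    return sorted(work, key=lambda w: (w["due"], w["host"]))


if __name__ == "__main__":
    for item in kev_worklist(KEV_FEED, FINDINGS, date(2026, 1, 25)):
        state = "OVERDUE" if item["overdue"] else "open"
        print(f'{item["host"]:10} {item["cve"]} due {item["due"]} '
              f'({item["days_left"]:+d} days) {state}')
```
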