Executive Summary
CISA added CVE-2026-31431 to KEV on 2026-05-01 with a due date of 2026-05-15 CISA KEV opens in a new tab. CISA describes it as a Linux kernel incorrect resource transfer vulnerability that can allow privilege escalation CISA KEV opens in a new tab.
Theori's Copy Fail research explains the root cause in the Linux crypto subsystem: an AF_ALG AEAD in-place optimization could place page-cache pages into a writable scatterlist, enabling an unprivileged write primitive against read-only file mappings under the right conditions Theori opens in a new tab. The upstream fix is commit a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5, which removes the in-place behavior in algif_aead Linux commit opens in a new tab.