CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalogue on Friday, confirming that a nine-year-old Linux kernel flaw is being exploited in live attacks. The vulnerability, dubbed Copy Fail by researchers at Theori and Xint, carries a CVSS score of 7.8 and lets any local user escalate to root through a 732-byte Python script that works unchanged on every major Linux distribution, on kernels going back to 2017.
Federal agencies have until 15 May 2026 to apply patches under Binding Operational Directive 22-01. That timeline reflects CISA’s assessment that Copy Fail poses immediate risk to government systems despite being a local privilege escalation rather than a remote code execution flaw.
The Exploit Needs No Kernel Offsets or Race Conditions
Copy Fail is unusual among Linux kernel exploits because it needs no timing window, no kernel version fingerprinting and no distribution-specific offsets. According to Microsoft Defender's analysis, the flaw sits in the algif_aead module, the AF_ALG socket interface that exposes the kernel's AEAD ciphers to user space. An in-place optimization causes the source and destination scatterlists to point at the same page-cache folio, and when the kernel performs the AEAD decryption it writes 4 bytes past the end of the output buffer into that shared page.
The attacker controls those 4 bytes through the associated-data length field in the AEAD control message. Repeating the operation along a setuid binary's text section overwrites its entry point with shellcode that calls setresuid(0,0,0) and then spawns a root shell. The modified bytes exist only in the page cache: the file on disk and its metadata are unchanged, and the change vanishes once the page is evicted, so traditional file integrity tools, in particular any that rely on timestamps or that run only on a schedule, are unlikely to catch it.
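One practical consequence of a page-cache-only modification is that the cache and the disk disagree, and that disagreement can be checked directly without a baseline database. The script below is an added example, not code from the article, CISA or the researchers: it hashes a file once through a normal buffered read (served from the page cache) and once through dd with iflag=direct, which opens the file with O_DIRECT and reads the blocks from disk while leaving the cached page in place, then reports any mismatch. It assumes Linux with GNU coreutils; the function names and the directories it scans are this example's own choices.

```shell
#!/bin/sh
# Added example: detect a file whose page-cache contents differ from its on-disk
# contents, the artifact a Copy Fail overwrite leaves behind. Not the article's or
# the researchers' code. Assumes Linux with GNU coreutils (dd, sha256sum, find);
# function names are this example's own.

# SHA-256 of a file as a bare hex string; fails if sha256sum fails.
hash_file() {
    h=$(sha256sum -- "$1") || return 1
    printf '%s\n' "${h%% *}"
}

# Returns 0 if page cache and disk agree, 1 if they differ, 2 if the comparison is
# not possible (O_DIRECT unsupported on this filesystem, e.g. some tmpfs, or hashing
# failed). A normal read() is served from the page cache; dd iflag=direct opens the
# file with O_DIRECT and reads the blocks from disk without invalidating the cache.
pagecache_matches_disk() {
    f=$1
    cached=$(hash_file "$f") || return 2
    tmp=$(mktemp) || return 2
    # O_DIRECT requires aligned I/O; bs=4096 matches the page size on common systems.
    if ! dd if="$f" of="$tmp" bs=4096 iflag=direct status=none 2>/dev/null; then
        rm -f "$tmp"; return 2
    fi
    ondisk=$(hash_file "$tmp"); rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 2
    [ "$cached" = "$ondisk" ]
}

# Walk the places setuid binaries normally live and report every mismatch. The
# mismatch is the indicator: copy the cached bytes first (cat "$bin" > evidence)
# before dropping caches or rebooting, or the evidence disappears with the page.
scan_setuid_binaries() {
    find /usr /bin /sbin /opt -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r bin; do
        if pagecache_matches_disk "$bin"; then
            continue
        elif [ $? -eq 1 ]; then
            printf 'MISMATCH page cache != disk: %s\n' "$bin"
        else
            printf 'SKIPPED (O_DIRECT unavailable): %s\n' "$bin"
        fi
    done
}

case "${1:-}" in
    scan) scan_setuid_binaries ;;
esac
```

Run it as `sh copyfail_check.sh scan` on the host (inside a container it sees only the container's own binaries). Two caveats: on a filesystem that silently falls back to buffered I/O for O_DIRECT the two reads agree trivially and the check proves nothing, and a clean result only covers the moment of the scan, since the attacker can evict or overwrite the page again.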
Kaspersky’s assessment captures why this matters for enterprise environments: “Exploitation does not require the use of complex techniques such as race conditions or memory address guessing, lowering the barrier to entry for potential attackers.”
Container Environments Are the Primary Target
Microsoft Defender reports "seeing preliminary testing activity" that suggests increased threat actor exploitation in the coming days. The company's research team noted that while Copy Fail is not remotely exploitable on its own, it becomes "highly impactful when chained with initial access vectors such as secure shell access, malicious CI job execution and container footholds."
Container isolation does not help here. Docker, LXC and Kubernetes give processes inside containers access to the AF_ALG socket family by default, and the kernel is shared with the host, so if the algif_aead module is loaded on the host kernel, Copy Fail breaks out of the container and compromises the underlying host. Note also that the module need not be loaded in advance: an AF_ALG bind of type "aead" asks the kernel to autoload it if it is present on disk, so a mitigation has to block loading, not only unload.
The flaw affects millions of Kubernetes clusters and a significant portion of cloud Linux workloads, according to Microsoft's assessment. Even Windows Subsystem for Linux users are not immune: WSL2 runs a real Linux kernel that can be compromised through Copy Fail, and Microsoft has confirmed it will deliver an updated WSL2 kernel through Windows Update as part of the May 2026 Patch Tuesday.
Nordic Cloud Providers Should Act This Week
Nordic technology companies running Linux infrastructure should verify their kernel versions immediately. Major distributions including Red Hat, SUSE, Ubuntu and Amazon Linux are affected. Upstream fixes are in stable kernels 6.18.22 and 6.19.12 and in 7.0, though some distributions including Red Hat Enterprise Linux and older Ubuntu releases had not shipped patches as of 2 May. Distribution kernels carry their own version strings and backport fixes, so check the vendor advisory for the installed package rather than comparing the bare version number against the upstream releases.
If immediate patching is not possible, unload the algif_aead module and block it from being loaded again. The CISA advisory recommends this as an interim mitigation, though it is only viable where no application legitimately uses the AF_ALG AEAD interface (few do; libkcapi and the OpenSSL afalg engine are the usual consumers). Organizations should also add seccomp rules that deny AF_ALG socket creation inside containers and enforce rapid node recycling in containerized environments after any compromise indicators.
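The following shell script is an added example (not from the article, CISA or any vendor) that ties the two steps above together: a kernel version check against the upstream fix releases named above, which is meaningful only for vanilla kernels, and the interim mitigation of keeping algif_aead unloaded and unloadable plus a Docker seccomp profile that denies socket() for the AF_ALG family (domain 38). Function names, file paths and the profile name are this example's assumptions.

```shell
#!/bin/sh
# Added example for CVE-2026-31431 (Copy Fail) verification and interim mitigation.
# Not the article's, CISA's or any vendor's code. Assumes Linux, GNU coreutils and
# root for the apply step. Function names and file paths are this example's own.

# Returns 0 if an upstream stable kernel version is at or above the fix releases the
# article lists (6.18.22, 6.19.12, 7.0), 1 otherwise, including any series the article
# does not list. Distribution kernels backport fixes under their own version strings,
# so use this only for vanilla kernels and rely on the vendor advisory elsewhere.
upstream_kernel_fixed() {
    v=${1%%-*}                         # "6.18.22-arch1-1" -> "6.18.22"
    IFS=. read -r maj min patch <<EOF
$v
EOF
    patch=${patch%%[!0-9]*}            # "22+" -> "22"
    patch=${patch:-0}
    [ "${maj:-0}" -ge 7 ] && return 0
    [ "${maj:-0}" -eq 6 ] || return 1
    case $min in
        18) [ "$patch" -ge 22 ] ;;
        19) [ "$patch" -ge 12 ] ;;
        *)  return 1 ;;
    esac
}

# 0 if algif_aead is loaded as a module. With CONFIG_CRYPTO_USER_API_AEAD=y it is built
# in, never appears here, cannot be unloaded, and only seccomp or a patched kernel helps.
algif_aead_loaded() {
    grep -q '^algif_aead ' /proc/modules 2>/dev/null
}

# Writes a modprobe.d fragment. 'blacklist' stops alias-based autoload (an AF_ALG bind
# of type "aead" requests the module); 'install ... /bin/false' also defeats an
# explicit modprobe.
write_modprobe_block() {
    cat > "${1:-/etc/modprobe.d/copyfail-algif_aead.conf}" <<'EOF'
# Interim mitigation for CVE-2026-31431 (Copy Fail): keep algif_aead out of the kernel.
blacklist algif_aead
install algif_aead /bin/false
EOF
}

# Docker/containerd seccomp profile denying socket(AF_ALG, ...) with EPERM (AF_ALG == 38).
# defaultAction ALLOW keeps the example short; in production merge this rule into the
# runtime's default profile instead of replacing it.
write_docker_seccomp() {
    cat > "${1:-copyfail-seccomp.json}" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "args": [{ "index": 0, "value": 38, "op": "SCMP_CMP_EQ" }]
    }
  ]
}
EOF
}

case "${1:-}" in
    check)
        k=$(uname -r)
        if upstream_kernel_fixed "$k"; then echo "kernel $k: at or after an upstream fix release"
        else echo "kernel $k: not an upstream fix release; check the vendor advisory"; fi
        algif_aead_loaded && echo "algif_aead is loaded" || echo "algif_aead not loaded as a module"
        ;;
    apply)
        write_modprobe_block
        algif_aead_loaded && rmmod algif_aead   # fails with EBUSY while an AF_ALG aead socket is open
        write_docker_seccomp
        echo "start containers with --security-opt seccomp=copyfail-seccomp.json"
        ;;
esac
```

`sh copyfail_mitigate.sh check` is safe to run anywhere; `apply` needs root. For Kubernetes the same JSON goes in the kubelet's seccomp directory and is referenced from the pod's securityContext.seccompProfile with type Localhost. The seccomp rule only protects containers started after it is applied, and it does nothing for a process that already has an AF_ALG socket open, which is why unloading the module and recycling nodes still matter.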
The window for mitigation is narrowing. According to Kaspersky, Go and Rust versions of the original Python exploit have already appeared in public repositories, suggesting threat actors are adapting the proof-of-concept for production use.
References
- CISA Adds One Known Exploited Vulnerability to Catalog
- CVE-2026-31431 Copy Fail Vulnerability
- CISA Adds Actively Exploited Linux Root Access Bug
- Copy Fail — CVE-2026-31431 Technical Details and Proof of Concept
- CISA Known Exploited Vulnerabilities Catalog Entry