CVE-2026-31431

Linux Kernel Incorrect Resource Transfer Between Spheres (CVE-2026-31431)

CVE-2026-31431 is a Linux Kernel vulnerability classified as CWE-669 (Incorrect Resource Transfer Between Spheres). The flaw allows resources to be transferred improperly across a security boundary inside the kernel, potentially enabling privilege escalation or unauthorized memory access. The vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, which indicates that exploitation has been observed in the wild. An attacker with local access may exploit it to escalate privileges to root or to escape container boundaries.

Vulnerability Intelligence

KEV — Known Exploited

What is CVE-2026-31431 (Linux Kernel Incorrect Resource Transfer Between Spheres)?

CVE-2026-31431 (Linux Kernel Incorrect Resource Transfer Between Spheres) maps to the MITRE ATT&CK Privilege Escalation, Defense Evasion and Persistence tactics; the primary adversary goal is to gain higher-level permissions on the affected host.

This page provides production-ready detection logic for CVE-2026-31431, covering the data sources and telemetry it touches: Syslog, SecurityEvent and CommonSecurityLog. The queries are rated critical severity at medium confidence and ship for seven SIEM query languages (KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale); the KQL version is shown below.

MITRE ATT&CK

Tactic: Privilege Escalation, Defense Evasion, Persistence
Microsoft Sentinel / Defender
kusto
union SecurityEvent, Syslog
| where TimeGenerated > ago(7d)
// Windows branch: only 4688 (process creation) carries CommandLine; 4689 (process exit) does not,
// so it can never match this clause and is left out. The keyword match is a coarse heuristic.
| where (EventID == 4688 and CommandLine has_any ("exploit", "privesc", "lpe"))
    // Linux branch: kernel-facility messages indicating copy faults, a kernel oops or memory corruption
    or (Facility =~ "kern" and SyslogMessage has_any ("copy_to_user", "copy_from_user", "__copy_overflow", "kernel memory", "BUG:", "general protection fault", "use-after-free"))
// Account is populated only for SecurityEvent rows; Syslog rows carry no account column
| extend HostCustomEntity = Computer, AccountCustomEntity = Account
| project TimeGenerated, Computer, Account, EventID, CommandLine, SyslogMessage, _ResourceId
| order by TimeGenerated desc

Detects kernel messages and process events indicative of CVE-2026-31431 exploitation, specifically kernel copy faults, memory-boundary violations and privilege-escalation attempts, on Linux hosts reporting to Microsoft Sentinel via Syslog or the Azure Monitor Agent (AMA). The Windows branch only fires on command lines containing obvious keywords and is unlikely to catch a real exploit; treat the Linux kernel-message branch as the primary signal.

Critical severity, medium confidence

Data Sources

Syslog, SecurityEvent, CommonSecurityLog

Required Tables

Syslog, SecurityEvent

False Positives

  • Legitimate kernel debugging sessions generating BUG or fault messages during development
  • Stress testing or fuzzing tools running in CI/CD environments producing kernel error messages
  • Automated patch verification scripts that trigger controlled kernel error conditions
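To make the Linux branch of the query above testable offline, the following is an added Python example (not part of the original page and not any vendor's code). It applies the same kernel-facility indicator list to constructed RFC 3164 syslog lines and adds the host-based suppression that the false-positive list calls for. The host names, the suppression set and the log lines are all constructed for the demonstration.

```python
"""Offline re-implementation of the Linux (Syslog) branch of the Sentinel query above.

Added example: the indicator list mirrors the KQL has_any() clause; the host names,
suppression list and log lines are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# Indicators copied from the SyslogMessage has_any() clause; KQL has_any is case-insensitive.
KERNEL_INDICATORS = (
    "copy_to_user", "copy_from_user", "__copy_overflow", "kernel memory",
    "BUG:", "general protection fault", "use-after-free",
)

# Assumed tuning list (a Sentinel watchlist in production): hosts where kernel faults are
# expected, i.e. the fuzzing / CI / patch-verification runners from the False Positives list.
SUPPRESSED_HOSTS = frozenset({"ci-fuzz-01", "kdev-lab"})

# RFC 3164 line: <PRI>timestamp host message, where PRI = facility * 8 + severity.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
KERN_FACILITY = 0


@dataclass(frozen=True)
class Alert:
    host: str
    timestamp: str
    indicator: str
    message: str


def match_indicator(message: str):
    """Return the first indicator contained in the message (case-insensitive), else None."""
    lowered = message.lower()
    for indicator in KERNEL_INDICATORS:
        if indicator.lower() in lowered:
            return indicator
    return None


def detect(lines, suppressed=SUPPRESSED_HOSTS):
    """Apply the Facility =~ "kern" and has_any(...) logic to raw syslog lines."""
    alerts = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m is None:
            continue                                   # not a parseable syslog line
        if int(m["pri"]) // 8 != KERN_FACILITY:
            continue                                   # equivalent of Facility =~ "kern"
        indicator = match_indicator(m["msg"])
        if indicator is None:
            continue
        if m["host"] in suppressed:
            continue                                   # known-noisy host, see False Positives
        alerts.append(Alert(m["host"], m["ts"], indicator, m["msg"]))
    return alerts


# Constructed sample lines: two hits on a production host, one hit on a suppressed fuzzing host,
# one non-kernel facility (auth, PRI 38), one benign kernel message and one non-syslog line.
SAMPLE_LINES = [
    "<2>Apr 12 10:15:01 web-prod-03 kernel: BUG: unable to handle kernel paging request at ffff888012345000",
    "<1>Apr 12 10:15:02 web-prod-03 kernel: general protection fault, probably for non-canonical address 0xdead000000000100",
    "<3>Apr 12 10:15:03 ci-fuzz-01 kernel: BUG: KASAN: use-after-free in copy_from_user+0x1c/0x30",
    "<38>Apr 12 10:16:00 web-prod-03 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "<6>Apr 12 10:17:00 web-prod-03 kernel: eth0: link up, 10Gbps full-duplex",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(f"{alert.timestamp} {alert.host} [{alert.indicator}] {alert.message}")
```

Running the script yields the two web-prod-03 alerts; passing an empty suppression set to detect() also surfaces the KASAN use-after-free line from the fuzzing host, which is the behaviour the False Positives list is meant to tune out. Because the match is a plain substring test, a single noisy driver can generate thousands of hits; in production the suppression set should be a maintained watchlist rather than a constant.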

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-31431 (Linux Kernel Incorrect Resource Transfer Between Spheres) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic ships as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, the Linux kernel-message branch of this detection targets the following logsource (the Windows 4688 branch would map separately to product: windows, category: process_creation):

logsource:
  product: linux
  service: syslog

Testing Methodology

Validate this detection against the three adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate a kernel copy-boundary fault via a /proc/kcore read attempt

    Expected signal: audit log SYSCALL record for open/openat or read on /proc/kcore by a non-root UID, returning -EACCES (success=no exit=-13). A dmesg entry is possible but not guaranteed: a plain permission denial on /proc/kcore is handled in the VFS and normally produces no kernel message, so the audit record is the reliable signal and the kernel message, if present, is a bonus.

  2. Test 2: Privilege escalation simulation via SUID binary abuse on an unpatched kernel

    Expected signal: audit log SYSCALL record showing execve of test_suid with uid!=0 but euid=0; EDR process event showing the SUID execution; possible AppArmor/SELinux denial log if MAC policy is enforced.

  3. Test 3: Container escape boundary test via a /proc/sysrq-trigger probe

    Expected signal: host kernel log entries showing container namespace probe attempts; Docker daemon log entries for the test container; audit log entries showing file access attempts to /dev/mem or /proc/1/ from the container process.
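The expected signals above are described as audit-record shapes. The added Python example below (not code from this page, from Atomic Red Team or from any vendor) parses auditd SYSCALL and PATH records, groups them by event serial, and flags the two shapes the tests describe: an execve that ends with uid!=0 but euid=0 (Test 2) and any open/openat of /proc/kcore, /dev/mem or /proc/sysrq-trigger, successful or not (Tests 1 and 3). The syscall numbers assume x86_64 (arch=c000003e) records, and the records themselves are constructed.

```python
"""Flag the audit-record shapes the three tests above are expected to produce.

Added example, not the page's own code. Assumes x86_64 auditd records; sample records
are constructed.
"""
import re
from collections import defaultdict

# x86_64 syscall numbers (assumption: arch=c000003e; other architectures use different numbers).
SYS_OPEN, SYS_EXECVE, SYS_OPENAT = 2, 59, 257
OPEN_CALLS = {SYS_OPEN, SYS_OPENAT}

# Kernel-memory and host-control interfaces named in the tests above.
SENSITIVE_PATHS = {"/proc/kcore", "/dev/mem", "/proc/sysrq-trigger"}

AUDIT_ID_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one auditd line into a dict of key=value pairs; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = AUDIT_ID_RE.search(line)
    if m:
        rec["serial"] = int(m["serial"])
        rec["ts"] = float(m["ts"])
    return rec


def group_events(lines):
    """auditd emits one event as several records (SYSCALL, PATH, ...) sharing a serial number."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if "serial" in rec:
            events[rec["serial"]].append(rec)
    return events


def analyze(lines):
    """Return (serial, rule, detail) findings for the expected signals of Tests 1 to 3."""
    findings = []
    for serial, recs in sorted(group_events(lines).items()):
        sysc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sysc is None:
            continue
        nr = int(sysc.get("syscall", -1))
        uid, euid = int(sysc.get("uid", -1)), int(sysc.get("euid", -1))
        paths = {r["name"] for r in recs if r.get("type") == "PATH" and "name" in r}
        # Test 2 signal: execve that ends with euid=0 while the real uid is not root (setuid transition).
        if nr == SYS_EXECVE and uid != 0 and euid == 0:
            findings.append((serial, "suid_exec", f"uid={uid} euid={euid} exe={sysc.get('exe')}"))
        # Test 1 / Test 3 signal: open of a kernel-memory interface; denied attempts count too.
        hit = paths & SENSITIVE_PATHS
        if nr in OPEN_CALLS and hit:
            findings.append((serial, "kernel_memory_access",
                             f"uid={uid} path={sorted(hit)[0]} success={sysc.get('success')} exit={sysc.get('exit')}"))
    return findings


# Constructed records: denied /proc/kcore read (101), SUID execve (102), benign open (103),
# /dev/mem probe by a uid 0 process such as a container's root (104).
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1712915701.123:101): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c items=1 ppid=2001 pid=2042 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 comm="cat" exe="/usr/bin/cat" key="kcore_read"',
    'type=PATH msg=audit(1712915701.123:101): item=0 name="/proc/kcore" inode=4026532 dev=00:16 mode=0100400 ouid=0 ogid=0',
    'type=SYSCALL msg=audit(1712915705.456:102): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2001 pid=2050 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 comm="test_suid" exe="/tmp/test_suid" key="suid_exec"',
    'type=PATH msg=audit(1712915705.456:102): item=0 name="/tmp/test_suid" inode=131 dev=08:01 mode=0104755 ouid=0 ogid=0',
    'type=SYSCALL msg=audit(1712915710.789:103): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2001 pid=2060 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 comm="cat" exe="/usr/bin/cat" key="misc"',
    'type=PATH msg=audit(1712915710.789:103): item=0 name="/etc/hostname" inode=77 dev=08:01 mode=0100644 ouid=0 ogid=0',
    'type=SYSCALL msg=audit(1712915720.001:104): arch=c000003e syscall=257 success=no exit=-1 items=1 ppid=1 pid=2077 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 comm="dd" exe="/usr/bin/dd" key="container_probe"',
    'type=PATH msg=audit(1712915720.001:104): item=0 name="/dev/mem" inode=5 dev=00:06 mode=020640 ouid=0 ogid=15',
]

if __name__ == "__main__":
    for serial, rule, detail in analyze(SAMPLE_RECORDS):
        print(f"audit serial {serial}: {rule} ({detail})")
```

Note that a SYSCALL record alone cannot tell a container's root process from the host's: without user namespaces the container's uid 0 is the host's uid 0, so event 104 is flagged on the path, not on the uid. To attribute a hit to a container, join the pid against the process's cgroup path or the Docker daemon log mentioned in Test 3.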
