CISA adds Linux CVE-2026-31431 to KEV
- CISA on May 1 added Linux kernel flaw CVE-2026-31431 to its Known Exploited Vulnerabilities catalog after citing evidence of active exploitation. (cisa.gov)
- The KEV entry names CVE-2026-31431 as an incorrect resource transfer vulnerability in Linux; CISA says federal agencies must remediate KEV flaws by deadline. (cisa.gov)
- CISA’s public KEV catalog lists later additions including Oracle WebLogic CVE-2024-21182 and PAN-OS CVE-2026-0257. (cisa.gov)

CISA’s decision to add Linux kernel flaw CVE-2026-31431 to its Known Exploited Vulnerabilities catalog put a local privilege-escalation bug into the U.S. government’s highest-priority remediation list for actively exploited software flaws. CISA said in a May 1 alert that it added the Linux issue to the catalog “based on evidence of active exploitation,” and described it as an incorrect resource transfer between spheres vulnerability in the Linux kernel. (cisa.gov)

The KEV catalog is the agency’s running list of vulnerabilities it says are being exploited in the wild, and CISA says organizations should use it to prioritize patching. (cisa.gov)

### Why did this Linux bug draw attention again this week?

June 2 posts from threat-intelligence accounts drew fresh attention to the KEV catalog after CISA’s latest updates included other enterprise software flaws, including Oracle WebLogic CVE-2024-21182 and Palo Alto Networks PAN-OS CVE-2026-0257. Those posts referenced the Linux kernel flaw alongside the newer KEV movements, but CISA’s own alert shows CVE-2026-31431 was added earlier, on May 1.

CISA’s public KEV page shows the catalog is updated continuously rather than in a single monthly release. The agency says it maintains the list as the “authoritative source” of vulnerabilities known to be exploited in the wild. (cisa.gov)

### What exactly is CVE-2026-31431?

CISA identified CVE-2026-31431 as a Linux kernel “Incorrect Resource Transfer Between Spheres” vulnerability. In practical terms, the KEV listing places it in the category of flaws that can be used for privilege escalation on affected systems, which is why it is treated as urgent for remediation once exploitation is confirmed.

The agency’s May 1 alert did not publish exploit details in the notice itself. (cisa.gov) CISA’s KEV process, however, is tied to evidence of real-world exploitation, not just vendor disclosure or proof-of-concept availability. (cisa.gov)

### Which other flaws are now in the same KEV cluster?

CISA on June 1 added Oracle WebLogic Server flaw CVE-2024-21182 to the KEV catalog, describing it as an unspecified vulnerability in WebLogic Server. Oracle’s own security-advisory mapping page says customers should apply the latest security update for protection against known vulnerabilities. (cisa.gov)

CISA on May 29 added Palo Alto Networks PAN-OS flaw CVE-2026-0257, which Palo Alto describes as an authentication-bypass issue in GlobalProtect portal and gateway components. Palo Alto said the issue can allow an attacker to establish an unauthorized VPN connection, and said it had become aware of limited exploit attempts on unpatched devices without mitigations applied. (cisa.gov)

Microsoft’s own advisories show CVE-2026-41091 is a Microsoft Defender elevation-of-privilege vulnerability and CVE-2026-45498 is a Microsoft Defender denial-of-service vulnerability. Both advisories say customer action is required to resolve them. (cisa.gov)

### What does a KEV addition require agencies to do?

Binding Operational Directive 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV-listed vulnerabilities by the due dates CISA assigns. CISA says the directive applies to federal civilian agencies, but it also urges all organizations to prioritize KEV flaws in their vulnerability-management programs. (cisa.gov)

CISA’s catalog page says the KEV list is meant to help defenders keep pace with threat activity and should be used as an input into prioritization frameworks rather than as a complete patching program by itself. (msrc.microsoft.com)

### Where should defenders look next?

CISA’s KEV catalog page is the public record for additions, due dates and linked references for each vulnerability. Vendor advisories for Linux distributions, Microsoft Defender, Oracle WebLogic and Palo Alto PAN-OS remain the next source for product-specific patches and mitigation steps. (cisa.gov 1) (cisa.gov 2)