  • 0 Votes
    1 Posts
    0 Views
    advisoryics@infosec.exchange
    ICS[AP] Dashboards are updated with the 7 CISA Advisories released on 5/5/26:
    Hitachi Energy: 1 New | 1 Update
    B&R Industrial Automation: 3 New
    Johnson Controls Inc.: 1 New
    Schneider Electric: 1 Update
    www.icsadvisoryproject.com
    #icssecurity #otsecurity #vulnerabilitymanagement
  • 0 Votes
    1 Posts
    1 Views
    advisoryics@infosec.exchange
    ICSAP Analysis Report | ICSAP-AN-26-001 - Read full report at: https://drive.google.com/file/d/1v5RWBFT0cHFUDkUhM0enwh3t1PdOGVcv/view
    Reading Between the Advisories: Linux Kernel CVE-2026-31431 in the ICS Ecosystem
    CVE-2026-31431 ("Copy Fail") was added to CISA's KEV Catalog on May 1. Theori's Xint Code research team disclosed it on April 29. It's a 9-year-old logic flaw in the Linux kernel's algif_aead module that lets any unprivileged local user escalate to root using a 732-byte Python script. The same exploit works on Ubuntu, Amazon Linux, RHEL, and SUSE without modification.
    The mainstream security community has covered this well. What hasn't been written is the ICS angle.
    We reviewed both the CISA ICS Advisory dataset (3,800 advisories since 2010) and the ICS[AP] Other CERT and Vendor ICS Advisories dataset (12,468 advisories) to see which industrial control system products have documented Linux exposure to this CVE.
    Three observations:
    Only 0.8% of CISA ICS advisories have ever explicitly mentioned Linux, the kernel, or embedded Linux components. Across 3,800 advisories, only two disclose a specific kernel version, and both are end-of-life branches.
    Schneider Electric (234 CISA advisories, zero Linux mentions), Rockwell Automation (246, zero), Mitsubishi Electric (119, zero), Hitachi Energy (103, zero), and Moxa (53, zero) have published nothing about Linux in their CISA advisory text, despite shipping Linux-based product lines per their own technical documentation.
    Container escape applies. CODESYS Control containers, Advantech IoTSuite Edge dockers, Bosch Rexroth ctrlX CORE container apps, and similar containerized industrial edge platforms are subject to the container-breakout behavior identified in Microsoft Defender's published analysis.
    Asset owners cannot rely on advisory text to assess exposure. Direct vendor PSIRT engagement is the only defensible path.
    As of publication, no major ICS vendor has published a CVE-2026-31431-specific advisory.
    ICSAP-AN-26-001 is the inaugural ICSAP Analysis Report. It covers the CVE technical mechanism with primary-source attribution to Theori, a Tier 1A list of 16 ICS product lines with documented Linux exposure, a Tier 2 list of 14 vendors whose Linux products do not surface in advisory text, and practitioner guidance for the next four to six weeks.
    Read the full report at icsadvisoryproject.com.
    #ICS #OTSecurity #CriticalInfrastructure #LinuxKernel #CopyFail #VulnerabilityManagement
  • 0 Votes
    1 Posts
    0 Views
    alonso_reydes@infosec.exchange
    The OT Hacking Course - Operational Technology is permanently available in the virtual classroom for immediate access. WhatsApp: https://wa.me/51949304030 https://www.reydes.com/e/Curso_Hacking_OT #otsecurity #icscybersecurity #scadasecurity #industrialcybersecurity #criticalinfrastructure #ics
  • 🔈 New podcast alert!

    Uncategorized otsecurity
    1
    0 Votes
    1 Posts
    0 Views
    runzeroinc@infosec.exchange
    New podcast alert! @hdm discusses runZero's upcoming 4.9 release on @riskybiz. Hear how we're tackling converged IT/OT network challenges! Listen to the full interview to learn more: https://www.runzero.com/resources/risky-biz-sponsor-125 #OTsecurity
  • 0 Votes
    2 Posts
    0 Views
    ot_macdonald@infosec.exchange
    Update on my post/rant about enterprise network manufacturers. Instead of continuing to try to rent enterprise solutions, I decided to spend about $1k on hardware from D-Link, GL.iNet, LogiLink, MikroTik, PC ENGINES GMBH, and TP-Link Systems Inc.
    The benefits for me so far:
    1. Ownership of open-source hardware: I own the devices myself instead of just renting them; this gives me maximum control.
    2. Excellent support: kudos to the manufacturers, forums, and the (F)OSS community who have helped me with my questions.
    3. Research & knowledge sharing: I plan to share my research results with these manufacturers, not with the enterprise providers from my previous post.
    It’s exciting to see how much support and innovation is happening outside of the major enterprise manufacturers. #cybersecurity #otsecurity #ics #ot
  • 0 Votes
    1 Posts
    0 Views
    claroty@infosec.exchange
    If you can’t measure OT risk, you can’t reduce it.
    Most teams track the wrong metrics, making it harder to prioritize what actually matters.
    This guide outlines a 4-stage roadmap to transform OT risk into something measurable and actionable, bridging the gap between the plant floor and the executive suite. Read here: https://claroty.com/resources/white-papers/the-metrics-that-matter-a-4-stage-roadmap-for-ot-risk-management
    #OTSecurity #CyberSecurity #RiskManagement
  • 0 Votes
    1 Posts
    0 Views
    technadu@infosec.exchange
    OT malware ZionSiphon targets water systems
    • Alters chlorine & pressure
    • ICS protocol scanning
    • USB propagation
    Details https://www.technadu.com/zionsiphon-malware-threatens-israeli-water-systems-attempting-to-sabotage-chlorine-levels-and-pressure/626046/
    #Infosec #OTSecurity