A serious security vulnerability that affects nearly every version of the Linux operating system has defenders scrambling to patch after security researchers publicly released exploit code that allows attackers to take full control of vulnerable systems.
The US government says the bug, called “CopyFail”, is now exploited in the wild, meaning it is actively used in malicious hacking campaigns.
The bug, officially tracked as CVE-2026-31431 and discovered in Linux kernel versions 7.0 and earlier, was disclosed to the Linux kernel security team in late March and patched after about a week. But patches have yet to be fully rolled out on the many Linux distributions based on the vulnerable kernel, leaving any system running an affected version of Linux at risk of being compromised.
Linux is widely used in enterprise settings, running the computers that run many of the world’s data centers.
The CopyFail website says that the same short Python script “views every Linux distribution that has shipped since 2017.” According to security firm Theori, which discovered CopyFail, the vulnerability was verified in several widely used versions of Linux, including Red Hat Enterprise Linux 10.1, Ubuntu 24.04 (LTS), Amazon Linux 2023, as well as SUSE 16.
DevOps engineer and developer Jorijn Schrijvershof wrote in a blog post that the exploit works on Debian and Fedora versions, as well as Kubernetes, which is based on the Linux kernel. Schrijvershof described the bug as having an “unusually large blast radius” as it works in “almost every modern distribution” of Linux.
The bug is called CopyFail because the affected component in the Linux kernel, the core of the operating system that has almost full access to the entire device, doesn’t copy some data when it should. This destroys sensitive data within the kernel, allowing an attacker to piggyback on the kernel’s access to the rest of the system, including its data.
If exploited, the flaw is particularly problematic because it allows a normal user with limited access to gain full administrative access to an affected Linux system. A successful compromise of a server in a data center could allow an attacker to gain access to every application, server, and database of multiple enterprise customers and potentially gain access to other systems on the same network or data center.
The CopyFail bug cannot be exploited on its own over the Internet, but can be weaponized if used in conjunction with an exploit that works over the Internet. According to Microsoft, if the CopyFail bug is chained with another Internet-deliverable vulnerability, an attacker could use the flaw to gain root access to an affected server. A user operating a Linux computer with a vulnerable kernel could also be tricked into opening a malicious link or attachment that triggers the vulnerability.
The bug could also be exploited through supply chain attacks, where malicious actors hack into an open source developer’s account and plant malware in their code in order to compromise a large number of devices in one go.
Given the risk to the federal enterprise network, the US cybersecurity agency CISA has ordered all civilian federal agencies to patch any affected systems by May 15.
