US government warns of critical CopyFail vulnerability impacting major Linux versions
The US government has issued a warning about the severe CopyFail vulnerability affecting major Linux distributions. Public exploit code is available and the flaw is already being exploited in the wild.
A security flaw affecting nearly every modern Linux distribution has caught defenders off guard: security researchers have released public exploit code that lets a local attacker gain full (root) control of affected systems. The disclosure has triggered urgent patching efforts at organisations worldwide.
The U.S. government has confirmed that the vulnerability, known as CopyFail, is already being exploited in real-world attacks.
Formally tracked as CVE-2026-31431, the issue affects Linux kernel versions 7.0 and earlier. It was reported to the Linux kernel security team in late March and patched roughly a week later. Distributions ship their own kernel builds, however, so each vendor has to backport and package the upstream fix, and those fixes have not yet reached all of the distributions that depend on the affected kernel, leaving many systems exposed.
Linux powers a large share of global data centre infrastructure, which magnifies the vulnerability's potential impact. According to the CopyFail website, a short Python script can "root every Linux distribution shipped since 2017." The vulnerability was discovered by Theori, which confirmed its presence on several major Linux distributions, including Red Hat Enterprise Linux 10.1, Ubuntu 24.04 (LTS), Amazon Linux 2023, and SUSE 16.
DevOps engineer and developer Jorijn Schrijvershof further noted in a blog post that the exploit is also effective against Debian and Fedora distributions, as well as Kubernetes environments that rely on the Linux kernel. He described the vulnerability as having an "unusually big blast radius," impacting "nearly every modern distribution" of Linux.
The flaw is named CopyFail because it stems from the Linux kernel, the core component of the operating system, failing to copy certain data correctly. The result is corruption of sensitive kernel data, which an attacker can turn into a privilege escalation and, from there, control of the whole system.
A successful exploit lets an unprivileged local user obtain full administrative (root) access. In a data centre or multi-tenant context, where many workloads share one host kernel, root on that host could give an attacker access to applications, servers, and databases belonging to multiple organisations, and a foothold from which to move laterally across networks.
Because CopyFail is a local privilege escalation, it cannot be exploited over the internet on its own: the attacker first needs to run code on the machine, whether through a separate internet-exploitable vulnerability or by luring a user into opening a malicious link or attachment. Microsoft noted that once chained with such an initial foothold, CopyFail can turn it into full system compromise.
The same logic applies to supply chain attacks: if attackers compromise an open-source developer account and inject malicious code into widely distributed software, that code runs unprivileged on many systems at once, and CopyFail would let it escalate to root on each of them.
Given the severity of the threat, the Cybersecurity and Infrastructure Security Agency (CISA) has directed all civilian federal agencies to patch affected systems by May 15.
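Because the fix is propagating distribution by distribution, the practical question for a defender is whether a given host has actually received it. The script below is an added example, not code from the article, from Theori, or from any distribution vendor. It performs two checks: whether the changelog of the installed kernel package mentions CVE-2026-31431 (vendors backport fixes, so the version number alone says little), and whether the running kernel is the newest one installed (an updated package does nothing until the host reboots into it). The package-manager commands, the changelog path under /usr/share/doc, the /boot/vmlinuz-<version> naming and the use of GNU sort -V are assumptions about typical RPM- and Debian-based systems; adjust them for your distribution.

```shell
#!/bin/sh
# Added example (not from the article, Theori, or any distribution vendor):
# local triage for CVE-2026-31431 while vendor fixes are still propagating.
# Assumptions: RPM-based distributions (RHEL, Fedora, Amazon Linux, SUSE) keep
# the changelog inside the kernel package; Debian and Ubuntu ship it as
# /usr/share/doc/linux-image-<version>/changelog.Debian.gz; installed kernels
# appear as /boot/vmlinuz-<version>; GNU sort -V orders version strings.

CVE_ID="CVE-2026-31431"

# changelog_mentions_cve CVE TEXT: succeed if TEXT (a changelog) names the CVE.
changelog_mentions_cve() {
    printf '%s\n' "$2" | grep -q -F -- "$1"
}

# newest_version V1 [V2 ...]: print the highest version among the arguments.
newest_version() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# running_is_newest RUNNING INSTALLED...: succeed when RUNNING is the newest.
running_is_newest() {
    cand="$1"
    shift
    [ "$(newest_version "$cand" "$@")" = "$cand" ]
}

# kernel_changelog: print the changelog of the package owning the running kernel.
kernel_changelog() {
    v=$(uname -r)
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "/boot/vmlinuz-$v" 2>/dev/null) && rpm -q --changelog "$pkg"
    elif [ -r "/usr/share/doc/linux-image-$v/changelog.Debian.gz" ]; then
        zcat "/usr/share/doc/linux-image-$v/changelog.Debian.gz"
    fi
}

# installed_kernel_versions: one installed kernel version per line, from /boot.
installed_kernel_versions() {
    for f in /boot/vmlinuz-*; do
        [ -e "$f" ] && printf '%s\n' "${f#/boot/vmlinuz-}"
    done
    return 0
}

# triage: run both checks against the live system and report the outcome.
triage() {
    rk=$(uname -r)
    echo "running kernel: $rk"
    if changelog_mentions_cve "$CVE_ID" "$(kernel_changelog)"; then
        echo "kernel package changelog mentions $CVE_ID: fix appears to be packaged"
    else
        echo "no mention of $CVE_ID in the kernel package changelog: treat as unpatched"
    fi
    # Word-splitting of the version list is intended here.
    # shellcheck disable=SC2046
    if running_is_newest "$rk" $(installed_kernel_versions); then
        echo "running kernel is the newest installed"
    else
        echo "a newer kernel is installed but not running: reboot required"
    fi
}

# Run the live checks unless TRIAGE_RUN=0, so the functions can also be sourced.
[ "${TRIAGE_RUN:-1}" = "0" ] || triage
```

Run it with sh on the host, or source it with TRIAGE_RUN=0 to reuse the functions elsewhere. A changelog mention is evidence that the vendor packaged a fix, not proof that the running kernel binary contains it; the second check catches the common case of a patched package still waiting on a reboot, which is exactly the window in which a public local root exploit is most dangerous.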