✨ Discover this insightful post from TechCrunch 📖
📂 **Category**: Security,cyberattacks,cybersecurity,linux
A critical vulnerability affecting almost every version of the Linux operating system caught defenders off guard, and they rushed to patch it after security researchers publicly released exploit code that allows attackers to take full control of vulnerable systems.
The US government says the vulnerability, dubbed “CopyFail”, is now being widely exploited, meaning it is being actively used in malicious hacking campaigns.
The bug, officially tracked as CVE-2026-31431 and discovered in Linux kernel versions 7.0 and earlier, was disclosed to the Linux kernel security team in late March, and was patched about a week later. But patches have not yet reached many Linux distributions that rely on the vulnerable kernel, leaving any system running an affected version of Linux at risk of being hacked.
Linux is widely used in enterprise settings, running the computers that power much of the world’s data centers.
The CopyFail website says that the same short Python script “has rooted every Linux distribution shipped since 2017.” According to security firm Theori, which discovered CopyFail, the vulnerability has been verified in several widely used Linux versions including Red Hat Enterprise Linux 10.1, Ubuntu 24.04 (LTS), Amazon Linux 2023 as well as SUSE 16.
DevOps engineer and developer Jorijn Schrijvershof wrote in a blog post that the exploit works on versions of Debian and Fedora, as well as Kubernetes, which relies on the Linux kernel. Schrijvershof described the bug as having an “unusually large burst range” because it runs on “almost every modern distribution” of Linux.
The bug is called CopyFail because the affected component of the Linux kernel, the core of the operating system that has full access to the entire device, does not copy certain data when it should. This corrupts sensitive data within the kernel, allowing an attacker to exploit the kernel’s access to the rest of the system, including its data.
The bug is particularly problematic when exploited because it allows a regular user with limited access to gain full administrator access on the affected Linux system. Successful compromise of a server in a data center could allow an attacker to gain access to every application, server, and database of multiple enterprise customers, and potentially gain access to other systems on the same network or data center.
The CopyFail bug cannot be exploited over the internet on its own, but it can be weaponized when used in conjunction with an exploit that does work over the internet. According to Microsoft, if the CopyFail bug is chained with another vulnerability that can be delivered over the internet, an attacker could use the flaw to gain root access to the affected server. A user running a Linux computer with a vulnerable kernel can also be tricked into opening a malicious link or attachment that triggers the vulnerability.
The bug can also be exploited through supply chain attacks, where malicious actors hijack an open source developer’s account and implant malware into their code in order to compromise a large number of devices at once.
Given the risks to the federal enterprise network, the US cybersecurity agency CISA has ordered all civilian federal agencies to patch any affected systems by May 15.
🕒 **Posted on**: 1777936127
