US government warns of serious copyfail bug affecting major versions of Linux

A serious security vulnerability affecting nearly every version of the Linux operating system has left defenders on alert and scrambling to patch after security researchers publicly released exploit code that allows attackers to take complete control of vulnerable systems.

The US government says the bug, called “CopyFail,” is now being exploited by malicious hackers, which means they are actively using it in their campaigns.

The bug, officially tracked as CVE-2026-31431, affects Linux kernel versions 7.0 and earlier. It was reported to the Linux kernel security team in late March and patched about a week later. But the patches have still not fully reached many Linux distributions that rely on the vulnerable kernel, leaving any system running an affected Linux version at risk of being compromised.

Linux widely powers the computers that run most of the world’s datacentres in enterprise settings.

The CopyFail website says the same small Python script “roots every Linux distribution shipped since 2017.”

According to security firm Theory, which discovered CopyFail, the vulnerability was verified in several widely used versions of Linux, including Red Hat Enterprise Linux 10.1, Ubuntu 24.04 (LTS), and Amazon Linux 2023, as well as SUSE 16.

In a blog post, DevOps engineer and developer Jorijn Schrijvershof wrote that this exploit works on Debian and Fedora editions, as well as Kubernetes, which relies on the Linux kernel. Schrijvershof described the bug as having an “unusually large blast radius” because it works on “almost every modern distribution” of Linux.

The bug is called CopyFail because the affected component in the Linux kernel (the core of the operating system, which has full access to virtually the entire device) fails to copy some data when it should. This corrupts sensitive data within the kernel, allowing an attacker to gain access to the rest of the system, including the kernel’s own data.

If exploited, the bug is particularly problematic because it allows a regular, limited-access user to gain full-administrator access on an affected Linux system. A successful compromise of servers in a data centre could allow an attacker to gain access to every application, server, and database of multiple corporate customers, and potentially to other systems on the same network or data centre.

The CopyFail bug cannot be used on its own over the Internet, but it can be weaponised in conjunction with an exploit that does operate over the Internet. Per Microsoft, if the CopyFail bug is combined with another vulnerability that can be delivered over the Internet, an attacker could use the flaw to gain root access to an affected server. A user running a Linux computer with a vulnerable kernel could also be tricked into opening a malicious link or attachment that triggers the vulnerability.

Bugs can also be introduced through supply-chain attacks, in which malicious actors break into an open-source developer’s account and plant malware in their code to compromise a large number of devices at once.

Given the risk to federal enterprise networks, the US cybersecurity agency CISA ordered that all civilian federal agencies must fix any affected systems by May 15.