The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a rare “severe” alert for a Linux kernel vulnerability, tracked as CVE-2026-31431 and dubbed “CopyFail,” that is now being actively exploited in the wild. The bug affects Linux kernel versions 7.0 and earlier, and the agency has ordered all civilian federal agencies to patch affected systems by May 15. [TechCrunch]
What CopyFail does
The vulnerability resides in the kernel’s copy_from_user() syscall. Under certain conditions, the kernel fails to copy data correctly, leading to memory corruption. An attacker with limited user access can exploit this to gain full root (administrator) privileges on the affected system. The CopyFail website claims that a single short Python script “roots every Linux distribution shipped since 2017.” [TechCrunch]
Affected distributions
Security firm Theori, which discovered the bug, verified the vulnerability in several widely used Linux distributions: Red Hat Enterprise Linux 10.1, Ubuntu 24.04 (LTS), Amazon Linux 2023, and SUSE 16. DevOps engineer Jorijn Schrijvershof confirmed in a blog post that the exploit also works on Debian and Fedora, as well as on Kubernetes, which relies on the Linux kernel. Schrijvershof described the bug as having an “unusually big blast radius” because it affects “nearly every modern distribution” of Linux. [TechCrunch]
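The practical follow-up to a list like this is a fleet inventory: which hosts still run a kernel older than the build in which their distribution shipped the fix. The helper below is an added example, not code from the article, from Theori, or from the CopyFail site. It assumes the running kernel version comes from `uname -r` on each host and that the fixed version is taken from your distribution's own advisory for CVE-2026-31431; `FIXED_VERSION` is a placeholder because the article does not state a fixed release, and the host names and version strings used for illustration are constructed.

```shell
#!/bin/sh
# Added example (not from the article): flag hosts whose kernel predates the
# distro-provided fix for CVE-2026-31431 ("CopyFail").
# Requires GNU sort (-V) for version-aware ordering.

# Placeholder only: take the real value from your distribution's advisory.
# Enterprise distros backport fixes without changing the upstream version
# (e.g. a 5.14.0-NNN.el9 build), so compare against the vendor package
# version, not the upstream kernel.org release.
FIXED_VERSION="${FIXED_VERSION:-X.Y.Z-PLACEHOLDER}"

# kernel_needs_patch RUNNING FIXED
# Returns 0 (true) when RUNNING sorts strictly before FIXED, i.e. the host
# still needs the CopyFail patch; returns 1 otherwise.
kernel_needs_patch() {
    running=$1
    fixed=$2
    # Identical strings are trivially patched.
    [ "$running" = "$fixed" ] && return 1
    # sort -V orders "6.12.8-amd64" before "6.12.9" and "5.14.0-503.el9"
    # before "5.14.0-570.el9"; if the lowest is the running kernel, it is
    # older than the fix.
    lowest=$(printf '%s\n%s\n' "$running" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$running" ]
}

# copyfail_triage_line HOST RUNNING FIXED
# Emits one tab-separated inventory line for a report.
copyfail_triage_line() {
    host=$1
    running=$2
    fixed=$3
    if kernel_needs_patch "$running" "$fixed"; then
        printf '%s\t%s\tNEEDS-PATCH\n' "$host" "$running"
    else
        printf '%s\t%s\tok\n' "$host" "$running"
    fi
}

# Stand-alone run over constructed sample hosts (hypothetical names and
# versions, used only to illustrate the output format).
copyfail_demo() {
    copyfail_triage_line "web-01"  "6.12.8-amd64"            "6.12.9-amd64"
    copyfail_triage_line "web-02"  "6.12.9-amd64"            "6.12.9-amd64"
    copyfail_triage_line "db-01"   "5.14.0-503.el9.x86_64"   "5.14.0-570.el9.x86_64"
}

copyfail_demo
```

On a real fleet, replace the demo with a loop that collects `uname -r` from each host (via your configuration-management or SSH inventory tooling) and pass the per-distribution fixed package version as the third argument; a host on Red Hat Enterprise Linux and one on Ubuntu will each have their own fixed build, so keep one `FIXED_VERSION` per distribution rather than one global value.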
How it can be exploited
CopyFail cannot be exploited over the internet on its own. However, according to Microsoft, if chained together with another vulnerability that can be delivered over the internet, an attacker could use the flaw to gain root access to an affected server. A user operating a Linux computer with a vulnerable kernel could also be tricked into opening a malicious link or attachment that triggers the vulnerability. The bug could also be injected via supply-chain attacks, where malicious actors compromise an open-source developer’s account and plant the malware in their code. [TechCrunch]
Impact on datacenters and cloud workloads
Linux is widely used in enterprise settings, running the computers that operate much of the world’s datacenters. A successful compromise of a server in a datacenter could allow an attacker to gain access to every application, server, and database of numerous corporate customers, and potentially gain access to other systems on the same network or datacenter. [TechCrunch]
Patching status
The bug was disclosed to the Linux kernel security team in late March and patched after about a week. However, the patches have yet to fully trickle down to the many Linux distributions that rely on the