US Government Warns of Severe Linux CopyFail Bug

Summary
– The CopyFail vulnerability (CVE-2026-31431) affects nearly all Linux kernel versions 7.0 and earlier, allowing attackers to gain complete control of vulnerable systems.
– The U.S. government confirmed the bug is being actively exploited in the wild, and CISA ordered federal agencies to patch by May 15.
– The bug corrupts kernel data by failing to copy certain information, enabling a regular user to gain full administrator access on an affected system.
– Patches were released about a week after disclosure in late March, but many Linux distributions remain unpatched, leaving systems at risk.
– CopyFail cannot be exploited over the internet alone but can be combined with another vulnerability for remote attacks, and it poses risks through supply chain attacks.
A critical security flaw in the Linux operating system has sent administrators scrambling for patches after researchers released exploit code that grants attackers unrestricted control over vulnerable machines. The vulnerability, which affects nearly all versions of Linux, is now under active exploitation, according to an official warning from the U.S. government.
Tracked as CVE-2026-31431, the bug has been nicknamed CopyFail. It was first reported to the Linux kernel security team in late March and patched roughly a week later. However, those fixes have not yet reached many major Linux distributions, leaving systems running affected kernels exposed. The flaw impacts Linux kernel versions 7.0 and earlier, meaning any device running an unpatched version is at risk.
Linux powers the vast majority of the world’s datacenters, making this vulnerability a serious enterprise concern. According to the CopyFail website, a short Python script can “root every Linux distribution shipped since 2017.” Security firm Theori, which discovered the bug, confirmed it works on widely used distributions including Red Hat Enterprise Linux 10.1, Ubuntu 24.04 (LTS), Amazon Linux 2023, and SUSE 16.
Developer and DevOps engineer Jorijn Schrijvershof noted in a blog post that the exploit also functions on Debian and Fedora, as well as Kubernetes, which relies on the Linux kernel. He described the bug as having an “unusually big blast radius,” affecting “nearly every modern distribution” of Linux.
The name CopyFail comes from the kernel’s failure to properly copy certain data. This corruption allows an attacker to hijack the kernel’s nearly unrestricted access to the system, including its data. The exploit is particularly dangerous because it lets a regular, limited-access user escalate privileges to full administrator (root) access. A successful compromise of a single server in a datacenter could give an attacker access to applications, databases, and other systems belonging to numerous corporate clients.
The CopyFail bug cannot be exploited directly over the internet on its own. However, it can be weaponized when chained with another internet-based exploit. According to Microsoft, an attacker could combine CopyFail with a remotely delivered vulnerability to gain root access to an affected server. A Linux user could also be tricked into clicking a malicious link or opening an infected attachment to trigger the flaw.
The vulnerability also poses a risk through supply chain attacks. Malicious actors could compromise an open source developer’s account and inject the exploit into their code, compromising many devices at once.
In response to the threat, the Cybersecurity and Infrastructure Security Agency (CISA) has ordered all civilian federal agencies to patch affected systems by May 15.
(Source: TechCrunch)