
US confirms bug in Linux system OS


A critical security flaw affecting nearly all versions of the Linux operating system has left cybersecurity teams rushing to respond after researchers released exploit code that enables attackers to fully compromise affected systems.

The United States government has confirmed that the vulnerability, known as “CopyFail,” is already being actively exploited in real-world attacks, with hackers using it in ongoing malicious campaigns.

The bug, officially tracked as CVE-2026-31431 and affecting Linux kernel versions 7.0 and earlier, was reported to the Linux kernel security team in late March and patched roughly a week later.

However, those fixes have not yet fully reached the wide range of Linux distributions built on the affected kernel, leaving many systems still exposed.
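Because distributions backport kernel fixes without changing the kernel's version number, the version string alone does not tell you whether a host has received the CopyFail fix. The shell helpers below are an added illustration, not code from the article, from Theori or from any distribution: they check the running kernel's major.minor against the "7.0 and earlier" range the article reports, then look for the CVE identifier in the installed kernel package's changelog, which is the more reliable signal. The package names, changelog paths and the two sample changelog entries are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2026-31431 (CopyFail).
# Assumption: a distribution that backports the fix records the CVE ID in the
# kernel package changelog, so grepping the changelog beats comparing versions,
# which backports leave unchanged.

CVE_ID="CVE-2026-31431"

# kernel_in_reported_range VERSION
# Returns 0 when VERSION (e.g. "6.8.0-45-generic") has major.minor <= 7.0,
# the affected range reported in the article. Being in range does NOT mean
# unpatched; it only means the fix must be confirmed another way.
kernel_in_reported_range() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    case "$major" in ''|*[!0-9]*) return 2 ;; esac   # unparsable version
    case "$minor" in ''|*[!0-9]*) minor=0 ;; esac
    if [ "$major" -lt 7 ]; then return 0; fi
    if [ "$major" -eq 7 ] && [ "$minor" -le 0 ]; then return 0; fi
    return 1
}

# changelog_mentions_cve FILE
# Returns 0 when the kernel package changelog in FILE names the CVE.
changelog_mentions_cve() {
    grep -q -- "$CVE_ID" "$1"
}

# triage VERSION CHANGELOG_FILE
# Prints a verdict; returns 0 when the host looks fixed or out of range,
# 1 when it should be treated as exposed.
triage() {
    if changelog_mentions_cve "$2"; then
        echo "fix for $CVE_ID recorded in package changelog"; return 0
    elif kernel_in_reported_range "$1"; then
        echo "kernel $1 is in the reported range and no fix is recorded: treat as exposed"; return 1
    else
        echo "kernel $1 is outside the reported range"; return 0
    fi
}

# Live use on a real host (commented out; package names/paths are assumptions):
#   rpm -q --changelog kernel-core | grep -- "$CVE_ID"        # RHEL/Fedora (SUSE: kernel-default)
#   zcat /usr/share/doc/linux-image-"$(uname -r)"/changelog.Debian.gz | grep -- "$CVE_ID"  # Debian/Ubuntu
#   triage "$(uname -r)" /tmp/kernel-changelog.txt

# Constructed sample changelogs so the script runs offline.
PATCHED_LOG=$(mktemp)
UNPATCHED_LOG=$(mktemp)
trap 'rm -f "$PATCHED_LOG" "$UNPATCHED_LOG"' EXIT
cat > "$PATCHED_LOG" <<'EOF'
* Tue Apr 07 2026 Kernel Maintainer <kernel@example.invalid> - 6.12.0-1
- Backport fix for CVE-2026-31431 (kernel data corruption)
EOF
cat > "$UNPATCHED_LOG" <<'EOF'
* Mon Mar 02 2026 Kernel Maintainer <kernel@example.invalid> - 6.12.0-0
- Initial build
EOF

# Demonstration on the constructed samples.
triage "6.12.0" "$PATCHED_LOG" || :
triage "6.12.0" "$UNPATCHED_LOG" || :
```

The second call is the one to note: the kernel version is identical in both samples, so only the changelog distinguishes the patched host from the exposed one. Where a distribution does not cite CVE IDs in its changelog, fall back to the vendor's advisory for the fixed package version.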

Linux is extensively used in enterprise environments and powers much of the world’s data center infrastructure, making the vulnerability a significant concern for organizations that rely on it.

The CopyFail website claims that a short Python script can “root every Linux distribution shipped since 2017.”

Security firm Theori, which identified the vulnerability, confirmed that the exploit was successfully tested on several major Linux distributions, including Red Hat Enterprise Linux 10.1, Ubuntu 24.04 (LTS), Amazon Linux 2023, and SUSE 16.

DevOps engineer Jorijn Schrijvershof also noted in a blog post that the exploit appears to work on Debian and Fedora-based systems, as well as Kubernetes environments, which depend on the Linux kernel.

Schrijvershof said the vulnerability has an “unusually big blast radius,” affecting what appears to be “nearly every modern distribution” of Linux.

The issue, dubbed CopyFail, lies in a component of the Linux kernel, the core of the operating system that has almost complete control over the machine. In the affected code, certain data is not copied when it should be.

The result is corruption of sensitive kernel data, which an attacker can exploit to act with the kernel's privileges and reach the wider system, including its data.

The vulnerability is especially dangerous because it lets an ordinary, low-privilege user account on an affected machine escalate to full administrative (root) control of that system.

A successful breach of a single data center server could enable an attacker to access a wide range of resources, including applications, servers, and databases belonging to multiple corporate customers. From there, they could potentially move laterally to other systems within the same network or data center, expanding the scope of the compromise.

In response to the risk posed to federal enterprise networks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed all civilian federal agencies to apply patches to any affected systems by May 15.