A serious security vulnerability affecting nearly all versions of the Linux operating system has caught defenders off guard and scrambling to patch it after security researchers published exploit code that gave attackers complete control over vulnerable systems.
The U.S. government says the bug, called “CopyFail,” is currently being exploited and actively used in malicious hacking operations.
The bug, officially tracked as CVE-2026-31431, was discovered in Linux kernel versions 7.0 and earlier, disclosed to the Linux kernel security team in late March, and patched about a week later. However, many Linux distributions that rely on vulnerable kernels are not yet fully patched, leaving systems running affected Linux versions at risk of compromise.
Linux is widely used in corporate environments, running the computers that power many of the world’s data centers.
The CopyFail website states that a single short Python script “roots any Linux distribution shipped since 2017.” According to Theori, the security firm that discovered CopyFail, the vulnerability was confirmed in several widely used Linux versions, including Red Hat Enterprise Linux 10.1, Ubuntu 24.04 (LTS), Amazon Linux 2023, and SUSE 16.
DevOps engineer and developer Jorijn Schrijvershof wrote in a blog post that the exploit works on Debian and Fedora versions, as well as Kubernetes, which relies on the Linux kernel. Schrijvershof explained that the bug works on “almost all modern distributions” of Linux, giving it an “unusually large explosion radius.”
The bug is called “CopyFail” because the affected component within the Linux kernel, the core of the operating system that has virtually complete access to the entire device, fails to copy certain data when it should. This corrupts sensitive data inside the kernel and lets an attacker piggyback on the kernel’s access to the rest of the system, including the kernel’s own data.
This bug is particularly problematic because it allows normal users with limited access to gain full administrative access on affected Linux systems. A successful compromise of a server within a data center could give an attacker access to all applications, servers, and databases belonging to a large number of enterprise customers, and potentially to other systems on the same network or in the same data center.
Although the CopyFail bug cannot be exploited remotely on its own, it can be weaponized in combination with exploits that work over the Internet. According to Microsoft, if CopyFail is chained with another vulnerability that can be triggered over the Internet, an attacker could use the flaw to gain root access to an affected server. Users of Linux computers with vulnerable kernels could also be tricked into opening malicious links or attachments that trigger such vulnerabilities.
An exploit for this bug could also be delivered through a supply chain attack. In such an attack, an adversary compromises an open source developer’s account and injects malicious code into the project, compromising large numbers of devices at once.
Given the risk to federal and corporate networks, the US cybersecurity agency CISA has ordered all civilian federal agencies to patch affected systems by May 15th.
