US government warns of severe CopyFail bug affecting major versions of Linux
Source: TechCrunch
Overview
A severe security vulnerability affecting almost every version of the Linux operating system has caught defenders off‑guard and scrambling to patch after security researchers publicly released exploit code that allows attackers to take complete control of vulnerable systems. The U.S. government says the bug, dubbed CopyFail, is now being exploited in the wild, meaning it’s actively used in malicious hacking campaigns.
The bug, officially tracked as CVE‑2026‑31431 and discovered in Linux kernel versions 7.0 and earlier, was disclosed to the Linux kernel security team in late March and patched after about a week. However, the patches have yet to fully trickle down to the many Linux distributions that rely on the vulnerable kernel, leaving any system running an affected Linux version at risk of compromise.
Affected Distributions
The CopyFail website states that a short Python script “roots every Linux distribution shipped since 2017.” Security firm Theori, which discovered CopyFail, verified the vulnerability in several widely used versions, including:
- Red Hat Enterprise Linux 10.1
- Ubuntu 24.04 (LTS)
- Amazon Linux 2023
- SUSE 16
DevOps engineer Jorijn Schrijvershof noted in a blog post that the exploit also works on Debian and Fedora, as well as on Kubernetes, which relies on the Linux kernel. He described the bug as having an “unusually big blast radius” because it works on “nearly every modern distribution” of Linux.
Technical Details
The bug is called CopyFail because the affected kernel component fails to copy certain data when it should. The resulting corruption lets an attacker piggyback on the kernel’s virtually complete access to the device, gaining the ability to manipulate sensitive data and elevate privileges.
If exploited, the bug lets a regular, limited‑access user gain full administrator (root) access on an affected system. A compromised server in a data center could give an attacker access to every application, server, and database of numerous corporate customers, and potentially to other systems on the same network.
The CopyFail bug cannot be exploited over the internet on its own, but it can be weaponized when chained with an internet‑deliverable exploit. According to Microsoft, such chaining could allow an attacker to gain root access to an affected server. Additionally, a user could be tricked into opening a malicious link or attachment that triggers the vulnerability.
Supply‑chain attacks are another vector: malicious actors could compromise an open‑source developer’s account and inject the exploit into widely distributed code, compromising many devices at once.
Impact
Given the bug’s ability to grant root privileges from a low‑privilege account, the potential impact on federal enterprise networks and commercial data centers is significant. A successful compromise could expose sensitive corporate data, disrupt services, and facilitate further lateral movement within a network.
Mitigation and Recommendations
U.S. cybersecurity agency CISA has ordered all civilian federal agencies to patch any affected systems by May 15. Organizations should:
- Verify the running kernel version on each system against their distribution vendor’s advisory and apply the latest security patches.
- Monitor for any indicators of compromise related to the CopyFail exploit.
- Review and harden remote‑access configurations to reduce the risk of chaining exploits.
- Employ supply‑chain security best practices, such as code‑signing verification and restricted access to source repositories.
Prompt patching and vigilant monitoring are essential to mitigate the risk posed by CVE‑2026‑31431.