Critical Linux CopyFail Vulnerability Being Actively Exploited in the Wild
A severe Linux kernel vulnerability called CopyFail (CVE-2026-31431) is now being exploited in active hacking campaigns, allowing unprivileged users to gain full root access on systems. The U.S. government has warned of the bug's active exploitation and ordered federal agencies to patch by May 15.
Critical Linux Security Alert
The U.S. government says the bug, dubbed "CopyFail," is now being exploited in the wild, meaning it's being actively used in malicious hacking campaigns. The bug, officially tracked as CVE-2026-31431 and discovered in Linux kernel versions 7.0 and earlier, was disclosed to the Linux kernel security team in late March, and patched after about a week.
Technical Details
The bug is called CopyFail because the affected component in the Linux kernel (the core of the operating system, which has virtually complete access to the entire device) does not copy certain data when it should. This corrupts sensitive data within the kernel, allowing the attacker to piggyback on the kernel's access to the rest of the system, including its data. The bug is particularly problematic because, if exploited, it allows a regular, limited-access user to gain full administrator access on an affected Linux system.
Impact & Scale
The exploit is "100% reliable" and functions without modification across multiple major Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. Given the risk to the federal enterprise network, U.S. cybersecurity agency CISA has ordered all civilian federal agencies to patch any affected systems by May 15.
Why It Matters
The patches have yet to fully trickle down to the many Linux distributions that rely on the vulnerable kernel, leaving any system running an affected Linux version at risk of compromise.