CISA warns of active exploitation of severe CopyFail vulnerability in major Linux distributions

Security firm Theori confirms the bug affects Red Hat, Ubuntu and other enterprise systems, though the exploit requires chaining with other vulnerabilities or social engineering tactics.

Author: Owen Mercer, Markets and Finance Editor
Published: Draft
Source: TechCrunch · original
US government warns of severe CopyFail bug affecting major versions of Linux
Federal agencies face a hard deadline to patch kernel flaws that could grant attackers full system control

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert that the CopyFail vulnerability, tracked as CVE-2026-31431, is currently being actively exploited in malicious hacking campaigns. The flaw affects kernel versions 7.0 and earlier, posing a severe risk to enterprise servers and data centres globally that rely on the Linux operating system. While a patch was developed and released in late March, it has not yet fully propagated across all major Linux distributions, leaving many systems exposed to compromise.

The vulnerability allows a user with limited access to escalate privileges to full administrator control by corrupting sensitive kernel data. Security firm Theori verified that the exploit functions on widely used distributions including Red Hat Enterprise Linux 10.1, Ubuntu 24.04, Amazon Linux 2023, SUSE 16, Debian, Fedora, and Kubernetes. DevOps engineer Jorijn Schrijvershof described the bug as having an unusually big blast radius, noting that it works on nearly every modern distribution of Linux shipped since 2017.

Despite the severity of the flaw, the CopyFail bug cannot be triggered remotely over the internet on its own. To be weaponised, the vulnerability must be chained with another internet-deliverable vulnerability or combined with social engineering tactics such as malicious links or attachments. Supply chain attacks, in which malicious actors inject malware into open source code, also present a vector for exploitation. Because of this limitation, an attacker must first obtain some foothold on an affected server before the bug can be used to gain root access.

The core of the operating system fails to copy certain data as intended, corrupting sensitive information within the kernel. This failure allows an attacker to piggyback on the kernel's high-level access to the rest of the system, including data, applications, and databases. A successful compromise of a server in a data centre could grant an attacker access to numerous corporate customers and potentially other systems on the same network, creating a significant risk for the federal enterprise network and beyond.

Given the critical nature of the threat to civilian federal agencies, CISA has mandated that all affected systems must be patched by 15 May. This deadline underscores the urgency for organisations to ensure their Linux environments are updated, particularly as the fix has not yet fully reached all distributions despite being publicly disclosed in late March. The gap between the release of the patch and its widespread adoption leaves a window of opportunity for active exploitation.
