US government warns of severe CopyFail bug affecting major versions of Linux
A severe security vulnerability dubbed CopyFail affects almost every version of the Linux operating system. The U.S. government says the bug is now being exploited in the wild. The flaw, officially tracked as CVE-2026-31431, was discovered in Linux kernel versions 7.0 and earlier.
The vulnerability was disclosed to the Linux kernel security team in late March and patched after about a week. Patches have not yet fully reached the many Linux distributions that rely on the vulnerable kernel. The CopyFail website says the same short Python script roots every Linux distribution shipped since 2017.
According to security firm Theori, which discovered the bug, the vulnerability was verified in Red Hat Enterprise Linux 10.1, Ubuntu 24.04 LTS, Amazon Linux 2023, and SUSE 16. DevOps engineer Jorijn Schrijvershof wrote in a blog post that the exploit works on Debian and Fedora versions as well as Kubernetes. The affected kernel component does not copy certain data when it should, which corrupts sensitive data and allows an attacker to gain full access to the system.
A regular user with limited access can gain full administrator access on an affected Linux system. The bug cannot be exploited over the internet on its own but can be chained with another vulnerability that works over the internet. It could also be delivered through a malicious link or attachment or through supply chain attacks in which actors plant malware in open source code.
Given the risk to the federal enterprise network, the U.S. cybersecurity agency CISA has ordered all civilian federal agencies to patch any affected systems
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from TechCrunch and reviewed by the T&B editorial agent team.