U.S. government warns of severe CopyFail bug affecting major versions of Linux

A severe security vulnerability affecting almost every version of the Linux operating system has caught defenders off-guard and scrambling to patch after security researchers publicly released exploit code that allows attackers to take complete control of vulnerable systems.

The U.S. government says the bug, dubbed “CopyFail,” is now being exploited in the wild, meaning it’s being actively used in malicious hacking campaigns.

The bug, officially tracked as CVE-2026-31431 and discovered in Linux kernel versions 7.0 and earlier, was disclosed to the Linux kernel security team in late March, and patched after about a week. But the patches have yet to fully trickle down to the many Linux distributions that rely on the vulnerable kernel, leaving any system running an affected Linux version at risk of compromise.

Linux is widely used in enterprise settings, running the computers that operate much of the world’s datacenters.

The CopyFail website says that the same short Python script “roots every Linux distribution shipped since 2017.” According to security firm Theori, which discovered CopyFail, the vulnerability was verified in several widely used versions of Linux including Red Hat Enterprise Linux 10.1, Ubuntu 24.04 (LTS), Amazon Linux 2023, as well as SUSE 16.

DevOps engineer and developer Jorijn Schrijvershof wrote in a blog post that the exploit works on Debian and Fedora versions, as well as Kubernetes, which relies on the Linux kernel. Schrijvershof described the bug as having an “unusually large blast radius” as it works on “nearly every modern distribution” of Linux.

The bug is called CopyFail because the affected component in the Linux kernel, the core of the operating system that has virtually complete access to the entire device, does not copy certain data when it should. This corrupts sensitive data inside the kernel, allowing the attacker to piggyback the kernel’s access to the rest of the system, including its data.

If exploited, the bug is particularly problematic because it allows a regular, limited-access user to gain full-administrator access on an affected Linux system. A successful compromise of a server in a datacenter could allow an attacker to gain access to every application, server, and database of many corporate customers, and potentially gain access to other systems on the same network or datacenter.

The CopyFail bug cannot be exploited over the internet on its own, but can be weaponized if used in conjunction with an exploit that works over the internet. Per Microsoft, if the CopyFail bug is chained together with another vulnerability that can be delivered over the internet, an attacker could use the flaw to gain root access to an affected server. A user operating a Linux computer with a vulnerable kernel could also be tricked into opening a malicious link or attachment that triggers the vulnerability.

The bug could also be injected by way of supply chain attacks, in which malicious actors hack into an open source developer’s account and plant the malware in their code in order to compromise a large number of devices in one go.

Given the risk to the federal enterprise network, U.S. cybersecurity agency CISA has ordered all civilian federal agencies to patch any affected systems by May 15.
