A new Linux vulnerability called “CopyFail” has led to a warning from the U.S. government, after officials confirmed that attackers are already using it.
This flaw, tracked as CVE-2026-31431, affects Linux kernel versions 7.0 and earlier. The Cybersecurity and Infrastructure Security Agency has added it to its list of known exploited vulnerabilities.
Why the bug is alarming
CopyFail is especially dangerous because it can give attackers a high level of access.
TechCrunch reported that the flaw lets attackers take complete control of vulnerable systems, and even a regular user could potentially gain full administrator rights.
The problem happens when the kernel fails to copy certain data, which corrupts sensitive memory and allows attackers to use the kernel’s deep access to the system.
CyberScoop also described it as a local privilege-escalation flaw that could let anyone with local access gain total control of a system.
Major Linux distributions are in scope
The risk is broad because the vulnerability appears to touch mainstream Linux distributions used heavily in business and cloud environments.
Security firm Theori verified the flaw in Red Hat Enterprise Linux 10.1, Ubuntu 24.04 LTS, Amazon Linux 2023, and SUSE 16. The exploit also works on Debian, Fedora, and Kubernetes environments.
The CopyFail website even claims the same short Python script can root every Linux distribution shipped since 2017. The defect could affect “every mainstream Linux distribution built since 2017.”
Active exploitation, but not a one-click internet bug
Despite the urgent warning, reports say CopyFail is not, by itself, a flaw that attackers can use to target random internet users.
The bug cannot be exploited over the internet on its own, but it could be used with another vulnerability or if someone is tricked into opening a malicious link or file.
Rapid7 security researcher Spencer McIntyre said an attacker would need to have “already established a foothold” through legitimate access or another exploit, which is a “large limiting factor.”
This makes the attack path narrower, but both reports agree the flaw is still dangerous because once an attacker has access, gaining root control can be very damaging.
Disclosure itself becomes part of the story
The way the vulnerability was announced is also getting attention.
Theori used AI to help find and disclose the bug, but some researchers said the write-up relied too much on AI-generated language and lacked technical detail.
Caitlin Condon, vice president of security research at VulnCheck, said the exploit is real but that defenders now have to deal with what she called “extreme AI FUD.”
Theori’s Tim Becker said the company used AI to prepare the disclosure materials “to help speed things up,” and that the content was checked internally for accuracy.
What happens next
For defenders, the immediate issue is patching speed.
CISA has ordered civilian federal agencies to fix affected systems by May 15, underscoring how seriously Washington is treating the threat.
For the wider Linux ecosystem, CopyFail is a reminder that even flaws requiring an initial foothold can become severe infrastructure problems when they affect the kernel layer shared across data centers, enterprise servers, and cloud-native systems.