The US government is warning of a severe CopyFail bug affecting major versions of Linux

A major security vulnerability affecting nearly all versions of the Linux operating system has caught defenders off guard and left them scrambling to patch, after security researchers publicly released exploit code that allows attackers to take complete control of vulnerable systems.
The US government says the bug, called “CopyFail,” is now being exploited in the wild, meaning it’s being widely used in malicious hacking campaigns.
The bug, officially tracked as CVE-2026-31431 and found in Linux kernel versions 7.0 and earlier, was disclosed to the Linux kernel security team in late March and patched a week later. But the patches have yet to fully reach most Linux distributions that depend on the vulnerable kernel, leaving any system running an affected version of Linux at risk of compromise.
Linux is widely used in business settings, powering the computers that run many of the world’s data centers.
The CopyFail website says that a similar short Python script “deletes all Linux distributions shipped since 2017.” According to security firm Theori, which discovered CopyFail, the vulnerability was confirmed in several widely used versions of Linux including Red Hat Enterprise Linux 10.1, Ubuntu 24.04 (LTS), Amazon Linux 2023, and SUSE 16.
DevOps engineer and developer Jorijn Schrijvershof wrote in a blog post that the exploit works on versions of Debian and Fedora, as well as Kubernetes, which rely on the Linux kernel. Schrijvershof described the bug as having an “unusual scope of explosion” as it applies to “almost all modern distributions” of Linux.
The bug is called CopyFail because the affected component in the Linux kernel, the core of the operating system that has full access to the entire device, does not copy certain data when it should. This corrupts sensitive data within the kernel, allowing an attacker to abuse the kernel’s access to the entire system, including its data.
When exploited, the bug is particularly problematic because it allows a normal user, with limited access, to gain full administrator access to an affected Linux system. A successful compromise of a server in a data center can allow an attacker to gain access to the applications, servers, and databases of many corporate customers, and to reach other systems on the same network or data center.
The CopyFail bug cannot be exploited over the Internet by itself, but it can be used in conjunction with an exploit that works over the Internet. According to Microsoft, if the CopyFail bug is chained with other vulnerabilities that can be delivered over the Internet, an attacker can use it to gain root access to the affected server. A user running a Linux computer with a vulnerable kernel can also be tricked into opening a malicious link or attachment that triggers the vulnerability.
The bug can also be exploited through a supply chain attack, where malicious actors hack into a developer’s open source account and plant malware in their code to compromise a large number of devices at once.
Given the risk the vulnerability poses to government business networks, the US cybersecurity agency CISA ordered all public service organizations to patch any affected systems by May 15.



