
CISA says CopyFail (CVE-2026-31431) is being exploited in the wild and threatens servers and data centers running affected Linux kernels.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that CopyFail, tracked as CVE-2026-31431, is being actively exploited in the wild following publication of working exploit code. The flaw was disclosed to the Linux kernel security team in late March and patched upstream roughly a week later, but the agency’s advisory stresses immediate risk to unpatched systems. CopyFail affects Linux kernel version 7.0 and earlier. The vulnerability stems from a kernel component that fails to copy certain data when required, corrupting sensitive kernel memory. That memory corruption can allow a non-privileged local user to escalate to full root privileges.
Security firm Theori, which discovered the defect, verified exploitability on Red Hat Enterprise Linux 10.1, Ubuntu 24.04 LTS, Amazon Linux 2023 and SUSE 16. A short public Python script accompanying the disclosure claims it can “root every Linux distribution shipped since 2017.” Researchers and operators report a broad blast radius. DevOps engineer Jorijn Schrijvershof confirmed the exploit works against Debian and Fedora builds and warned that Kubernetes nodes are susceptible because container orchestration relies on the underlying Linux kernel, increasing the potential impact across cloud and on-premises data centers.
CopyFail cannot be exploited remotely by itself, but Microsoft and other analysts caution that it can be weaponized when chained with a separate remote vulnerability that provides initial access. Attack vectors include tricking a user into opening a malicious link or attachment that runs local code, and supply-chain compromises that insert the exploit into widely distributed packages or images.
Although upstream patches were released quickly, not all downstream distributions, vendor images and cloud providers have absorbed the fixes, leaving many systems exposed. CISA ordered U.S. civilian federal agencies to patch affected systems by May 15. For enterprises and cloud operators, the immediate risk is that a rooted server could expose applications, databases and other tenants sharing the same infrastructure or network.
CISA and Theori advise operators to prioritize kernel updates for systems running kernels at or below 7.0 and for the distributions Theori verified, update Kubernetes nodes and container images, and follow vendor advisories as they arrive. Where rapid patching is not immediately possible, recommended mitigations include reducing the local attack surface, tightening network segmentation, disabling unnecessary local privileges and monitoring for indicators of compromise while vendors roll out fixed images and packages.
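The first step in the triage the advisory calls for is finding which hosts run a kernel at or below 7.0. The script below is an added example, not code from CISA, Theori or the article: it parses kernel release strings in the form `uname -r` reports them, compares only the major.minor part against the 7.0 threshold the advisory states, and flags matches for vendor-advisory follow-up (the article gives no exact fixed version, so a hit is not a confirmation of vulnerability). Host names and kernel strings in the inventory are constructed for the example.

```shell
#!/bin/sh
# Constructed example: triage kernel release strings (as reported by `uname -r`)
# against the CopyFail advisory threshold of "kernel 7.0 and earlier".
# The advisory gives no exact fixed version, so "in-scope" means "check the
# vendor advisory for this host", not "confirmed vulnerable".

# copyfail_kernel_in_scope RELEASE
# Prints "in-scope" and returns 0 when major.minor <= 7.0; prints
# "out-of-scope" and returns 1 otherwise; prints "unparseable" and returns 2
# when the string carries no leading major.minor. Patch level and distro
# suffixes such as "-generic" or "-rc2" are ignored on purpose.
copyfail_kernel_in_scope() {
    rel=$1
    # Keep only the leading "major.minor" from e.g. "6.8.0-45-generic".
    ver=$(printf '%s\n' "$rel" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p')
    if [ -z "$ver" ]; then
        printf 'unparseable\n'
        return 2
    fi
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -lt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -eq 0 ]; }; then
        printf 'in-scope\n'
        return 0
    fi
    printf 'out-of-scope\n'
    return 1
}

# copyfail_triage reads "host kernel-release" lines on stdin (one per host,
# as gathered from `uname -r` across a fleet) and appends the verdict.
copyfail_triage() {
    while read -r host rel; do
        [ -z "$host" ] && continue
        printf '%s %s %s\n' "$host" "$rel" "$(copyfail_kernel_in_scope "$rel")"
    done
}

# Constructed inventory for the example run.
copyfail_triage <<'EOF'
web01 6.8.0-45-generic
k8s-node-03 7.0.0-rc2
build07 7.1.3-arch1-1
legacy02 5.10.0-28-amd64
EOF
```

Feed the output into the patch queue in "in-scope" order and close each entry against the distribution's own advisory once a fixed package or image is confirmed.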