US government warns of active exploitation involving major Linux security flaw
Security firm Theori discovered the CopyFail bug, which has affected Linux kernels since 2017
A severe security vulnerability, dubbed "CopyFail," has left global defenders scrambling after researchers released exploit code allowing attackers to take total control of affected systems.
Tracked officially as CVE-2026-31431, the bug impacts Linux kernel versions 7.0 and earlier. The U.S. government has confirmed the flaw is "now being exploited in the wild," signalling its active use in malicious hacking campaigns.
The vulnerability was discovered by security firm Theori, which noted the exploit "roots every Linux distribution shipped since 2017." Verified versions include Red Hat Enterprise Linux 10.1, Ubuntu 24.04, and Amazon Linux 2023.
DevOps engineer Jorijn Schrijvershof warned that the bug has an "unusually big blast radius" because it affects almost every modern distribution as well as Kubernetes environments.
The name "CopyFail" stems from a kernel component failing to copy specific data, allowing attackers to "piggyback the kernel’s access" to reach sensitive databases and applications.
While the bug cannot be exploited over the internet in isolation, Microsoft warns it can be weaponised if "chained together with another vulnerability."
This poses a massive risk to data centres where a single compromise could expose numerous corporate customers. Consequently, CISA has ordered all civilian federal agencies to patch affected systems by May 15.
This crisis highlights the ongoing challenges of securing open-source infrastructure; despite a kernel patch being released in late March, many distributions have yet to fully implement the fix. Theori continues to monitor supply chain risks associated with the flaw.
