The US government is warning of a serious CopyFail vulnerability affecting major versions of Linux

A major security vulnerability that affects almost every version of the Linux operating system has left defenders scrambling to block it after security researchers publicly released code that allows attackers to take control of vulnerable systems.

The US government has said the error, called “CopyFail,” has now been released being exploitedmeaning it is being used more frequently in malicious campaigns.

bugs, officially tracked as CVE-2026-31431 and found in Linux kernel versions 7.0 and earlier, were disclosed to the Linux kernel security team in late March, and replaced about a week later. But the patches haven’t yet landed on most Linux distributions that rely on the vulnerable kernel, leaving any machine running Linux vulnerable to compromise.

Linux is widely used in businesses, running the computers that operate many of the world’s datacenters.

The CopyFail website says the Python script “starts on every Linux distribution shipped since 2017.” According to security firm Theory, which found CopyFailthe vulnerability was confirmed in several popular Linux versions including Red Hat Enterprise Linux 10.1, Ubuntu 24.04 (LTS), Amazon Linux 2023, and SUSE 16.

Devops engineer and developer Jorijn Schrijvershof wrote in a blog post that the application works on Debian and Fedora versions, as well as Kubernetes, which relies on the Linux kernel. Schrijvershof described the virus as having an “incredibly explosive environment” as it runs on “almost modern distributions” of Linux.

This problem is called CopyFail because it affects Linux kernelin the middle of the operating system that has access to the entire device, it does not take other data when needed. This destroys the secret information inside the kernel, which allows the attacker to regain kernel access to the entire system, including its data.

When exploited, the flaw is particularly critical as it allows a regular, limited user to gain administrative access to the affected Linux system. Server vulnerabilities in a datacenter can allow an attacker to gain access to the entire network, server, and database of many corporate clients, and gain access to other machines on the same network or datacenter.

CopyFail can’t be used online on its own, but it can be useful when used in conjunction with an online application. At Microsoftif the CopyFail bug is bundled together with another vulnerability that can be delivered to the Internet, an attacker can use the bug to gain root access to the affected server. A user of a Linux computer with a vulnerable kernel can be tricked into opening a malicious link or attachment that causes the vulnerability.

The vulnerability can also be injected with hacking techniques, where attackers log into an open source developer’s account and inject malware into their code to infect multiple devices at once.

Because of the threat to federal businesses, the US cybersecurity agency CISA has he ordered all government agencies to repair any affected equipment by May 15.