U.S. government warns of severe CopyFail bug affecting major versions of Linux
Zack Whittaker
3:21 PM PDT · May 4, 2026

A severe security vulnerability affecting almost every version of the Linux operating system has caught defenders off-guard and scrambling to patch after security researchers publicly released exploit code that allows attackers to take complete control of vulnerable systems.

The U.S. government says the bug, dubbed “CopyFail,” is now being exploited in the wild, meaning it’s being actively used in malicious hacking campaigns.

The bug, officially tracked as CVE-2026-31431 and discovered in Linux kernel versions 7.0 and earlier, was disclosed to the Linux kernel security team in late March, and patched after about a week. But the patches have yet to fully trickle down to the many Linux distributions that rely on the vulnerable kernel, leaving any system running an affected Linux version at risk of compromise.

Linux is widely used in enterprise settings, running the computers that operate much of the world’s datacenters.

The CopyFail website says that the same short Python script “roots every Linux distribution shipped since 2017.” According to security firm Theori, which discovered CopyFail, the vulnerability was verified in several widely used versions of Linux including Red Hat Enterprise Linux 10.1, Ubuntu 24.04 (LTS), Amazon Linux 2023, as well as SUSE 16.

DevOps engineer and developer Jorijn Schrijvershof wrote in a blog post that the exploit works on Debian and Fedora versions, as well as Kubernetes, which relies on the Linux kernel.
Schrijvershof described the bug as having an “unusually big blast radius” as it works on “nearly every modern distribution” of Linux.

The bug is called CopyFail because the affected component in the Linux kernel, the core of the operating system that has virtually complete access to the entire device, does not copy certain data when it should. This corrupts sensitive data within the kernel, allowing the attacker to piggyback the kernel’s access to the rest of the system, including its data.

If exploited, the bug is particularly problematic because it allows a regular, limited-access user to gain full-administrator access on an affected Linux system. A successful compromise of a server in a datacenter could allow an attacker to gain access to every application, server, and database of numerous corporate customers, and potentially gain access to other systems on the same network or datacenter.

The CopyFail bug cannot be exploited over the internet on its own, but can be weaponized if used in conjunction with an exploit that works over the internet.

Per Microsoft, if the CopyFail bug is chained together with another vulnerability that can be delivered over the internet, an attacker could use the flaw to gain root access to an affected server. A user operating a Linux computer with a vulnerable kernel could also be tricked into opening a malicious link or attachment that triggers the vulnerability.

The bug could also be injected by way of supply chain attacks, in which malicious actors hack into an open source developer’s account and plant the malware in their code in order to compromise a large number of devices in one go.

Given the risk to the federal enterprise network, U.S. cybersecurity agency CISA has ordered all civilian federal agencies to patch any affected systems by May 15.
Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security.



