
U.S. Orders Rapid Patching After Widespread Linux Kernel Flaw Lets Users Gain Root

  • Andrej Botka
  • 5 hours ago
  • 2 min read

Federal agencies have been told to patch machines within days after researchers disclosed a serious Linux kernel vulnerability that attackers are already using to seize full control of affected systems.


Security teams flagged a flaw tracked as CVE-2026-31431 and nicknamed “CopyFail” that allows an ordinary account on a vulnerable machine to elevate its privileges to full administrative rights. The U.S. Cybersecurity and Infrastructure Security Agency directed civilian agencies to install fixes by May 15, saying the bug has moved from proof-of-concept into active exploitation. Officials warn that organizations which haven’t updated their kernels are at immediate risk.


Researchers reported the defect to kernel maintainers in late March and a corrective update arrived roughly a week later, but that patch has not reached all distributions. CopyFail affects Linux kernel series 7.0 and earlier; because many commercial and community releases still ship those kernels, they remain exposed. Security firm Theori, which disclosed the issue publicly, confirmed the vulnerability against a number of mainstream releases, and the CopyFail project claims a compact script can gain root on releases distributed since 2017.


The flaw stems from a kernel routine that fails to copy data it should, corrupting privileged memory and opening a path for escalation. That makes the bug particularly dangerous: an attacker with limited access on a server — a container user, a low-privilege process or a misconfigured service account — can potentially break out and control the host. The researchers who analyzed the code found the problem also affects container orchestration platforms that depend on the kernel, increasing the potential reach.


CopyFail cannot, on its own, be triggered remotely across the open internet. But security teams stress that when it is chained to a remotely reachable vulnerability, or delivered through a manipulated package or a malicious email attachment, it becomes a straightforward route to takeover. Experts also point to supply chain attacks as a realistic vector: if an attacker can compromise a build or developer account, they can distribute code that leverages CopyFail to compromise wide swaths of infrastructure.


IT leaders are being urged to prioritize kernel updates, verify that distribution vendors have pushed the fixes, and apply compensating controls where patches can't be installed immediately. One independent security engineer said organizations should assume at least some hosts are vulnerable until proven otherwise and recommended isolating critical services, rotating credentials, and monitoring for signs of privilege escalation. For many administrators, the immediate task is simple but urgent: confirm kernel versions and deploy vendor-supplied updates without delay.
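The "confirm kernel versions" step above is easy to do by hand on one box and easy to get wrong across a fleet. The following POSIX shell script is an added example, not code from the article, from Theori or from the CopyFail project. It takes the only version boundary the article gives (kernel series 7.0 and earlier) and triages an inventory of "hostname kernel-version" lines into hosts that are in that range and need checking against the vendor advisory, hosts that are newer, and entries that could not be parsed. The article does not name a patched build, so the script deliberately stops at "potentially affected" rather than declaring any host safe; the inventory lines and the file name are constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the article or the CopyFail project.
# Triage kernel versions against the range the article gives for CopyFail
# (CVE-2026-31431): "Linux kernel series 7.0 and earlier". The article names
# no fixed build, so hosts in range are reported as POTENTIALLY-AFFECTED and
# must be confirmed against the distribution vendor's advisory (assumption:
# the vendor's patched build number is what finally decides).

AFFECTED_MAX_MAJOR=7   # from the article: "kernel series 7.0 and earlier"
AFFECTED_MAX_MINOR=0

# kernel_in_affected_range VERSION
#   Returns 0 when major.minor of VERSION is <= 7.0, 1 when it is newer,
#   2 when VERSION cannot be parsed. Distribution suffixes such as
#   "-45-generic" or "-rc2" are stripped before comparing.
kernel_in_affected_range() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # "6.8.0-45-generic" -> "6.8.0"
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then
        minor=0                      # bare "7" has no minor component
    else
        minor=${rest%%.*}
    fi
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $minor in ''|*[!0-9]*) minor=0 ;; esac
    if [ "$major" -lt "$AFFECTED_MAX_MAJOR" ]; then
        return 0
    fi
    if [ "$major" -eq "$AFFECTED_MAX_MAJOR" ] && [ "$minor" -le "$AFFECTED_MAX_MINOR" ]; then
        return 0
    fi
    return 1
}

# triage_inventory
#   Reads "hostname kernel-version" lines on stdin (blank lines and lines
#   starting with # are skipped) and prints one verdict per host.
#   Returns 1 if at least one host is potentially affected, 0 otherwise.
triage_inventory() {
    found=0
    while read -r host kver; do
        [ -z "$host" ] && continue
        case $host in \#*) continue ;; esac
        kernel_in_affected_range "$kver" && rc=0 || rc=$?
        case $rc in
            0) printf 'POTENTIALLY-AFFECTED %s %s (in 7.0-and-earlier range; confirm vendor patch level)\n' "$host" "$kver"
               found=1 ;;
            1) printf 'OUT-OF-RANGE %s %s\n' "$host" "$kver" ;;
            *) printf 'UNPARSEABLE %s %s\n' "$host" "$kver" ;;
        esac
    done
    return $found
}

# Run as `sh copyfail_kernel_check.sh --check` (hypothetical file name) to
# triage only the local host; with no arguments the file just defines the
# functions so it can be sourced and fed an inventory on stdin.
if [ "${1:-}" = "--check" ]; then
    printf '%s %s\n' "$(uname -n)" "$(uname -r)" | triage_inventory
fi
```

Feeding it a gathered inventory (for example the output of running `uname -r` on each host over your existing management channel) gives a list that can be diffed day to day as vendor updates land; the non-zero exit status makes it usable as a gate in a scheduled job.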



© 2035 by The StartupsCentral. 
