Attackers are cashing in on fresh 'CopyFail' Linux flaw

Researchers dropped a reliable root exploit and it didn’t sit idle for long

Carly Page
Tue 5 May 2026 // 15:01 UTC

CISA is warning that a newly disclosed Linux kernel bug dubbed "CopyFail" is already being exploited, just days after researchers dropped a working root-level exploit.

Tracked as CVE-2026-31431, the bug sits in the Linux kernel and gives low-level users a way to take full control of a system by modifying data they should only be able to read, effectively turning limited access into full root privileges on unpatched machines.

The issue was disclosed by cybersecurity consultancy Theori, which said the flaw was discovered by its AI-powered penetration testing platform, Xint, and reported to the Linux kernel security team on March 23. Major Linux distributions pushed out patches ahead of public disclosure, which Theori published alongside a proof-of-concept exploit.

The Python-based code works against Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, but the researchers warned that every mainstream Linux kernel built since 2017 is in scope of potential exploitation.

"Same script, four distributions, four root shells — in one take. The same exploit binary works unmodified on every Linux distribution," Theori says.

That level of reliability has not gone unnoticed. CISA, the US government's cybersecurity agency, has added the bug to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to patch within two weeks, setting a May 15 deadline.

Microsoft backed CISA's findings and said it is already seeing signs of activity following the PoC's release.

"Given the availability of a fully working exploit proof-of-concept (PoC) and the race to patch systems, Microsoft Defender is seeing preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days," the company warned.
The mechanics help explain the urgency. The attack is local and requires little access, with no user interaction, so anyone who already has a foothold on a vulnerable box can try their luck. It is the kind of bug that turns a small break-in into full control pretty quickly.

As The Register reported last week, the flaw stems from how the kernel handles certain cryptographic operations, opening a path to tamper with cached data in ways that were never meant to be user-controlled. With a reliable exploit now in the wild, that design quirk has effectively turned into a universal privilege-escalation trick.
The "CopyFail" vulnerability (CVE-2026-31431, CVSS 7.8 HIGH) is a local privilege escalation flaw in the Linux kernel that allows a low-privileged user to gain root access by modifying cached cryptographic data. Affected versions include Linux kernel versions 4.14 through 5.10.253, 5.11 through 5.15.203, 5.16 through 6.1.169, 6.2 through 6.6.136, and 6.7 through 6.12.84. The issue is fixed in kernel versions 5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, and later major version releases as specified.
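
For patch triage, the version ranges in the summary above can be checked against a host's `uname -r` string. The script below is an added example, not code from the article, Theori or any vendor; the function names and result labels are assumptions made here. Distribution kernels often carry backported fixes without changing the upstream version number, so an "in-listed-range" result means the vendor advisory or package changelog still has to be checked.

```python
import platform
import re

# Upstream affected ranges exactly as listed in the summary above
# (inclusive bounds; a bare "4.14" is treated as 4.14.0).
AFFECTED = [
    ((4, 14, 0), (5, 10, 253)),
    ((5, 11, 0), (5, 15, 203)),
    ((5, 16, 0), (6, 1, 169)),
    ((6, 2, 0), (6, 6, 136)),
    ((6, 7, 0), (6, 12, 84)),
]


def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` string, or None.

    Suffixes such as "-45-generic" or "-rt" are ignored; a missing
    patch level is read as 0.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def classify(release):
    """Classify a kernel release string against the listed ranges.

    Returns "in-listed-range", "outside-listed-ranges" or "unparseable".
    "outside-listed-ranges" only means the page does not list the version;
    it is not a statement that the kernel is patched.
    """
    ver = parse_release(release)
    if ver is None:
        return "unparseable"
    for low, high in AFFECTED:
        if low <= ver <= high:
            return "in-listed-range"
    return "outside-listed-ranges"


if __name__ == "__main__":
    running = platform.release()
    print(f"{running}: {classify(running)}")
```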