
CISA orders agencies to patch CopyFail Linux kernel flaw

Exploit code enables root access across major distributions, patch availability collides with slow reboot culture

Zack Whittaker, techcrunch.com

US agencies were told to patch Linux systems by May 15 after a kernel flaw dubbed CopyFail began showing up in active attacks, according to TechCrunch. The vulnerability, tracked as CVE-2026-31431, allows a local user to escalate privileges to full root control on affected machines, and exploit code has been published.

CopyFail’s reach is what makes it operationally expensive. TechCrunch reports the bug affects Linux kernel versions 7.0 and earlier, and researchers say it has been verified across mainstream enterprise and cloud distributions, including Red Hat Enterprise Linux, Ubuntu LTS, Amazon Linux and SUSE, with additional reports covering Debian, Fedora and Kubernetes environments. A patch was issued about a week after the kernel security team was notified in late March, but the article notes that fixes have not fully propagated through the distribution supply chain—kernel updates need to be packaged, tested, released, and then actually installed by operators who often delay reboots.

CISA’s order forces one corner of that ecosystem to move on a deadline, but most Linux machines are not federal desktops. They sit in data centres and cloud fleets where uptime targets and change-control procedures decide when a kernel can be swapped out. Theori, the security firm credited with discovering the flaw, is quoted describing an unusually large blast radius; that translates into a familiar scramble where defenders must first inventory which kernels they are running before they can even schedule maintenance.
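The inventory step the article describes, and the "patch installed but never rebooted" gap from the previous paragraph, come down to one comparison per host. The script below is an added example, not code from the article, TechCrunch or Theori: given each host's running kernel and its installed kernel packages (in practice collected with `uname -r` and `rpm -q kernel` or `dpkg -l 'linux-image-*'`), it compares both against the version your distribution's advisory names as fixed and sorts hosts into "ok", "reboot-pending" (fix installed, old kernel still running) and "needs-update" (fix not installed). `FIXED_VERSION`, the host names and every version number are constructed placeholders; nothing here encodes which build fixes CVE-2026-31431.

```shell
#!/bin/sh
# Added example (not from the article): compare each host's running kernel with
# its installed kernel packages and with the fixed version from the vendor
# advisory, to separate "fix installed, reboot pending" from "fix not installed".
# All host names and version numbers in this file are constructed placeholders.

# vercmp A B: print -1, 0 or 1 comparing dotted/dashed version strings numerically
# ("6.8.0-47" > "6.8.0-45"). Non-numeric suffixes such as "-generic" are ignored.
vercmp() {
    # keep digits, turn every other run of characters into a single '.',
    # and append a '.' so cut always sees at least one delimiter
    vc_a="$(printf '%s\n' "$1" | tr -cs '0-9\n' '.')."
    vc_b="$(printf '%s\n' "$2" | tr -cs '0-9\n' '.')."
    vc_i=1
    while :; do
        vc_x=$(printf '%s\n' "$vc_a" | cut -d. -f"$vc_i")
        vc_y=$(printf '%s\n' "$vc_b" | cut -d. -f"$vc_i")
        if [ -z "$vc_x" ] && [ -z "$vc_y" ]; then
            printf '%s\n' 0      # ran out of components on both sides: equal
            return 0
        fi
        vc_x=${vc_x:-0}          # a missing component counts as 0 (6.8 == 6.8.0)
        vc_y=${vc_y:-0}
        if [ "$vc_x" -lt "$vc_y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$vc_x" -gt "$vc_y" ]; then printf '%s\n' 1; return 0; fi
        vc_i=$((vc_i + 1))
    done
}

# newest_installed "v1,v2,...": print the highest version in a comma-separated list
newest_installed() {
    ni_best=
    for ni_v in $(printf '%s\n' "$1" | tr ',' ' '); do
        if [ -z "$ni_best" ] || [ "$(vercmp "$ni_v" "$ni_best")" -gt 0 ]; then
            ni_best=$ni_v
        fi
    done
    printf '%s\n' "$ni_best"
}

# check_host RUNNING INSTALLED_CSV FIXED -> ok | reboot-pending | needs-update
check_host() {
    ch_newest=$(newest_installed "$2")
    if [ "$(vercmp "$1" "$3")" -ge 0 ]; then
        printf '%s\n' ok                 # fixed kernel is the one running
    elif [ "$(vercmp "$ch_newest" "$3")" -ge 0 ]; then
        printf '%s\n' reboot-pending     # fixed package installed, old kernel still running
    else
        printf '%s\n' needs-update       # no fixed package on the box at all
    fi
}

# Constructed sample inventory, one host per line:
#   host  running_kernel  installed_kernel_packages(comma-separated)
SAMPLE_INVENTORY='web01 6.8.0-45 6.8.0-45,6.8.0-47
db02 6.8.0-47 6.8.0-47
build03 6.8.0-40 6.8.0-40'

# report FIXED: print "host status" for every inventory line
report() {
    rp_fixed=$1
    printf '%s\n' "$SAMPLE_INVENTORY" | while read -r rp_host rp_running rp_installed; do
        printf '%s %s\n' "$rp_host" "$(check_host "$rp_running" "$rp_installed" "$rp_fixed")"
    done
}

# count_status FIXED STATUS: number of inventory hosts in the given state
count_status() {
    report "$1" | grep -c " $2\$" || true
}

# FIXED_VERSION is a placeholder: take the real value from your distribution's advisory.
FIXED_VERSION=6.8.0-47
report "$FIXED_VERSION"
```

The useful output is the split between the two failing states: "reboot-pending" hosts need a maintenance window but no further package work, while "needs-update" hosts are still waiting on the distribution supply chain or on an operator who has not pulled the update. The comparison is purely numeric, so two builds that differ only in a flavour suffix compare equal; if your fleet mixes flavours, carry the package name alongside the version.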

The bug is not, by itself, a remote break-in. TechCrunch says CopyFail cannot be exploited “over the internet” on its own, but becomes dangerous when chained with another vulnerability that provides initial access—an exposed service, a stolen credential, a poisoned update, or a user tricked into running something. Microsoft is cited warning that such chaining can turn an internet-delivered foothold into full system control. In practice, this is what turns a single compromised account on a shared host into a platform-wide incident: once root is obtained, attackers can pivot to applications, databases and adjacent systems on the same network.

Linux’s dominance in servers means a kernel privilege-escalation bug is rarely confined to one vendor’s customers. Cloud providers, SaaS firms and enterprises often depend on the same upstream code, the same maintainers, and sometimes the same small set of people with commit rights. When exploit code is public and CISA says the vulnerability is already being exploited, the cost of “waiting for the next regular patch window” becomes a business decision, not a technical one.

The patch exists, and the deadline is written down. Whether it reaches every production kernel before attackers do will depend on who is willing to take the downtime.