CISA orders federal agencies to patch CopyFail Linux bug by 15 May
Updated
Updated · TechCrunch · May 4
CISA orders federal agencies to patch CopyFail Linux bug by 15 May
2 articles · Updated · TechCrunch · May 4
Tracked as CVE-2026-31431, the flaw affects Linux kernel 7.0 and earlier, and CISA said it is already being exploited in the wild.
Researchers and developers said exploit code can give attackers root access on major distributions including Red Hat, Ubuntu, Amazon Linux, SUSE, Debian and Fedora, with Kubernetes also affected.
Because Linux underpins many enterprise servers and data centres, a compromise could expose applications, databases and networks, especially if CopyFail is chained with internet-facing bugs or supply-chain attacks.
This bug came from a 2017 optimization. Is our quest for faster performance making critical infrastructure fundamentally less secure?
CopyFail leaves no trace on disk. How can companies detect if they have already been compromised by this invisible threat?
AI found this flaw in one hour. How can security teams defend against AI-driven attacks that move faster than human response?
Emergency Directive on CopyFail: Critical Linux Kernel Exploit Demands Immediate Patching by May 15, 2026
Overview
The CopyFail vulnerability, introduced by a 2017 Linux kernel flaw, allows local attackers to gain root access by overwriting in-memory data of privileged binaries. Discovered in early 2026 using AI tools, it quickly led to patches from major Linux maintainers. However, active exploitation in the wild prompted CISA to add CopyFail to its Known Exploited Vulnerabilities catalog and issue a directive requiring federal agencies to patch by May 15, 2026. This flaw poses serious risks to cloud and container environments, enabling container breakouts and widespread compromise. Patching demands disruptive system reboots, creating operational challenges and driving reliance on interim mitigations while defenders race to secure vulnerable systems.