
Nearly every Linux system built since 2017 vulnerable to ‘Copy Fail’ flaw

Security researchers and European cybersecurity officials are urging administrators to address the risk posed by a newly discovered security flaw that has been hiding in the Linux operating system for nearly a decade.

The bug allows anyone with a basic account on an affected computer to seize full administrative control. It also works as an escape route from cloud containers, meaning a compromised application running inside a supposedly isolated environment can break out and take control of the entire host server — a major risk given the cloud industry’s dependence on Linux distributions.

Patches and mitigations began reaching users Thursday, though some systems remain unprotected. An interim workaround circulating online does not function correctly on all distributions.

The flaw, dubbed “Copy Fail,” was publicly disclosed this week by researchers at cybersecurity firm Theori, which said it found the bug using an AI-powered scanning tool called Xint Code.

The vulnerability is being tracked as CVE-2026-31431 and has been assigned a CVSS base score of 7.8. It affects every major Linux distribution released since 2017, including Ubuntu, Red Hat Enterprise Linux, Amazon Linux and SUSE, the systems running the majority of the world's servers and cloud infrastructure.

The EU's cybersecurity body, CERT-EU, issued a formal advisory on Thursday warning about the risk posed by the bug and urged administrators to apply the kernel update as soon as patches are available.

Theori said the flaw resulted from three separate, individually unremarkable changes to the Linux kernel made in 2011, 2015 and 2017. No one recognized the danger created by their combination for nearly a decade.

The attack works by quietly tampering with the temporary copy of a file the system holds in memory while it is in use, without ever touching the original file on disk. As standard security tools check files on disk rather than in memory, they see nothing wrong. An attacker can exploit that gap to rewrite the rules of a trusted system program and take over the machine.

CERT-EU noted that while a fix had been committed to the underlying Linux codebase on April 1 — after Theori reported the issue on March 23 — no major distribution had yet delivered it to end users as of its advisory.

The U.S. Cybersecurity and Infrastructure Security Agency has not yet added the flaw to its known exploited vulnerabilities catalog, indicating it has not been observed in active attacks.

Alexander Martin

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79