Threat Alert – exploiting Copy Fail in Linux systems

A serious security vulnerability has been publicly disclosed affecting the Linux operating system that powers a significant proportion of the world's servers, cloud infrastructure, and business systems.

Known as "Copy Fail" (aka CVE-2026-31431), the vulnerability has existed undetected in Linux since 2017. A working patch that fixes the issue has already been released, and we urge everyone to install it, because the exploit is publicly available to anyone, making prompt action essential. As such, this alert is relevant to any user or organisation that runs Linux or Unix-based systems.

What’s happened?

The vulnerability, discovered by security researchers in the Linux operating system kernel, allows anyone who already has basic, low-privilege (non-root) access to a Linux system to instantly elevate themselves to full administrative control, known as root access.

In practical terms, this means that any attacker who gains even a foothold in your Linux environment (via a compromised user account, a vulnerability in a web application, or a misconfigured service) can immediately take complete control of that system. No additional steps or complex techniques are required.

Why is this a concern?

Vulnerabilities like this normally require an attacker to exploit a race condition (essentially winning a split-second timing game), which makes them unreliable and raises the possibility of detection. Copy Fail is different because it works every single time, with no special timing or skill required.

Adding to the challenge is the fact that any attempt to exploit the vulnerability, successful or otherwise, leaves no trace behind. Traditional security tools that monitor for changes to system files will not raise an alert, because the attack only modifies files in the system's memory, not on the hard drive. Logs and file integrity checks also won’t show anything unusual, making the initial intrusion incredibly difficult to detect.

This vulnerability also crosses container boundaries, meaning that in modern cloud and virtualised environments, an attacker who compromises one container or virtual workload could potentially use this virtual foothold to break out and take control of the underlying host system. That could lead to any number of damaging consequences, including the loss of sensitive data, confidential information being leaked, and losing control of your entire network. Simply put, leaving this vulnerability exposed is a huge risk to any organisation using Linux-based systems.

Who is affected?

Any organisation running Linux servers or Unix-based infrastructure that has not applied recent security patches should consider itself potentially at risk. This includes:

  • On-premises Linux servers (web servers, file servers, database servers)

  • Cloud-hosted Linux instances (AWS, Azure, Google Cloud)

  • Containerised environments and Kubernetes clusters

  • Any Linux-based appliance or system that receives operating system updates

The vulnerability affects all major Linux distributions including Ubuntu, Red Hat Enterprise Linux, Amazon Linux, and SUSE, across systems deployed since 2017.

What should you do?

1. Update your systems

Thankfully, a fix has already been publicly released. It’s a small script that runs in seconds and has been confirmed to work on all major Linux distributions. The fix has been released by all major Linux vendors, so the most important thing is to ensure any Linux systems are updated to the latest kernel version and rebooted.

If you have a managed service provider or internal IT team responsible for your Linux infrastructure, contact them today and ask them to confirm that CVE-2026-31431 has been patched across your environment.

If you can’t patch immediately, there is a temporary measure that can be applied without rebooting your systems that removes the vulnerable component responsible for this exploit. This is a stop-gap and does not replace patching, but it significantly reduces your immediate risk. Your IT team or managed service provider can implement this quickly, and we would advise contacting them immediately.
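For IT teams confirming the first step (kernel updated and the new kernel actually booted), the following helper is an added example written for this alert; it is not PureCyber's script and not a vendor tool. It assumes GNU sort (for version-aware comparison), that installed kernels appear as /boot/vmlinuz-<version>, and that the distribution records CVE identifiers in its kernel package changelog (rpm -q --changelog on Red Hat, Amazon Linux and SUSE, where the package name may differ; /usr/share/doc/linux-image-<version>/changelog.Debian.gz on Debian and Ubuntu). The absence of the CVE id in a changelog is inconclusive, so treat the vendor advisory as the authority.

```shell
#!/bin/sh
# Added example (not PureCyber's or any vendor's script): report whether the
# host is booted into its newest installed kernel and whether the kernel
# package changelog mentions the Copy Fail CVE.
# Assumptions: GNU sort -V; kernels in /boot/vmlinuz-<version>; changelog
# locations as described in the lead-in (package name "kernel" for rpm).

CVE_ID="CVE-2026-31431"

# kernel_cmp A B: print "older", "same" or "newer" describing A relative to B.
# Version-aware sorting ranks 5.15.0-100 above 5.15.0-99 (plain sort would not).
kernel_cmp() {
  if [ "$1" = "$2" ]; then
    echo same
    return 0
  fi
  lowest="$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)"
  if [ "$lowest" = "$1" ]; then
    echo older
  else
    echo newer
  fi
}

# reboot_pending RUNNING NEWEST: succeed when a newer kernel is installed than
# the one currently booted, i.e. the update has not taken effect yet.
reboot_pending() {
  [ "$(kernel_cmp "$1" "$2")" = older ]
}

# newest_installed_kernel: highest kernel version present in /boot (empty if none).
newest_installed_kernel() {
  ls /boot/vmlinuz-* 2>/dev/null | sed 's|.*/vmlinuz-||' | sort -V | tail -n 1
}

# cve_in_changelog: succeed if the installed kernel package changelog names the CVE.
cve_in_changelog() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --changelog kernel 2>/dev/null | grep -q "$CVE_ID"
  elif [ -f "/usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz" ]; then
    zcat "/usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz" | grep -q "$CVE_ID"
  else
    return 1
  fi
}

# report: print the findings for this host.
report() {
  running="$(uname -r)"
  newest="$(newest_installed_kernel)"
  echo "running kernel:   $running"
  echo "newest installed: ${newest:-unknown}"
  if [ -n "$newest" ] && reboot_pending "$running" "$newest"; then
    echo "STATUS: newer kernel installed but not booted - reboot required"
  fi
  if cve_in_changelog; then
    echo "STATUS: $CVE_ID listed in the kernel package changelog"
  else
    echo "STATUS: $CVE_ID not found in a changelog - confirm against the vendor advisory"
  fi
  return 0
}

report
```

Run it as root on each host (or via your configuration management tool) and keep the output as evidence that the patch has been applied and the system rebooted; a host that reports a pending reboot is still running the vulnerable kernel regardless of what the package manager says.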

2. Review your access controls

While applying the patch is the primary fix, this is also a good moment to review who has access to your Linux systems. As the exploit requires an attacker to already have some level of access, the next steps should be:

  • ensuring that access is limited to those who genuinely need it,

  • confirming user accounts use strong authentication and follow best security practices for passwords,

  • and disabling all unused accounts.

These steps will all reduce the opportunity for this vulnerability to be exploited.
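To make the access review concrete, the following audit helper is an added example for this alert, not PureCyber's tooling. It reads records in /etc/passwd and /etc/shadow format and lists the accounts that can still obtain a shell and still have a usable password, which is the set an attacker with "some level of access" would need to be holding. The sample records embedded in it are constructed for illustration; on a real host point it at /etc/passwd and /etc/shadow (reading the latter requires root).

```shell
#!/bin/sh
# Added example (not PureCyber's script): list accounts that are both
# interactive (login shell is not nologin/false) and unlocked (shadow password
# field is not "!"/"*"-locked and not empty), so unused ones can be disabled.

# Constructed sample data, written to a temporary directory so the script
# runs stand-alone. Replace with /etc/passwd and /etc/shadow on a real host.
SAMPLE_DIR="$(mktemp -d)"
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob (left in 2023):/home/bob:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1002:1002:Deploy:/home/deploy:/bin/sh
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholderhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$placeholderhash:19700:0:99999:7:::
bob:!$6$placeholderhash:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
deploy::19700:0:99999:7:::
EOF

# interactive_accounts: passwd lines on stdin -> usernames with a real login shell.
interactive_accounts() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# unlocked_accounts: shadow lines on stdin -> usernames whose password field is
# set and not locked with a leading "!" or "*".
unlocked_accounts() {
  awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }'
}

# passwordless_accounts: shadow lines on stdin -> usernames with an empty
# password field (no password at all, which should never be left in place).
passwordless_accounts() {
  awk -F: '$2 == "" { print $1 }'
}

# review PASSWD_FILE SHADOW_FILE: usernames that are interactive AND unlocked.
# The first pass (NR==FNR) collects interactive users from the passwd file,
# the second pass filters the shadow file against that set.
review() {
  awk -F: 'NR == FNR { if ($7 !~ /(nologin|false)$/) ok[$1] = 1; next }
           ($1 in ok) && $2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1" "$2"
}

echo "accounts that can log in with a password (confirm each is still needed):"
review "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
echo "accounts with no password set at all:"
passwordless_accounts < "$SAMPLE_SHADOW"
```

In the sample, bob is already locked and daemon and www-data have no shell, so only root and alice appear; deploy is flagged separately because an empty password field is a misconfiguration rather than a locked account. Accounts that appear but are no longer needed can be locked with passwd -l or given a nologin shell, and key-based logins should be reviewed in the same pass, since the shadow file says nothing about authorized SSH keys.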

Summary - a swift response can avoid disaster

While it’s taken nine years to discover this vulnerability, examples like Copy Fail are a reminder that no operating system is impregnable, and that the window between a public disclosure and active exploitation by attackers is shrinking. With a working exploit already publicly available, we expect attempts to use this in the wild imminently.

The good news is that a fix is available, straightforward to apply, and highly effective. The key to managing this threat, as ever, is a speedy response.

PureCyber is here to help

If you have questions about your exposure or would like support assessing and patching your Linux estate, or are an existing PureCyber client, please get in touch with us today or reach out to your account manager.
