
Update Linux Now As 9-Year-Old Root Hack Confirmed, CISA Warns Users


With more than 27 million active users and powering 75% of all web-facing servers, it’s surprising that we don’t hear more about Linux security issues. Which isn’t to say they don’t occur, but media headlines tend to focus more on Windows users than on Linux users. However, when a nine-year-old security vulnerability that can grant an attacker root access in just 732 bytes of code is confirmed, impacting “every major Linux distribution,” according to the researchers who uncovered it, you’d better start paying attention. The U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability, known colloquially as Copy Fail, to its Known Exploited Vulnerabilities catalog within just 24 hours of the official disclosure. Here’s what you need to know, and more importantly, what you need to do as a matter of some urgency.


Linux Copy Fail Vulnerability—What You Need To Know About CVE-2026-31431

CISA, which refers to itself as being America’s Cyber Defense Agency, didn’t hang around to add the Copy Fail vulnerability to its KEV database of vulnerabilities that are known to have been exploited. Indeed, the bug, more formally having a Common Vulnerabilities and Exposures designation of CVE-2026-31431, was added after just a day. This in itself is unusual, and while CISA has not shared details of the exploitation of the Copy Fail vulnerability, you can take it as read that it would not have been added to the KEV Catalog otherwise. CISA has only stated that the decision was made “based on evidence of active exploitation.” CISA went on to warn that “this type of vulnerability is a frequent attack vector for malicious cyber actors,” and as such strongly urged all users to “reduce their exposure to cyberattacks by prioritizing timely remediation.”

So, what do we know about Copy Fail? Security researchers from Theori, who discovered and responsibly disclosed the vulnerability, described it as being “a logic bug in the Linux kernel’s authencesn cryptographic template” that can enable an unprivileged local user to “trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system.” Or, in plain English, a successful attacker can obtain root on most Linux distributions shipped since 2017.


“While the technical details are still evolving,” David Brumley, the chief AI and science officer at Bugcrowd, said, “the issue underscores a broader and more urgent concern: even routine, low-level system functions can introduce critical security weaknesses when not handled correctly at scale.” Brumley added that this kind of vulnerability “tends to sell on the broker market for the price of a house.” So let’s be grateful to Theori for doing the decent thing here.

Jason Soroko, senior fellow at Sectigo, told me that anyone running Linux kernels older than 2017 remains immune “because they predate the specific memory optimization commit that introduced the flaw.” However, Soroko warned that the CVE-2026-31431 exploit “is perfectly reliable and remains completely invisible to traditional endpoint detection systems.” The good news is that threat actors must already have some level of unprivileged code execution on the target machine, but Soroko said that isn’t difficult to obtain, since they could use a separate web application vulnerability or a compromised user account. As such, updating now is the only mitigation option. While all users really should ensure that their Linux distribution has been updated, and check with the vendor as soon as possible for details, Noelle Murata, chief operating officer at Xcape, Inc, said that priority should be given to public-facing Linux servers and developer workstations, “as these are the primary targets for the initial access required to trigger this exploit.”

This article was originally published on Forbes.com
