
A serious security flaw in the Linux kernel — one that had been hiding undetected for nine years — is now being actively exploited by attackers. The vulnerability, CVE-2026-31431 (nicknamed “Copy Fail”), allows any user already logged into a Linux system to quietly escalate their access to full root (administrator) level using a small script. CISA added it to its Known Exploited Vulnerabilities catalog, requiring US federal agencies to patch by May 15, 2026.
The flaw is particularly dangerous in containerized environments. Systems running Docker, Kubernetes, or LXC containers grant processes the access needed to trigger this bug by default — meaning an attacker who breaks into one container can potentially take over the entire host server. The vulnerability affects nearly every Linux distribution released since 2017 and is fixed in kernel versions 6.18.22, 6.19.12, and 7.0 and newer.
How to check if you’re affected
Any Linux system running kernel versions older than 6.18.22 or 6.19.12 is potentially vulnerable to CVE-2026-31431:
- Check your kernel version: Run `uname -r` in a terminal. If the version number is lower than 6.18.22 or 6.19.12, update immediately.
- Update your Linux system: On Debian/Ubuntu, run `sudo apt update && sudo apt upgrade`; on RHEL/CentOS/Fedora, run `sudo dnf update kernel`. Reboot after updating.
- Prioritize container hosts: If you run Docker, Kubernetes (K8s), or LXC on these older kernel versions, treat this as your highest-priority patch — the risk is elevated by default container settings.
- Limit logins until patched: Restrict the number of user accounts that can log in to affected systems to reduce exposure.
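
The version check above can be scripted for a fleet. The following is an added example, not code from the article or from any vendor; `copyfail_status` is a hypothetical helper name, and the script assumes upstream version numbering only (distribution kernels may carry a backported fix under an older version number, so confirm a "potentially-vulnerable" result against the vendor advisory).

```shell
#!/bin/sh
# Classify a kernel release string against the fixed versions named in the
# article: 6.18.22, 6.19.12, and 7.0 or newer.
# Assumption: only the upstream x.y.z prefix is compared; backports are not detected.

copyfail_status() {
    rel=$1
    # Keep the leading numeric part: "6.18.22-1-amd64" -> "6.18.22"
    ver=${rel%%[!0-9.]*}

    # Split on dots into major / minor / patch.
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=$1; minor=$2; patch=${3:-0}

    # Anything that does not look like x.y[.z] cannot be judged.
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo unknown
        return 0
    fi

    if [ "$major" -ge 7 ]; then
        echo fixed
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 18 ]; then
        if [ "$patch" -ge 22 ]; then echo fixed; else echo potentially-vulnerable; fi
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 19 ]; then
        if [ "$patch" -ge 12 ]; then echo fixed; else echo potentially-vulnerable; fi
    elif [ "$major" -eq 6 ] && [ "$minor" -gt 19 ]; then
        # The article names no fixed release for such a branch.
        echo unknown
    else
        # Older than 6.18: the article lists no fixed upstream version here.
        echo potentially-vulnerable
    fi
}

# Report on the running kernel.
echo "$(uname -r): $(copyfail_status "$(uname -r)")"
```

To check a remote host's reported release without logging in to it, pass the string directly, for example `copyfail_status 5.15.0-91-generic`.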
