PC Gamer
Jess Kinghorn

'A single 732-byte Python script can be used to obtain root on essentially all Linux distributions shipped since 2017': Time to update your kernel

A view of a gentoo (Pygoscelis papua) penguin at the Paradise Bay in the Gerlache Strait, which separates the Palmer Archipelago from the Antarctic Peninsula, on January 20, 2024. Scientists and researchers from various countries are collaborating on projects during the X Antarctic Expedition aboard the Colombian research vessel 'ARC Simon Bolivar,' designed exclusively to develop scientific projects. These initiatives involve analyzing the current condition of the Antarctic sea, studying atmospheric pressure, and monitoring the species inhabiting this region of the planet.

Gaming on Linux has never been better—but that doesn't mean your distros are free from security threats. Case in point is a severe vulnerability nicknamed 'Copy Fail,' which allows a local user to dig into the guts of the OS and give themselves root privileges merely by writing four bytes of controlled data into the page cache of any readable file.

The security research team at Theori disclosed the vulnerability last Wednesday, though CISA reports that threat actors have since been observed using the exploit in the wild. The security flaw has been given the designation CVE-2026-31431 and marked with a high severity score of 7.8 (via Bleeping Computer).

This is because Copy Fail could potentially leave a large number of Linux users exposed—if you've not updated your kernel in a hot minute, now would be the time. Theori puts it succinctly in its write-up, summarising, "A single 732-byte Python script can [be used to] obtain root on essentially all Linux distributions shipped since 2017."

As such, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog. In accordance with 'Binding Operational Directive (BOD) 22-01', this move in turn requires Federal Civilian Executive Branch agencies based throughout the USA to update their systems by May 15 to protect them against this active threat.

CISA warns, "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."


Cybersecurity firm Theori also offers a more digestible Copy Fail guide. This includes the security research team's original Proof of Concept script so "defenders can verify their own systems and validate vendor patches." It's worth clarifying that this script requires local access to a machine running Linux, and that the security vulnerability is not an example of remote code execution.

The team found the same script works in Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, but obviously, plenty of other Linux distros are also affected.

This news follows claims made last week by Canonical—the company that created Ubuntu—that its web infrastructure was under a "sustained, cross-border attack". Though the Copy Fail vulnerability was disclosed by Theori around the same time, the exploit may not be to blame. Canonical has yet to provide an update after its X post on May 1st.
