‘Copy Fail’ puts Linux users on alert as kernel patches race out and distros scramble to push them to the update channel.
If you’re running Linux, you might want to keep an eye on your distro’s update manager because a whopper of a vulnerability called Copy Fail was announced on Wednesday. Not all distros have issued a patch, but they’re all working on it. Because of this, updating your system — or even finding out if a fix is available — might not be as quick and easy as it usually is.
On my Linux Mint installation, for example, the fastest mirrors are showing speeds in 2.x MB/s range, and attempting to refresh the update manager using various mirrors eventually hits a timeout that returns a “failed to download repository information” message. Mint’s issues are possibly being made worse by the DDoS attack that’s been hammering Ubuntu for the last day or so.
The exploit, CVE-2026-31431, is a local privilege escalation that allows unprivileged users to elevate themselves to admin. What’s worse, the released proof of concept takes advantage of the vulnerability using only several hundred bytes. Worse yet, this PoC was released into the wild on Wednesday when the vulnerability was disclosed, which means that by now it’s in the hands of every bad guy on the planet who wants it.
The good news is that Theori, the company that discovered the vulnerability, waited five weeks after privately notifying the Linux kernel security team with the details. This means that patches are already in place for versions 7.0, 6.19.12, 6.18.12, 6.18.22, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254, with more on the way.
Also good news — although this applies more to home Linux users than admins wrangling an army of servers in a data center — there has to be a door open somewhere for a cracker hacker to get inside to run the exploit code. For web-facing servers, there can be all sorts of services open to allow this, but most desktop users would have to do something like click on the wrong email attachment to trigger a malicious exploit.
The bad news is that just because the kernel is patched doesn’t mean the patches have made it to your local distro. That said, I figure that by now, unless you’re using one of the distros with a single maintainer, a patched version is at least on the way.
Here’s what my cursory look at some of the more mainstream distros turned up:
| Distro/family | Copy Fail Patch Status (CVE-2026-31431) |
|---|---|
| Linux mainline kernel | Fixed in 7.0 and later, 6.19.12, 6.18.22, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254 |
| Ubuntu | Fix via updated Ubuntu kernel packages |
| Debian | Fix via kernels listed in Debian security tracker |
| RHEL | Fix via Red Hat kernel errata (backported patch) |
| SUSE / openSUSE | Fix via SUSE kernel updates |
| Amazon Linux | Fix via updated Amazon Linux kernels |
| Arch Linux | Fix via rolling kernel including upstream patch |
| Fedora (42+) | Fix via updated Fedora kernels |
| Gentoo | Fix via updated kernel ebuilds |
| CloudLinux | Fix via CloudLinux kernels / KernelCare patches |
| AlmaLinux | Fix via AlmaLinux kernel updates |
| Linux Mint | Expected via Ubuntu kernel once Mint syncs |
That list isn’t complete of course, and it’s only a snapshot of the way things look at press time — important because the information is going to be very fluid at this stage of the game. If you’re a sysadmin managing web-facing servers, you don’t need my advice. If you’re running a Linux desktop or laptop, my advice is for you to be careful what you click until your machine is patched. Also, continue to keep an eye on your distro’s update manager, looking for “Copy Fail” and “CVE-2026-31431”. When those show up, update your system immediately.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
Be First to Comment