HeadlinesBriefing.com

Linux CopyFail exploit threatens all major distros

Ars Technica

Security firm Theori released exploit code Wednesday for a Linux kernel flaw that grants root on every distribution. The bug, tracked as CVE-2026-31431 and dubbed CopyFail, is a local privilege escalation that the kernel team has patched only in the newest 7.0, 6.x and 5.x releases. Theori disclosed the flaw five weeks after privately notifying the kernel security team, prompting a rush to apply backported patches.

Researcher Jorijn Schrijvershof explained that a single Python script works reliably on Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6 and Debian 12, elevating an unprivileged user to root. With that capability, attackers can breach cloud VMs, escape Kubernetes containers and inject malicious pull requests into CI/CD pipelines, turning ordinary access into full system control in modern environments.

Enterprises scrambling to patch vulnerable hosts face a narrow window before attackers weaponize the script at scale. Linux admins are urged to update to patched kernels immediately and audit untrusted code paths. Until distributions ship updates, the exposed flaw remains the most severe Linux threat seen in years. Customers on older kernels should apply temporary mitigations such as restricting untrusted user execution.