CopyFail: A Simple Python Script Roots Almost Every Linux Distribution Since 2017


The US Cybersecurity and Infrastructure Security Agency (CISA) is warning all federal civilian agencies to patch their systems by no later than May 15. The reason - a serious vulnerability in the Linux kernel called CopyFail, already being actively used in malicious attacks.

The flaw, tracked as CVE-2026-31431, was found in Linux kernel versions 7.0 and older. The security firm Theori, which discovered it, confirmed it has been verified on Red Hat Enterprise Linux 10.1, Ubuntu 24.04 (LTS), Amazon Linux 2023 and SUSE 16. The number of potentially affected systems is enormous: the same script "roots every Linux distribution released since 2017," according to the CopyFail web page.

How does it work? The kernel - the heart of the operating system, with access to almost everything on the device - fails to copy certain data when it should. This corrupts sensitive information and gives the attacker a foothold on everything else. The concrete result: an ordinary user with limited access gains full administrator (root) privileges. In a data centre, that means access to the servers, databases and potentially every other system on the same network.

The flaw on its own can't be exploited over the internet, but it's a "multiplier" for other attacks. Microsoft warns that CopyFail combined with an internet-facing vulnerability would let an attacker get root access to a server. Users can also be tricked through a malicious link. The most frightening scenario is a supply chain attack, where hackers compromise the open-source code of a popular developer and infect everyone who uses it.

Patches have been released in the kernel, but haven't reached all distributions yet. Debian, Fedora, Kubernetes - all are vulnerable. DevOps engineer Jorrijn Schrijvershof described the flaw as having "an unusually large blast radius." The fact that Linux is the standard in data centres means that the web services we all use - from banking apps to public administration - may be vulnerable until someone patches them.
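A first step for any team that has to triage this is a kernel-version inventory. The script below is an added example, not code from the article, Theori or any distribution: it takes the "7.0 and older" statement above as its only threshold, parses `uname -r` strings from a constructed host list, and flags hosts whose major.minor version is at or below that threshold. The article gives no fixed-in version, and distributions backport fixes without bumping the upstream version number, so a flagged host means "check the vendor advisory", not "confirmed vulnerable", and an unflagged host is not proof of safety.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample inventory: host name -> the `uname -r` output collected from it.
# These values are made up for this example and do not describe real machines.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-01": "6.8.0-45-generic",
    "db-02": "5.14.0-503.14.1.el9_5.x86_64",
    "build-03": "7.0.0-rc3",
    "edge-04": "7.1.2-arch1-1",
    "legacy-05": "unknown",
}

# Threshold taken from the article's statement that kernel 7.0 and older are affected.
# It is an assumption for triage purposes, not an official "fixed in" version.
AFFECTED_MAX_MAJOR_MINOR: Tuple[int, int] = (7, 0)


def parse_kernel_release(release: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a `uname -r` string.

    Vendor suffixes such as "-generic", ".el9_5.x86_64" or "-rc3" are ignored;
    a missing patch level (e.g. "7.0-rc3") is treated as 0. Returns None when
    the string does not start with a dotted version number.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def possibly_affected(release: str) -> Optional[bool]:
    """True if the upstream version is <= 7.0, False if newer, None if unparseable."""
    parsed = parse_kernel_release(release)
    if parsed is None:
        return None
    major, minor, _patch = parsed
    return (major, minor) <= AFFECTED_MAX_MAJOR_MINOR


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to a triage label for a follow-up ticket."""
    labels = {}
    for host, release in inventory.items():
        verdict = possibly_affected(release)
        if verdict is None:
            labels[host] = "UNPARSEABLE: collect kernel version manually"
        elif verdict:
            labels[host] = "CHECK VENDOR ADVISORY: upstream version <= 7.0"
        else:
            labels[host] = "newer than 7.0 (still confirm with vendor advisory)"
    return labels


if __name__ == "__main__":
    for host, label in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {SAMPLE_INVENTORY[host]:35s} {label}")
```

The version comparison deliberately ignores the patch level and vendor suffix, because those encode distribution-specific backports that a plain number comparison cannot reason about; the point of the script is to produce a worklist for checking each vendor's advisory, not to decide vulnerability on its own.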

Balkan institutions and companies running Linux should treat this as a top priority. The Scandinavians have already tightened the screws. In the Balkans, the situation is different: many public institutions are still running old distributions, without regular updates and without dedicated security staff. The question isn't whether someone will be attacked, it's how many.