The most severe Linux threat to surface in years catches the world flat-footed

Publicly released exploit code for an effectively unpatched vulnerability that gives root access to nearly all releases of Linux is setting off alarm bells as defenders scramble to ward off severe compromises inside data centers and on personal devices.

The vulnerability and the code that exploits it were released Wednesday evening by researchers from security firm Theori, 5 weeks after they privately disclosed it to the Linux kernel security team. The team patched the vulnerability in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254, but few Linux distributions had integrated these fixes at the time the exploit was released.

A single script hacks all distros

The critical flaw, tracked as CVE-2026-31431 and named CopyFail, is a local privilege escalation, a vulnerability class that allows unprivileged users to elevate themselves to administrators. CopyFail is especially severe because it can be exploited with a single piece of exploit code (released with Wednesday's disclosure) that works across all vulnerable distributions with no modification. With that, an attacker can, among other things, hack multi-tenant systems, break out of containers based on Kubernetes or other frameworks, and create malicious pull requests that pipe the exploit code through CI/CD workflows.

“‘Local privilege escalation’ sounds dry, so let me unpack it,” researcher Jorijn Schrijvershof wrote Thursday. “It means: an attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems.”

Schrijvershof added that the same Python script Theori released works reliably on Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12. The researcher continued:
