
Sector 001

(369 posts)
Thu Apr 30, 2026, 10:32 PM Thursday

Copy Fail: This Exploit Gives Root Access on Linux - SavvyNik

Last edited Fri May 1, 2026, 12:04 PM - Edit history (1)


Big Linux Exploit Just Happened - ThioJoe

This Exploits LITERALLY Every Linux Distro
Copy Fail: This Exploit Gives Root Access on Linux - SavvyNik (Original Post) Sector 001 Thursday OP
Text version ? nt eppur_se_muova Thursday #1
👀 Sector 001 Thursday #2
Thanks ! bookmarking. nt eppur_se_muova Thursday #3
It looks like developers are already on this ... rog Thursday #4
This exploit is nine years old. Sector 001 Thursday #5
Actually the word is that it has not (yet) been seen in the wild. rog Friday #7
Welcome to my ignore list. Sector 001 Friday #8
Wow - that caught me by surprise. Most of this info is from the links you provided. rog Friday #9
k&r n/t area51 Thursday #6
Is Copy Fail a remote exploit or a local exploit? LPBBEAR Friday #10

rog

(963 posts)
4. It looks like developers are already on this ...
Thu Apr 30, 2026, 11:37 PM
Thursday
From this link, cited in the OP.

Edited to add that (apparently) it hasn't been found in the wild (yet).

Users at particularly high risk of Copy Fail exploitation include "multi-tenant Linux hosts, CI runners & build farms, kubernetes/container clusters, and Cloud SaaS running user code." Common Linux servers are only considered Medium risk, and single-user laptops and workstations are considered Lower risk. Due to the nature of the exploit, though, no Linux user is totally safe, since direct or remote access by a malicious user is all that's needed to execute the minuscule script and gain Root access for further exploitation.

It's fortunate that Xint Code disclosed this exploit and its fix to the development community first. Mainline Linux kernel commit a664bf3d603d already fixes the issue, and devs behind major distributions have either already shipped the fix to their distributions or are in the process of doing so.

Sector 001

(369 posts)
5. This exploit is nine years old.
Thu Apr 30, 2026, 11:50 PM
Thursday

They suspect that hackers have been using this exploit for years.

rog

(963 posts)
7. Actually the word is that it has not (yet) been seen in the wild.
Fri May 1, 2026, 02:57 AM
Friday

Why was it undiscovered for so long?

"Copy-Fail" was created by the intersection of three independent, seemingly benign changes to the Linux kernel made between 2011 and 2017. The dangerous combination arose because the 2017 change allowed pages from the system's page cache (which are normally read-only) to be placed into a writable buffer for a crypto operation. When the authencesn module performed its normal 4-byte scratch write, it was now writing directly into the page cache of a file, corrupting it. Because each of these changes was harmless on its own, their combined effect went unnoticed for nearly a decade.

The vulnerability wasn't found by a human manually auditing code - that's why it was undiscovered for so long. It was discovered by a cybersecurity researcher named Taeyang Lee using an AI-powered code auditing tool called Xint Code.

"Copy Fail" is a severe and reliable flaw born from the complex interaction of features, highlighting new challenges in code security. This is less about negligence and more about the limitations of traditional auditing to spot such "polyglot" bugs, which are now being exposed by advanced AI tooling.

As of today (May 1, 2026), no active exploitation has been confirmed in production environments. This is consistently reported across multiple authoritative sources:

CERT-EU (the official Computer Emergency Response Team for EU institutions) published an advisory on April 29 confirming public PoC release but did not report active exploitation.

奇安信 (Qi'anxin Threat Intelligence), a major Chinese cybersecurity firm, explicitly states: "在野利用状态 — 未发现" ("In-the-wild exploitation status — not discovered").

Flashbots, a real-world production environment that uses Linux systems, investigated their exposure and confirmed: "No exploitation observed" on their deployed images.

However, as of April 30, major distributors still hadn't shipped final patches. This window is when in-the-wild exploitation is most likely to emerge.

This is a very serious flaw, but its impact is concentrated on shared hosting and cloud environments. Home users are lower priority for attackers, and a standard system update will fully protect you.

Edited to add that: Security teams are treating this as a race to patch before attackers begin using it.

I'm running Linux Mint - I imagine it will be patched in the next kernel update.

rog

(963 posts)
9. Wow - that caught me by surprise. Most of this info is from the links you provided.
Fri May 1, 2026, 12:01 PM
Friday

I'm not sure why you're expressing so much anger about this, but I encourage anyone who's interested to follow your text links and then do a search for further info if they want.

Thanks for posting this information - sorry you're having a bad day.

Just curious ... did you read my posts, or is this just a knee-jerk reaction? Honestly, I'm puzzled.

LPBBEAR

(676 posts)
10. Is Copy Fail a remote exploit or a local exploit?
Fri May 1, 2026, 06:57 PM
Friday

Copy-Fail (CVE-2026-31431) is a local exploit. Specifically, it is a Local Privilege Escalation (LPE) vulnerability, meaning an attacker must already have a, typically unprivileged, foothold on the Linux system—such as a user account, a container, or a shell—to exploit it.

For most Linux users this is a non-starter. If no one uses your personal system but you, or if you don't routinely allow skilled hacker-level people access to your personal computer, then you have nothing to worry about. Some Internet-facing systems are likely to have multiuser accounts on one system, and yes, the sys-admins who take care of those systems should be keeping a wary eye on users as well as watching for updates that address this issue.

The guy that started this thread has a habit of trying to denigrate Linux. He has numerous posts trying to do that.

There will be a fix for this out soon if not already. Just do your updates and you'll be fine.
