
rog

(963 posts)
7. Actually the word is that it has not (yet) been seen in the wild.
Fri May 1, 2026, 02:57 AM

Why was it undiscovered for so long?

"Copy-Fail" was created by the intersection of three independent, seemingly benign changes to the Linux kernel made between 2011 and 2017. The dangerous combination arose because the 2017 change allowed pages from the system's page cache (which are normally read-only) to be placed into a writable buffer for a crypto operation. When the authencesn module performed its normal 4-byte scratch write, it was now writing directly into the page cache of a file, corrupting it. Because each of these changes was harmless on its own, their combined effect went unnoticed for nearly a decade.

The vulnerability wasn't found by a human manually auditing code - that's why it was undiscovered for so long. It was discovered by a cybersecurity researcher named Taeyang Lee using an AI-powered code auditing tool called Xint Code.

"Copy Fail" is a severe and reliable flaw born from the complex interaction of features, highlighting new challenges in code security. This is less about negligence and more about the limitations of traditional auditing to spot such "polyglot" bugs, which are now being exposed by advanced AI tooling.

As of today (May 1, 2026), no active exploitation has been confirmed in production environments. This is consistently reported across multiple authoritative sources:

CERT-EU (the official Computer Emergency Response Team for EU institutions) published an advisory on April 29 confirming public PoC release but did not report active exploitation.

奇安信 (Qi'anxin Threat Intelligence), a major Chinese cybersecurity firm, explicitly states "在野利用状态 — 未发现" ("In-the-wild exploitation status: not discovered").

Flashbots, a real-world production environment that uses Linux systems, investigated their exposure and confirmed: "No exploitation observed" on their deployed images.

However, as of April 30, major distributors still hadn't shipped final patches. This window is when in-the-wild exploitation is most likely to emerge.

This is a very serious flaw, but its impact is concentrated on shared hosting and cloud environments. Home users are lower priority for attackers, and a standard system update will fully protect you.

Edited to add: Security teams are treating this as a race to patch before attackers begin using it.

I'm running Linux Mint - I imagine it will be patched in the next kernel update.
