CopyFail Bug Exposes Major Linux Versions: US Government Warns of Active Exploitation

A critical security flaw in the Linux kernel, known as the CopyFail bug, has triggered urgent warnings from the U.S. government. Security researchers have released exploit code that allows attackers to gain complete control over vulnerable systems. The Cybersecurity and Infrastructure Security Agency (CISA) has now confirmed that this Linux vulnerability is being actively exploited in the wild.

What Is the CopyFail Bug (CVE-2026-31431)?

Officially tracked as CVE-2026-31431, the CopyFail bug affects Linux kernel versions 7.0 and earlier. The flaw was disclosed to the Linux kernel security team in late March and patched within a week. However, the patches have not yet reached all Linux distributions, leaving many systems exposed.

The bug gets its name from a failure in the kernel’s memory management: it does not copy certain data when it should. This corrupts sensitive kernel data, allowing an attacker to escalate privileges. Specifically, a regular user with limited access can gain full root privileges on the system. As security firm Theori, which discovered the flaw, explains, a short Python script can “root every Linux distribution shipped since 2017.”

Which Linux Versions Are Affected by the CopyFail Bug?

The CopyFail bug impacts a wide range of popular Linux distributions. Theori verified the vulnerability in several major versions, including Red Hat Enterprise Linux 10.1, Ubuntu 24.04 (LTS), Amazon Linux 2023, and SUSE 16. DevOps engineer Jorijn Schrijvershof also confirmed that the exploit works on Debian and Fedora, as well as on Kubernetes, which relies on the Linux kernel. Schrijvershof described the flaw as having an “unusually big blast radius,” affecting “nearly every modern distribution” of Linux.

Enterprise and Cloud Environments at Risk

Linux powers the vast majority of data centers and cloud infrastructure. A successful exploitation of this root access exploit in a data center server could allow an attacker to compromise every application, database, and server hosted there. This could also lead to lateral movement within the network, affecting other systems.

How Does the CopyFail Bug Work and What Are the Risks?

The CopyFail bug cannot be exploited over the internet on its own. However, it can be weaponized when combined with another vulnerability that allows remote code execution. Microsoft has warned that chaining the CopyFail bug with an internet-accessible flaw could enable an attacker to gain root access to a server remotely. Additionally, a user on a vulnerable Linux machine could be tricked into clicking a malicious link or opening an infected attachment, triggering the exploit.

Supply chain attacks are another vector. Malicious actors could compromise an open-source developer’s account and inject the exploit into legitimate code, affecting thousands of devices in a single campaign. This makes the kernel security flaw especially dangerous for organizations with complex software supply chains.

What Should You Do? CISA’s Patch Deadline

Given the severity, CISA has ordered all U.S. civilian federal agencies to patch affected systems by May 15. For private organizations, the recommendation is equally urgent. System administrators should immediately apply the latest kernel updates from their Linux distribution vendor. For more on securing your systems, read our guide on Linux security best practices. You can also check our vulnerability scanning tools to identify affected systems.

In addition, organizations should monitor for unusual privilege escalation attempts and restrict user permissions where possible. The CopyFail bug underscores the importance of rapid patch deployment in enterprise environments.

As the U.S. government warns, this Linux vulnerability is not just theoretical—it is being actively exploited. Delaying patches could lead to a full system compromise. Act now to secure your infrastructure.

How Hackers Turn DVR Command Injection Flaw into a Botnet Weapon

A new wave of cyberattacks is exploiting a DVR command injection flaw to build a powerful botnet. Security researchers at Fortinet‘s FortiGuard Labs have uncovered a campaign targeting TBK digital video recorders (DVRs). The goal? To install a Mirai-based malware strain called Nexcorium. This malware turns infected devices into soldiers for distributed denial-of-service (DDoS) attacks.

Understanding the DVR Command Injection Flaw (CVE-2024-3721)

The vulnerability at the heart of this campaign is CVE-2024-3721. It affects TBK DVR systems, which are widely used in surveillance setups. Attackers send specially crafted requests to the device, abusing a vulnerable parameter. This allows them to execute arbitrary commands on the system. In short, the DVR command injection flaw gives hackers a direct path into the device.

Once inside, the attackers deploy a downloader script. This script fetches malware binaries tailored for different Linux architectures, including ARM, MIPS, and x86-64. The malware then runs with elevated permissions, taking full control of the DVR.

Inside the Nexcorium Botnet: Multi-Stage Infection and Persistence

Nexcorium is a sophisticated variant of the infamous Mirai botnet. After the initial breach, the malware hides its configuration using XOR encoding. This configuration includes command-and-control (C2) server details, attack instructions, and even a built-in credential list for brute-force attacks.

The botnet spreads through multiple methods. It exploits the DVR command injection flaw for initial access. Then, it uses default credentials to move laterally across networks. It also targets additional vulnerabilities, such as CVE-2017-17215, which affects Huawei routers. This multi-pronged approach helps the botnet grow quickly.

Persistence is a key feature of Nexcorium. The malware modifies system initialization files, creates startup scripts, and registers system services. It also schedules recurring tasks via cron jobs. This ensures the malware survives reboots and maintains long-term access.

DDoS Capabilities of the Botnet

Once established, Nexcorium connects to a remote C2 server. The server issues commands for various DDoS attack methods. These include UDP floods, TCP SYN floods, and application-layer attacks like SMTP flooding. The botnet can also terminate attacks or self-destruct on command, showing centralized control.

As Trey Ford, chief strategy and trust officer at Bugcrowd, noted: “The Nexcorium campaign is a precise illustration of why automated scanning alone cannot close the exposure gap. Machine speed analysis tells you a vulnerability exists, but human researcher depth tells you how an adversary will chain it, weaponize it and sustain access long after the initial alert fires.”

How to Protect IoT Devices from Botnet Threats

IoT devices, especially DVRs, are prime targets for botnets like Nexcorium. John Gallagher, vice president of Viakoo Labs, explained: “Enterprises have had their fleets of IoT and OT devices used by Mirai and its variants for some time, particularly for DDoS attacks. Until more action is taken by enterprises to maintain cyber hygiene on IoT devices, this will continue because of the ease of infection and ability to move laterally.”

Security teams should focus on foundational controls. Traditional agent-based tools often fail because IoT devices cannot host agents. Instead, use agentless discovery and remediation solutions. Automated password and certificate management are also critical. Additionally, keep firmware updated to patch known vulnerabilities like CVE-2024-3721.

For more on IoT security, read our guide on IoT security best practices. You can also check our analysis of Mirai botnet evolution.

In conclusion, the exploitation of the DVR command injection flaw highlights a growing trend: attackers targeting overlooked IoT devices. By understanding the attack chain and implementing strong cyber hygiene, organizations can reduce their risk of becoming part of the next botnet.

TechCrunch Disrupt 2026: Get 50% Off a Second Pass and Close More Deals Faster

Time is running out for founders, investors, and operators who want to supercharge their deal-making. For the next four days, you can buy one pass to TechCrunch Disrupt 2026 and get 50% off a second pass of the same ticket type. This offer expires on May 8 at 11:59 p.m. PT. After that, prices rise, and bringing a partner or colleague will cost you significantly more. Register here to secure your plus-one at half price.

In the fast-paced world of startups, access is everything. Many believe that a polished pitch is the key to success, but the reality is that proximity to capital and decision-makers often determines who scales and who stalls. TechCrunch Disrupt 2026 is designed to eliminate the barriers of cold outreach and missed introductions, giving you direct access to the people who can write checks and open doors.

Why Deal Flow Matters More Than Ever

Fundraising is a long game of chasing proximity. Cold emails, ignored LinkedIn messages, and weeks of waiting for replies can drain your momentum. Without access, you watch deals happen without you. That’s where TechCrunch Disrupt 2026 deals come into play. This event compresses the fundraising timeline by putting you in the same room as top-tier investors, all in one place.

Building on this, the event offers several dedicated spaces for meaningful interactions:

• Startup Battlefield 200: Pitch in front of leading VCs and compete for a $100,000 equity-free prize.
• Deal Flow Café: A designated area for real, unfiltered conversations between founders and investors.
• Curated matchmaking: Targeted 1:1 and small-group meetings with investors who align with your sector.
• Expo Hall proximity: Turn cold outreach into live demos and authentic discussions.

As a result, you shift from chasing attention to securing influence. Your ticket grants you access to candid insights from active founders, top-tier investors, and operators scaling real companies. Speakers include Nina Achadjian of Index Ventures, Josh Reeves of Gusto, and Arsalan Tavakoli-Shiraji of Databricks, among many others.

How Disrupt 2026 Accelerates Fundraising

When TechCrunch Disrupt 2026 takes over Moscone West in San Francisco from October 13–15, more than 10,000 founders, investors, and operators will gather with a single goal: to advance deals. This changes the pace of business immediately. Instead of months of back-and-forth, conversations start and move faster across industry stages, keynotes, roundtables, and investor receptions.

Furthermore, you are not burning resources trying to get into a meeting—you are already in one. Disrupt is a premier global startup event where the ecosystem converges to move ideas, deals, and companies forward. With over 20,000 curated meetings and dedicated environments like investor-founder networking sessions, the event is built for deal flow, not just discussion.

The Power of Proximity

At Disrupt, you are face-to-face with investors who can ask questions on the spot, evaluate your vision directly, and read signals immediately. This feedback loop compresses timelines. What normally takes weeks can take shape in a single day—especially as you move between sessions and conversations across the venue. Check the agenda to plan your time effectively.

In addition, you will find 80+ Side Events across the Bay Area for networking, workshops, and social connections, extending the value of your Disrupt ticket. Bringing a second person with your 50% discount multiplies those moments, allowing you to cover more ground and convert more conversations into real opportunities.

Don’t Miss Your 50% Discount

Buy one pass, get 50% off the second (of the same ticket type). Bring someone who helps you move faster—and put yourself in the room where deals actually start. Register now to secure your two passes before May 8 at 11:59 p.m. PT. After that, the price goes up, and the opportunity to bring a colleague takes a bigger chunk of your budget.

Therefore, if fundraising is already on your roadmap, waiting doesn’t make it easier. It just delays access. Secure your passes today for TechCrunch Disrupt 2026 and close more deals faster.