A high-severity flaw in the Linux kernel’s cryptographic subsystem has been added to CISA’s Known Exploited Vulnerabilities catalog, with a federal patch deadline of 15 May 2026. Tracked as CVE-2026-31431 and nicknamed Copy Fail, the bug lets any unprivileged local user gain root on essentially every mainstream Linux distribution shipped since 2017 — Ubuntu, RHEL, SUSE, Debian, Amazon Linux and friends. Microsoft’s Security Response Center confirmed active exploitation in cloud environments on 1 May, as reported on the Microsoft Security Blog.
This one matters for Australian businesses because Linux quietly runs the bits of your stack you don’t look at every day — your hosted website, your e-commerce platform, your Microsoft 365 connector boxes, your VPN appliance, and most of your cloud workloads. If anyone can already log into the box (a low-privilege web shell, a compromised app account, a stolen SSH key), Copy Fail is the step that turns a small foothold into game-over. Per Help Net Security, working exploits are already public and weaponised.
What to do this week:
- Patch every Linux server and container image. Apply your distro’s May kernel update, then reboot. “I’ll do it next maintenance window” is not the right answer here.
- Ask your hosting provider, MSP and SaaS vendors for written confirmation their kernels are patched — especially anything customer-facing or holding regulated data.
- Audit your golden images and IaC templates. A patched fleet that bakes new VMs from a stale AMI is back to square one inside a week.
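The "patch, then reboot" step is where fleets most often stall: the fixed kernel package is installed but the old kernel is still the one running. The script below is an added example, not code from any vendor advisory, that sorts hosts or images into unpatched, reboot-needed and OK. The hostnames, the version strings and the `FIXED` value are constructed placeholders; take the real fixed package version from your distro's advisory for CVE-2026-31431.

```shell
#!/bin/sh
# Added example: classify hosts by kernel patch state from inventory data.
# All hostnames and version strings below are constructed sample values.
# Only compare versions from the same distro package stream; vendors
# backport fixes, so upstream version numbers are not comparable across distros.

# ver_lt A B: succeed if version A sorts strictly before B (needs sort -V).
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# kernel_state RUNNING NEWEST_INSTALLED FIXED
# Prints one of:
#   UNPATCHED      newest installed kernel is older than the fixed version
#   REBOOT_NEEDED  fixed kernel is installed, but an older one is running
#   OK             running kernel is at or above the fixed version
kernel_state() {
    running=$1 installed=$2 fixed=$3
    if ver_lt "$installed" "$fixed"; then
        echo UNPATCHED
    elif ver_lt "$running" "$fixed"; then
        echo REBOOT_NEEDED
    else
        echo OK
    fi
}

# audit FIXED: read "host running installed" lines on stdin, print a report.
audit() {
    while read -r host running installed; do
        [ -n "$host" ] || continue
        printf '%s\t%s\n' "$host" "$(kernel_state "$running" "$installed" "$1")"
    done
}

FIXED="5.15.0-200"   # PLACEHOLDER, not a real fixed version

# Constructed inventory. On a real host, RUNNING is `uname -r` and
# INSTALLED is the highest kernel version your package manager reports.
audit "$FIXED" <<'EOF'
web01 5.15.0-180 5.15.0-180
db01 5.15.0-180 5.15.0-200
app01 5.15.0-200 5.15.0-200
EOF
```

The same check applies to golden images: record the kernel baked into each image as both the running and installed value, and anything reported as UNPATCHED needs rebuilding.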
If you’re not sure what’s running Linux in your environment or whether your provider has acted, that’s the conversation to start tomorrow morning. Our cybersecurity team can run a quick exposure check across your servers, cloud workloads and key vendors.
