A nine-year-old flaw in the Linux kernel, tracked as CVE-2026-31431 and nicknamed Copy Fail, has been added to CISA’s Known Exploited Vulnerabilities catalogue. As reported by The Hacker News, the bug lets a low-privileged local user gain root with a 732-byte exploit, and Microsoft’s Defender team is already seeing exploit-prep activity in the wild. US federal agencies have until 15 May to patch.

This isn’t a problem that lives only on a sysadmin’s screen. Almost every Australian SMB runs Linux somewhere — under a website, behind a SaaS app, inside an AWS, Azure or Google Cloud workload, or as the host OS for a container platform. Copy Fail is especially nasty in containerised environments: Docker, LXC and Kubernetes give container processes access to the kernel feature being abused by default, so a contained foothold can become a full host compromise. For anyone with Privacy Act notification obligations, that’s a serious incident waiting to happen.

What to do this week: ask your IT provider or hosting partner to confirm every Linux instance you rely on has been patched to a fixed kernel (6.18.22, 6.19.12 or 7.0 and later). Most major distributions — Ubuntu, RHEL, AlmaLinux, Amazon Linux 2023, SUSE — have already shipped updates. If you can’t patch a system immediately, isolate it on the network and tighten who can log in locally. Check that any container hosts you operate are on the patched kernels too, not just the workloads inside them.

If you’re not sure where your Linux estate sits or who’s responsible for patching it, that’s the bigger conversation to have. Our cybersecurity team can help you map the exposure and close it out without panic.