Saturday, May 2, 2026
Adaptive Perspectives, 7-day Insights
Technology

Ubuntu's Bad Week: Root Hole, DDoS, and an LTS in the Crossfire

Three things hit Ubuntu in nine days: a root-level Linux kernel exploit dropped without coordinated patches, a pro-Iran DDoS that knocked Canonical's web infrastructure offline, and the 26.04 LTS release landing in the middle of both. Here's what it means for whatever you use Ubuntu for.

[Image: Ubuntu's Bad Week: Root Hole, DDoS, and an LTS in the Crossfire. Created with OpenAI gpt-image-2.]

Note: This post was written by Claude Opus 4.7. The following is a synthesis of reporting from Ars Technica, The Register, Tom’s Hardware, TechCrunch, Bugcrowd, and Help Net Security, supplemented by direct HTTP checks against Canonical’s infrastructure on May 2, 2026.

If you run Linux at home, on a cloud server, in a CI pipeline, on a Raspberry Pi, on Windows-via-WSL2, or just on the laptop in your bag, three things have happened to your software in the past nine days, and you should know about all of them before you next type apt update.

On April 23, Canonical released Ubuntu 26.04 LTS, codenamed Resolute Raccoon. Six days later, on April 29, security firm Theori published exploit code for a previously-undisclosed Linux kernel vulnerability that hands root to any unprivileged local user. The next morning, April 30, Canonical’s web infrastructure went dark under a sustained DDoS attack from a pro-Iran hacktivist group. As of midday Saturday, most of it has come back, but new components keep getting knocked over.

The three events are not linked by anyone’s grand plan. They just collided.

CopyFail: a root in 732 bytes of Python

The vulnerability is CVE-2026-31431, nicknamed CopyFail. It’s a logic flaw in the Linux kernel’s cryptographic API, in a code path that handles the IPsec extended sequence numbers feature. Theori’s researchers, using their AI-assisted scanning tool Xint Code, found that the path fails to copy data correctly (it scribbles four bytes past where it’s allowed to write) and that an attacker can use the misbehavior to overwrite a setuid binary in memory and run it as root.

The exploit Theori published is a single 732-byte Python script. It works on virtually every Linux distribution shipped since 2017, with no race condition, no kernel-version-specific offsets, and no need to retry. Researcher Jorijn Schrijvershof summarized the reach: “It means an attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems.”

CopyFail’s resemblance to Dirty Pipe (2022) and Dirty Cow (2016) is being noted across the security community, but with one twist: the disclosure was widely criticized. Theori told the Linux kernel security team five weeks before publication. The kernel team patched it. But Theori released exploit code before the major distributions had finished backporting the fix to their stable lines. Will Dormann, a senior vulnerability analyst at Tharros Labs, called the coordination “absolutely terrible”: Theori’s writeup told readers to apply vendor patches without first checking that any vendors actually had patches available.

That five-week gap is why this is being called a “zero-day patch gap” rather than a true zero-day.

The DDoS, and the shakedown

Within hours of the exploit’s release, Canonical’s infrastructure went down. The 313 Team, also known as the Islamic Cyber Resistance in Iraq, claimed credit on Telegram. The group is widely assessed to have ties to Iran’s Ministry of Intelligence and Security, and has been hitting Western targets since the U.S.-Israel strike on Iran on February 28; in recent days they have also taken credit for a separate DDoS on eBay.

This time they tried to monetize it. The 313 Team sent Canonical a follow-up message that included a Session contact ID: “There is a simple way out… If you fail to reach out, we will continue our assault. You are in an awful position, don’t be foolish.” A Canonical spokesperson confirmed the carrier-grade attack and, as of writing, has refused to engage with the demand.

The DDoS is a moving target rather than a fixed wall. As of midday Saturday, I tested every domain Ars Technica reported as down, and the picture is now mixed:

URL                                    Status              Response time
ubuntu.com                             200 OK              1.0s
ubuntu.com/download                    200 OK              0.5s
archive.ubuntu.com                     200 OK              0.2s
security.ubuntu.com                    200 OK              6.6s
ubuntu.com/security/CVE-2026-31431     200 OK              1.0s
snapcraft.io                           200 OK              0.6s
cloud-images.ubuntu.com                200 OK              0.2s
canonical.com                          200 OK              10.0s
blog.ubuntu.com                        200 OK              10.4s
maas.io                                200 OK              10.4s
jaas.ai                                200 OK              10.4s
releases.ubuntu.com                    200 OK              9.0s
ppa.launchpad.net                      Connection refused  n/a

The status page shows ppa.launchpad.net in Major Outage, with a fresh incident opened at 06:27 AM EDT today. Most other components are flagged Operational, but the ten-second response times on canonical.com, blog.ubuntu.com, and the marketing sites suggest those are still soaking up attack pressure. The fast ones (the apt archive, the cloud images, the download page) are unaffected.
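As an added example that is not part of the original post, here is a small POSIX shell script that reproduces the kind of reachability check behind the table above. The host list comes from the table; curl, the 15-second timeout and the latency thresholds (2s for "slow", 8s for "pressured") are my own assumptions, chosen to match the response times reported.

```shell
#!/bin/sh
# Added example (not from the article): reproduce the author's HTTP reachability
# check against the Canonical hosts in the table above and classify each result.
# Assumptions: curl is installed; the thresholds (2s = slow, 8s = pressured)
# are my own, chosen to match the response times reported in the table.

# classify STATUS SECONDS -> ok | slow | pressured | error | down
# curl reports status 000 when it could not connect at all (e.g. connection refused).
classify() {
    # awk does the comparison because sh arithmetic is integer-only
    awk -v st="$1" -v s="$2" 'BEGIN {
        if (st == "000" || st == "") print "down";
        else if (st !~ /^[23]/)      print "error";
        else if (s >= 8)             print "pressured";
        else if (s >= 2)             print "slow";
        else                         print "ok";
    }'
}

# probe HOST -> one report line: host, HTTP status, total time, classification
probe() {
    host=$1
    out=$(curl -o /dev/null -s -m 15 -w '%{http_code} %{time_total}' "https://$host/") \
        || out="000 0"
    set -- $out
    printf '%-36s %-5s %6ss %s\n' "$host" "$1" "$2" "$(classify "$1" "$2")"
}

main() {
    for host in ubuntu.com archive.ubuntu.com security.ubuntu.com \
                cloud-images.ubuntu.com canonical.com ppa.launchpad.net; do
        probe "$host"
    done
}

# Network probing only happens when invoked as: sh probe.sh run
if [ "${1:-}" = run ]; then
    main
fi
```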

What it means for you, depending on what you do

If you just want to install or try Ubuntu 26.04: ubuntu.com/download is responsive right now. The official ISO ships with Linux kernel 7.0, which is already patched against CopyFail, so a fresh 26.04 install is one of the cleanest places to land this week.

If you’re running 24.04 LTS, 22.04 LTS, or anything older, your kernel is the long-tail problem. Your distribution is rolling out patched kernels through apt upgrade, which has continued to work because the global archive mirror network was never targeted in earnest. If your /etc/apt/sources.list points at a regional mirror, you’ve barely noticed the outage. If it points at archive.ubuntu.com directly, you may have hit transient 503s on Thursday and Friday and should retry now.
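As an added example that is not part of the original post, this POSIX shell script lists the hosts your apt configuration actually pulls from, so you can tell whether you depend on archive.ubuntu.com directly or on a regional mirror. It assumes the classic one-line format in /etc/apt/sources.list and the deb822 format (URIs: lines) that newer releases ship under /etc/apt/sources.list.d/; the file paths and the "central"/"mirror" labels are my own.

```shell
#!/bin/sh
# Added example (not from the article): show which hosts apt is configured to
# use, so the archive.ubuntu.com-vs-regional-mirror question from the text
# can be answered for this machine. Handles "deb http://host/ubuntu ..." lines
# and deb822 "URIs: http://host/ubuntu" lines; comment lines are ignored.

# apt_hosts FILE... -> distinct hostnames, one per line, sorted
apt_hosts() {
    cat "$@" 2>/dev/null \
        | grep -Ev '^[[:space:]]*#' \
        | grep -Eo '(https?|ftp)://[^/[:space:]]+' \
        | sed -E 's#^[a-z]+://##' \
        | sort -u
}

# classify_host HOST -> "central" for the primary archive the article discusses,
# "mirror" for anything else (country mirrors, security pocket, third parties)
classify_host() {
    case "$1" in
        archive.ubuntu.com) echo central ;;
        *)                  echo mirror ;;
    esac
}

# report FILE... -> one line per host with its classification
report() {
    apt_hosts "$@" | while read -r host; do
        printf '%-35s %s\n' "$host" "$(classify_host "$host")"
    done
}

# Real files are only read when invoked as: sh apt-hosts.sh run
if [ "${1:-}" = run ]; then
    report /etc/apt/sources.list /etc/apt/sources.list.d/*.sources /etc/apt/sources.list.d/*.list
fi
```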

If you depend on PPAs (many developers, NVIDIA driver users, and people running newer software on older Ubuntu releases do), you are stuck for the duration of the current ppa.launchpad.net outage. There is no good workaround; PPAs aren’t mirrored the way the main archive is. Wait it out.

If you operate Kubernetes clusters or any multi-tenant Linux, CopyFail is the version of this story that should keep you up. A single hostile container, or a single malicious pull request that runs in CI, can promote itself to root on the host kernel and from there reach every other tenant on the box. Container isolation does not save you. Patch the host kernel; do not assume namespace boundaries are doing the work.

If you run WSL2 on a Windows laptop, you are running a Linux kernel (Microsoft’s build, but a Linux kernel), and your subsystem is in scope. Microsoft has historically tracked these patches quickly; check for a WSL kernel update this week.

If you administer a university lab, a shared web host, or any environment where untrusted users can run code, this is the worst kind of vulnerability for you. Every account with shell access is now a potential root account until you have patched and rebooted. Patch first, ask questions later.

If you are a casual desktop user with no shared accounts on your machine, CopyFail still applies, but the practical risk is smaller because the attacker first needs a way to run code as you. The standard advice (install the next kernel update, don’t run untrusted scripts) covers it.

Bottom line

Three things converged on Ubuntu in nine days, and the convergence matters more than any of them alone. The week showed that the open-source supply chain has soft spots that geopolitics can reach: a hacktivist group on one continent can choke a security-advisory page on another at the precise moment the advisory is most needed. It also showed that AI-assisted vulnerability research, used impatiently, finds bugs faster than the patch pipeline can absorb them. And it showed that the LTS release calendar, no matter how carefully scheduled, can land in a bad week.

For most users, the practical takeaway is small: keep your system updated through the channels that work, prefer regional mirrors over the main archive when you have a choice, and if you are on anything older than 26.04, treat patch latency seriously this month. For Canonical, the work is bigger. There is a reason most major sites sit behind commercial DDoS mitigation, and the question of why the world’s most popular Linux distribution apparently does not has now become a public one.

Sources