Qualys ThreatPROTECT confirmed on May 4 that the Linux kernel privilege escalation vulnerability CVE-2026-31431, dubbed 'Copy Fail', is under active exploitation in the wild. A compact 732-byte Python exploit is in open circulation, and Go and Rust reimplementations have already been detected in public repositories, lowering the barrier for threat actors significantly. CISA formally added the flaw to its Known Exploited Vulnerabilities catalog, and Microsoft Defender telemetry reports preliminary testing activity that is escalating in volume. Patched kernels were released May 1 for Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16, Debian, Fedora, and Arch Linux. The transition from patch-available to actively-exploited-in-the-wild compresses the response window dramatically — all Linux administrators must apply the available kernel updates immediately. The CISA KEV listing creates a binding remediation deadline for US federal agencies and represents a strong signal for all operators to treat this as an emergency patch.