Articles in this section

Vulnerability CVE-2026-31431: Copy Fail

Anton Maslov
Updated

Situation

Vulnerability CVE-2026-31431 (Copy Fail) affecting Linux Kernel has been discovered. Linux kernels since approximately 2017 (starting around version 4.14) are affected, depending on whether the vulnerable code is present.

Impact

Local privilege escalation (LPE) is possible by exploiting a flaw in the Linux kernel’s cryptographic subsystem.

Operating systems potentially affected (depending on kernel version):

  • Debian 10, 11, 12
  • Ubuntu 18.04, 20.04, 22.04, 24.04
  • AlmaLinux 8, 9, 10
  • CloudLinux 7h (Hybrid), 8, 9
  • Red Hat Enterprise Linux 8.x, 9.x

Call to action

For servers with KernelCare

If KernelCare is installed, the running kernel can be patched without a reboot:

# kcarectl --update

Then verify that CVE-2026-31431 is covered by the applied patch:

# kcarectl --patch-info | grep CVE-2026-31431

If patching is not available, either of the following indicates that KernelCare does not currently cover CVE-2026-31431 for the running kernel:

  • kcarectl --update returns: There are no updates for this kernel yet
  • kcarectl --patch-info | grep CVE-2026-31431 produces no output

In this case, proceed to the OS-specific instructions below.

For servers without KernelCare

Kernel fixes are distributed by OS vendors, and systems must be updated with the patched kernel as soon as it becomes available.

For CloudLinux

CloudLinux released a patch for:

  • CL7h: kernel-4.18.0-553.121.1.lve.el7h.x86_64 and above
  • CL8: kernel-4.18.0-553.121.1.lve.el8.x86_64 and above

Refer to:
https://blog.cloudlinux.com/cve-2026-31431-copy-fail-kernel-update
For temporary mitigation, update instructions, and the status of upcoming patches.

Warning: While the patched kernel is only in the beta channel, you may prefer not to install it on production right away. In that case, apply the temporary mitigation. It does not require a new kernel and can be reverted in seconds once the kernel reaches the stable channel.

CloudLinux 7h:

# yum --enablerepo=cl7h_beta update 'kernel*'

# reboot

# uname -r

CloudLinux 8:

# yum --enablerepo=cloudlinux-updates-testing update 'kernel*'

# reboot

# uname -r

Once the patched kernel reaches the stable channel, use a regular kernel update without enabling a testing repository:

# yum update 'kernel*'

# reboot

# uname -r

CloudLinux 9:

# dnf clean metadata

# dnf update 'kernel*'

# reboot

# uname -r

For Almalinux

AlmaLinux released a patch for:

  • AlmaLinux 8: kernel-4.18.0-553.121.1.el8_10 and above
  • AlmaLinux 9: kernel-5.14.0-611.49.2.el9_7 and above
  • AlmaLinux 10: kernel-6.12.0-124.52.2.el10_1 and above
  • AlmaLinux Kitten 10 is patched in kernel-6.12.0-225.el10 and above

Refer to:
https://almalinux.org/blog/2026-05-01-cve-2026-31431-copy-fail/

To apply updates:

# dnf clean metadata

# dnf update 'kernel*'

# reboot

# uname -r

For RedHat

Check the Red Hat advisory for the current patch status and mitigation steps.

Affected versions are:

  • RedHat/RockyLinux 8: kernel-4.18.X and above
  • RedHat 9: kernel-5.14.X and above

Refer to:
https://access.redhat.com/security/cve/cve-2026-31431

To apply updates:

# dnf update 'kernel*'

# reboot

# uname -r

Note: To block affected functions use the command:
grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
and reboot the server afterward.

For Ubuntu

Ubuntu provides fixes for this vulnerability through updated Linux kernel packages for affected releases, including:

  • Ubuntu 18.04 (Bionic)
  • Ubuntu 20.04 (Focal)
  • Ubuntu 22.04 (Jammy)
  • Ubuntu 24.04 (Noble)

Systems remain vulnerable until the patched kernel is installed. It is recommended to apply all available security updates and reboot the system to load the updated kernel.

To apply updates:

# apt update

# apt upgrade

# reboot

# uname -r

If installing all available updates is not possible, install the kmod mitigation package and reboot the server:

# apt update

# apt install --only-upgrade kmod

# reboot

Refer to:
https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
for details on affected releases, patch availability, and mitigation steps.

For Debian

Debian addresses this vulnerability by releasing updated Linux kernel packages that include the upstream fix.

Patched kernel versions have been released for newer branches, including:

  • sid (unstable): 6.19.13-1 and above
  • trixie (testing): 6.12.73-1 and above

Stable releases such as Debian 11 (Bullseye) and Debian 12 (Bookworm) receive fixes via security updates to their respective kernel branches.

Systems remain vulnerable until the updated kernel is installed and the system is rebooted.

To apply updates:

# apt update

# apt upgrade

# reboot

Refer to:
https://security-tracker.debian.org/tracker/CVE-2026-31431
for detailed information on affected and fixed package versions.

Was this article helpful?

Comments

0 comments

Article is closed for comments.