Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Copy Fail (CVE-2026-31431)

            Modified on Sat, 2 May at 10:29 AM

            Last updated: 2026-05-02
            Status: mitigation in progress — patched kernels are being rolled out as vendors release them to stable channels.

            Disclaimer: This page is provided for informational purposes only. We make no guarantees as to the accuracy, completeness, or applicability of the information to your specific environment, and the situation described here can change at any moment. Always verify with the official channels of your distribution before applying any changes to production systems. You apply any commands or instructions on this page at your own risk; Yourwebhoster.eu accepts no liability for damage, downtime, or data loss resulting from following them, in particular on systems we do not manage.


            To avoid unrecoverable situations, always make a back-up and/or snapshot of your system so you can easily roll back if any issues occur.


            Page changelog

            2026-05-02 — KernelCare patches now available in the main feed for most major distributions: CloudLinux 8, RHEL 8, AlmaLinux 9, Rocky Linux 9, Ubuntu 20.04, Ubuntu 22.04 (incl. arm64), CentOS 8, and Oracle Linux 8 UEK6. AlmaLinux 9 ESU and 9.6 FIPS are also covered via dedicated patchsets. See the KernelCare patch tracker for the live, complete list.

            2026-05-01 — Page published. Initial publication with overview of affected systems, available updates, and mitigation instructions.

            What is Copy Fail?
            Copy Fail is a critical local privilege escalation in the Linux kernel (the algif_aead module, AF_ALG interface). Any unprivileged local user can gain root via a 732-byte Python exploit. All Linux kernels from 2017 onwards are vulnerable — the only exception is CentOS / CloudLinux 7 (kernel 3.10), which never received the vulnerable code path.

            For shared hosting environments with multiple tenants this is a serious risk: any user with shell access can become root on the host node without any further exploit. For KVM virtual machines, this is not a VM escape — but every guest is independently vulnerable inside its own kernel.

            Status of our infrastructure
            We've been working on securing our infrastructure since the disclosure. A portion of our servers has already been mitigated; the rest will follow as quickly as we responsibly can. Once vendors publish the fully patched kernels in their stable channels, we will run a second maintenance round to install the definitive fix.

            Patch availability per distribution

            The situation differs per distribution. Always verify the current status with the official channels — the table below is a snapshot from 2026-05-01.

            DistributionVulnerablePatched kernelWhere to get itSource
            CentOS 6, CentOS 7, CloudLinux 7NoNo action neededNVD
            CloudLinux 7h, CloudLinux 8YesAvailable (beta)Beta channel cloudlinux-updates-testing — target kernel-4.18.0-553.121.1.lve.el8 or newerCloudLinux Blog
            CloudLinux 9YesAvailable (testing)AlmaLinux testing repo — target kernel-5.14.0-611.49.2.el9_7 or newerCloudLinux Blog
            CloudLinux 10YesAvailable (testing)AlmaLinux testing repo — target kernel-6.12.0-124.52.2.el10_1 or newerCloudLinux Blog
            AlmaLinux 8 / 9 / 10YesAvailable (testing)AlmaLinux testing repo — production repo expected shortlyAlmaLinux announcement
            Rocky Linux 8 / 9 / 10YesCheck vendorRocky errata channelsRocky Errata
            RHEL 8 / 9 / 10YesCheck vendorRed Hat errata channelsRed Hat Security
            Debian 13 (Trixie)YesPatched (stable)DSA-6238-1, kernel 6.12.85-1 in main — run apt update && apt upgradeDebian Tracker
            Debian 12 (Bookworm)YesPendingApply temporary mitigationDebian Tracker
            Ubuntu 22.04 / 24.04YesCheck USNApply temporary mitigation if no USN released yetUbuntu Security

            Mitigation if the patched kernel is not yet available

            There are two types of mitigation. Which one applies to you depends on your distribution, because algif_aead is a loadable module on some systems but built into the kernel on others.


            AspectRHEL-family (CloudLinux, AlmaLinux, Rocky, RHEL 8/9/10)Debian / Ubuntu
            algif_aead stateBuilt into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y)Loadable module
            modprobe blacklist + rmmodDoes not work — silently failsWorks — module can be blocked and unloaded
            Recommended mitigationBoot parameter initcall_blacklist=algif_aead_initmodprobe blacklist (preferred); boot parameter as fallback
            Reboot requiredYesNo, if modprobe approach succeeds; yes if falling back to boot parameter
            Tool usedgrubby (or direct edit of BLS entries)/etc/modprobe.d/ + rmmod, or GRUB cmdline edit


            RHEL-family — boot parameter (reboot required)

            The modprobe workaround circulating on oss-security does not work on RHEL-based systems — the commands run without errors but change nothing. Use the boot parameter approach:

            sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
            sudo reboot

            Verify after reboot:

            cat /proc/cmdline | grep initcall_blacklist

            Revert once the patched kernel is installed:

            sudo grubby --update-kernel=ALL --remove-args="initcall_blacklist=algif_aead_init"
            sudo reboot


            On CloudLinux 9 / 10 without grubby: manually edit /boot/loader/entries/*.conf and append initcall_blacklist=algif_aead_init to the options line of each entry, then reboot.


            Debian / Ubuntu — modprobe (no reboot if successful)

            On these systems algif_aead is typically a loadable kernel module. Try the modprobe approach first, then verify:

            echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/cve-2026-31431.conf
            sudo rmmod algif_aead 2>/dev/null || true
            lsmod | grep algif_aead


            If the last line returns nothing, the module is gone and the system is no longer exploitable through this vector. If this does not work (module remains loaded, or modinfo algif_aead | grep filename returns (builtin)), fall back to the boot parameter approach with a reboot:

            sudo sed -i 's|GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"|GRUB_CMDLINE_LINUX_DEFAULT="\1 initcall_blacklist=algif_aead_init"|' /etc/default/grub
            sudo update-grub
            sudo reboot


            Important pre-flight check: always verify that your current kernel cmdline preserves all existing parameters (such as network interface naming, crashkernel, root device hints) — an incomplete GRUB regeneration can result in a server that fails to boot or comes up without networking.


            Compatibility: dm-crypt / LUKS, kTLS, IPsec, SSH and default OpenSSL / GnuTLS builds do not depend on AF_ALG and continue to work after applying the mitigation.

            Recommendations

            1. Update the kernel where possible. For CloudLinux 7h/8 (beta), CloudLinux 9/10 + AlmaLinux (testing repo) and Debian Trixie a patched kernel is directly available. Schedule a reboot and install the update.

            2. If updating right now is not possible, apply the temporary mitigation. Choose the right method for your distribution (see above). The boot parameter approach works on every Linux system; modprobe only works on systems where algif_aead is a loadable module.

            3. Consider KernelCare for future kernel CVEs. KernelCare applies kernel patches without rebooting. As of 2026-05-01, KernelCare patches for this CVE are live in the main feed for most major distributions — including CloudLinux 8, RHEL 8, AlmaLinux 9, Rocky Linux 9, Ubuntu 20.04 and 22.04, CentOS 8, and Oracle Linux 8 UEK6. For this CVE we are offering one month of KernelCare free of charge for all servers you have with us — shared hosting, VPS, dedicated, managed or unmanaged, any product type. Send an email to support@yourwebhoster.eu mentioning the server(s) you'd like to activate it for. To confirm coverage for your specific kernel, see the KernelCare patch tracker for CVE-2026-31431.

            4. Always check the official status page of your distribution for the latest updates, since the situation can change hour by hour.

            External status pages

            CloudLinux Status Page — incident 642sgcmntkkk
            status.cloudlinux.com
            KernelCare patch tracker — CVE-2026-31431
            AlmaLinux — CVE-2026-31431 announcement
            Debian Security Tracker — CVE-2026-31431
            Ubuntu Security — CVE-2026-31431
            Red Hat Security — CVE-2026-31431

            Sources & further reading

            copy.fail — original disclosure
            CloudLinux Blog — Kernel Update on CloudLinux
            NVD — CVE-2026-31431
            Xint — write-up
            oss-security — original disclosure mailing list post
            CloudLinux KB — Impact on CloudLinux Systems & KernelCare patching
            Upstream kernel fix (commit a664bf3d603d)

            Questions? Send an email to support@yourwebhoster.eu or open a ticket. This page will be updated as new information or progress becomes available.

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0