Issue
Copy Fail (CVE-2026-31431) is a Linux kernel bug in the crypto component authencesn. It allows a normal local user to make a very specific 4-byte change to the cached contents of any readable file on the system.
In practice, that means a small Python script could tamper a setuid binary and gain root access on most major Linux distros shipped since 2017.
Environment
- CloudLinux
- Kernel
- KernelCare
Solution
CloudLinux 7h:
Update the kernel to version: 4.18.0-553.121.1.lve.el7h from beta repo
yum update 'kernel*' --enablerepo=cl7h_beta
CloudLinux 8:
Update the kernel to version: 4.18.0-553.121.1.lve.el8 from beta repo
yum update 'kernel*' --enablerepo=cloudlinux-updates-testing
CloudLinux 9 and 10:
Patched beta kernels available for CloudLiniux 9 and 10. For additional information please refer to the blog post https://blog.cloudlinux.com/cve-2026-31431-copy-fail-kernel-update
If updating the kernel isn't an option, as a workaround to mitigate the issue, run the following:
grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
rebootThis action would disable the module during server boot, and it will get blacklisted in the end.
KernelCare:
KernelCare live patches for CVE-2026-31431 ("CopyFail") are released to the main feed. For more information, please check our blog post: https://blog.cloudlinux.com/cve-2026-31431-copy-fail-kernel-update
Useful links
- Subscribe to updates on CloudLinux Status Page for this case:
https://cloudlinux.statuspage.io/incidents/642sgcmntkkk - Check out the blog post for more details:
https://blog.cloudlinux.com/cve-2026-31431-copy-fail-mitigation-and-patches
Comments
0 comments
Please sign in to leave a comment.