Copy Fail Vulnerability - CVE-2026-31431

Incident Report for CloudLinux

Update

We have delivered KernelCare patches for several distributions. The available patches on the main feed at the moment are:
K20260501_02 (oel8-uek6)
K20260501_10 (rocky9)
K20260430_07 (alma9.6 esu)
K20260430_13 (alma9.2 esu)

Additionally, patches for these distributions are released on the test feed:
oel7-uek6
cl7h
cl8
oel8
centos8
rhel8
alma8
alma9
cl9
rhel9
pve-7-5.15
ubuntu-focal-lts-jammy-aws
ubuntu-focal-lts-jammy
ubuntu-focal-lts-jammy-azure
ubuntu-jammy-aws
ubuntu-jammy
ubuntu-jammy-azure

A key detail for the patches still on the test feed, is that you need to enable said feed while running the update command:
kcarectl --update --prefix test

Posted May 01, 2026 - 16:28 UTC

Update

Patched kernel has been released into testing repo:
for CloudLinux 8 - 4.18.0-553.121.1.lve.el8.x86_64
for CloudLinux 7h - 4.18.0-553.121.1.lve.el7h.x86_64

for CloudLinux 8:
yum update kernel --enablerepo=cloudlinux-updates-testing

for CloudLinux 7h:
yum update kernel --enablerepo=cl7h_beta

Posted May 01, 2026 - 09:09 UTC

Update

We are continuing to work on a fix for this issue.

Posted May 01, 2026 - 09:08 UTC

Identified

Patched kernel has been released into testing repo:
for CloudLinux 8 - 4.18.0-553.121.1.lve.el8.x86_64
for CloudLinux 7h - 4.18.0-553.121.1.lve.el7h.x86_64

yum update kernel --enablerepo=cloudlinux-updates-testing

Posted May 01, 2026 - 09:02 UTC

Update

We've published a blog post with a lot of up-to-date information on the issue
CVE-2026-31431 (Copy Fail): Mitigation and Upcoming Patches for CloudLinux

Posted Apr 30, 2026 - 16:54 UTC

Update

A temporary workaround has been found

It prevents the algif_aead_init() initialization function from being called during kernel boot.
Please note that applying this workaround requires a reboot!

What needs to be done:
grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
reboot

Posted Apr 30, 2026 - 16:35 UTC

Investigating

Copy Fail (CVE-2026-31431) is a Linux kernel bug in the crypto component authencesn. It allows a normal local user to make a very specific 4-byte change to the cached contents of any readable file on the system. In practice, that means a small Python script could tamper a setuid binary and gain root access on most major Linux distros shipped since 2017.

We're investigating the situation and a patch is on its way for CloudLinux kernels and KernelCare.

Posted Apr 29, 2026 - 21:34 UTC

This incident affects: CloudLinux OS Components (CloudLinux Kernel).