This vulnerability gives attackers that can run commands locally an immediate path to full system compromise. Please apply the fixes described below it as soon as possible if you haven't done already.

Copy Fail — CVE-2026-31431 is a critical Linux kernel vulnerability that allows any unprivileged local user to escalate privileges to root. The issue originates from a flaw in the algif_aead cryptographic subsystem, which enables a controlled write into the page cache of readable files. This makes it possible to modify in‑memory SUID binaries and gain full system control.

All major Linux distributions released from 2017 are affected unless patched.

Kernel patches are not available yet for the different Operating System flavours supported on the EWC, but there are interim mitigations that must be applied while waiting for the proper fix.

You must apply the same mitigations right after provisioning any new instances until we release a new set of patched images with the fixes in place.

Risk Level: When This Vulnerability Is Dangerous

Copy Fail (CVE‑2026‑31431) can only be exploited by someone who is able to run local commands on your virtual machine. This means the real‑world risk depends on how your system is exposed and who can access it.

High‑Risk Scenarios (Immediate Action Required)

Your system is at high risk if any of the following are true:

The VM is externally accessible (SSH open to the internet, public endpoints, jump hosts, etc.).
You have local users who are not already trusted with root privileges.

In these cases, an attacker who gains any local foothold can escalate to root instantly.

Low‑Risk Scenarios (Not Urgent, but Still Recommended)

The urgency is lower if:

Your VM is not externally exposed,
All users already have root access

In these situations, the vulnerability is still present, but the practical risk of exploitation is minimal because no untrusted user can execute local commands.

Interim fix for Rocky 8

The following command will reboot your machine.

grep -q 'initcall_blacklist=algif_aead_init' /etc/default/grub || sudo sed -i -E 's/^(GRUB_CMDLINE_LINUX_DEFAULT=")([^"]*)"/\1\2 initcall_blacklist=algif_aead_init"/' /etc/default/grub; sudo grub2-mkconfig -o /boot/grub2/grub.cfg; sudo reboot

Interim fix for Rocky 9

The following command will reboot your machine.

sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"; sudo reboot

Interim fix for Ubuntu 22.04

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf && rmmod algif_aead

Interim fix for Ubuntu 24.04

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf && rmmod algif_aead

Interim fix for k8s clusters that use EWC images

Setup

Install krew
install kubecl-node-shell
export KUBECONFIG=path/to/file

One-line command to patch all ubuntu nodes

kubectl get nodes -o name|xargs -I "{}"  kubectl node-shell '{}' -n kube-system -- bash -c 'echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf && rmmod algif_aead'

Note: message rmmod: ERROR: Module algif_aead is not currently loaded might pop-up. but the solution worked nevertheless.