Dear de.NBI Cloud Tübingen users,
researchers discovered another Local Privilege Escalation vulnerability referred to as _Copy Fail_ (CVE-2026-31431) which affects recent, unpatched Linux kernels.
As far as we know, only rolling-release Linux distributions have patched kernels so far.
See https://copy.fail/ for more details.
We advise using
https://github.com/rootsecdev/cve_2026_31431/blob/main/test_cve_2026_31431.py
to test whether you are vulnerable.
This warning is especially relevant if you have less trustworthy local users or code, as in a Slurm cluster, or if you are running containers, as the vulnerability also allows escaping from containers.
Please do the following on your systems:
- Test if you are vulnerable (probably yes)
- Update to a patched kernel if available (unlikely)
- Mitigate, either (works on Ubuntu)
> echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
> rmmod algif_aead 2>/dev/null || true
or, if the above doesn't work (probably necessary on Red Hat-based distros)
> grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
> reboot
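One way to confirm that either mitigation is actually in effect on the running kernel (an added example, not part of the original announcement; the function names are hypothetical, and the `modules.builtin` check rests on the assumption that the modprobe rule cannot help when algif_aead is compiled into the kernel):

```sh
#!/bin/sh
# Added example: checks whether the advisory's algif_aead mitigations are in effect.
# Function names are hypothetical. File paths are parameters so the checks can be
# run against fixtures; with no arguments the live system files are read.

# True if algif_aead is currently loaded as a module.
module_loaded() {
    grep -qs '^algif_aead ' "${1:-/proc/modules}"
}

# True if a modprobe.d file redirects loading of algif_aead to /bin/false.
modprobe_blocked() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false' \
        "${1:-/etc/modprobe.d}"/*.conf
}

# True if the kernel command line blacklists algif_aead_init
# (initcall_blacklist accepts a comma-separated list).
initcall_blocked() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" | sed -n 's/^initcall_blacklist=//p' |
        tr ',' '\n' | grep -qx 'algif_aead_init'
}

# Assumption: if algif_aead is compiled into the kernel it is listed in
# modules.builtin, and a modprobe rule cannot keep it from initialising.
module_builtin() {
    grep -qs '/algif_aead\.ko' "${1:-/lib/modules/$(uname -r)/modules.builtin}"
}

# Prints a verdict; returns 0 only if one of the two mitigations is effective.
# Arguments: modules file, cmdline file, modprobe.d directory, modules.builtin file.
mitigation_status() {
    if initcall_blocked "$2"; then
        echo "mitigated: initcall_blacklist=algif_aead_init is active"; return 0
    fi
    if module_builtin "$4"; then
        echo "NOT mitigated: algif_aead is built in; use initcall_blacklist"; return 1
    fi
    if module_loaded "$1"; then
        echo "NOT mitigated: algif_aead is still loaded; run rmmod"; return 1
    fi
    if modprobe_blocked "$3"; then
        echo "mitigated: module not loaded and modprobe rule present"; return 0
    fi
    echo "NOT mitigated: no modprobe rule; the module can still be loaded"; return 1
}
```

Called without arguments, `mitigation_status` reads the live system files; because it inspects `/proc/cmdline`, a grubby change that has not yet been followed by a reboot is reported as not mitigated.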
Afterwards
- check for signs of compromise:
  - are there any public keys you don't know about
  - do the setuid binaries have the correct checksum
  - are there additional setuid binaries on the system
  - was the sudoers config altered
  - were the group memberships altered
  - are there unknown processes or services
- if so notify us
- on multi-user or container systems: rotate/disable all of your potentially compromised private keys and passwords.
If you have questions, contact us via denbi@zdv.uni-tuebingen.de.
On behalf of the de.NBI Cloud Tübingen team,
Fabian Paz