CVE-2026-31431 / KernelCare?


Michael L

May 4, 2026, 1:53:18 PM
to nlug...@googlegroups.com
Hello NLUG,
Running Ubuntu server for website.  I got the following Action Required email from our webdev consultants who also offer server maintenance; they're recommending KernelCare as a possible service in the event I'm not comfortable doing this myself.

I haven't tried to implement the fix yet, so don't know if I'm capable yet or not; guessing Canonical will soon incorporate patch as part of sudo apt update...  Just thought I'd mention this.  Will of course take NLUG input.

Thanks a million for all of NLUG's help in helping me get this far.  Linux has saved us between $150,000 and $250,000 since Howard White got us started in Aug. 2018.
  M




  
> Dear Valued Customer,
>
> We would like to inform you of a recently disclosed high-severity Linux kernel vulnerability, CVE-2026-31431 ("Copy Fail"). This issue affects a wide range of Linux distributions running kernels released since 2017, including CloudLinux, AlmaLinux, Ubuntu, Debian, and others.
>
> We continuously monitor such advisories and proactively assess their impact across managed environments to ensure timely guidance and mitigation.
>
> ---
> Summary
> - Affects multiple Linux distributions and kernel versions
> - Allows privilege escalation to root from a local user account
> - Requires local access (not directly exploitable remotely)
> - Public exploit is available
> - Fixes are being released by vendors and live-patching providers
> ---
>
> Recommended Option 1: KernelCare Live Patching (Fastest & Least Disruptive)
> The quickest way to protect your server is by using KernelCare, which applies a live patch to the running kernel.
>
> - Mitigates the vulnerability without requiring an immediate reboot
> - Provides protection while vendor updates are being rolled out
> - A reboot may still be scheduled later if a full kernel upgrade is applied
>
> You can review and obtain KernelCare here:
> https://tuxcare.com/enterprise-live-patching-services/kernelcare-enterprise/
>
> If you prefer, our team can handle the installation and configuration for you - simply reply to this email.
>
> Note: While we have seen effective results with KernelCare in similar environments, we recommend reviewing its features, pricing, and suitability for your requirements before proceeding.
>
> ---
> Recommended Option 2: Install Official Vendor Kernel Updates
> You may alternatively apply the vendor-provided patched kernel using your package manager.
>
> Steps:
> 1. Update the system:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> # For CloudLinux / AlmaLinux / RHEL-based systems
> sudo dnf update kernel -y
> # For Ubuntu / Debian systems
> sudo apt update && sudo apt upgrade -y
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 2. Reboot the server to activate the updated kernel:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> sudo reboot
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Updates are already available or being rolled out across distributions. Availability may vary depending on your OS version and mirror synchronisation.
>
> ---
> Temporary Workaround (If Patch Not Yet Available)
> If a patched kernel is not immediately available, a temporary mitigation can be applied to reduce exposure by disabling the affected interface.
>
> For CloudLinux, AlmaLinux, Rocky, CentOS, and RHEL-based systems:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
> sudo reboot
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> For Ubuntu and Debian systems:
> Edit the GRUB configuration:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> sudo nano /etc/default/grub
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Add the following parameter:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> GRUB_CMDLINE_LINUX="initcall_blacklist=algif_aead_init"
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Then apply the changes and reboot:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> sudo update-grub
> sudo reboot
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> This mitigation disables the vulnerable interface and effectively blocks the currently known exploit path.
> It does not impact common services such as SSH, OpenSSL, or IPsec.
>
> ---
> Important Considerations
> A kernel update modifies the core of the operating system. While such updates are routinely handled, there remains a small possibility of issues such as temporary service disruption or, in rare cases, boot failure.
>
> We recommend scheduling this activity during a planned maintenance window to minimise impact.
>
> - Estimated duration: 1-2 hours
> - Downtime is expected during reboot
> - In rare scenarios, console/KVM access from your hosting provider may be required for recovery
>
> Our team routinely performs kernel upgrades across a large number of environments and follows best practices to minimise risk. Should any issues arise, we will assist with investigation and resolution. Please note that extended troubleshooting, if required, may involve additional effort.
>
> ---
> Execution Advisory
> The commands and procedures outlined above should be carried out by individuals with appropriate system administration experience.
>
> Improper execution may lead to service disruption, boot issues, or configuration inconsistencies. Outcomes can vary depending on the server environment, kernel version, and installed software.
>
> If you are not fully confident in performing these actions, we strongly recommend seeking professional assistance. Our team will be happy to handle the implementation safely for you.
>
> ---
> Next Steps
> Please review the options above and let us know how you would like to proceed. We can assist with:
>
> - Installing and configuring KernelCare
> - Performing the vendor kernel update
> - Applying the temporary workaround
>
> Kindly share your preferred option along with a suitable maintenance window, and we will schedule the activity accordingly.
>
> ---
> Thank you for your continued trust in Bobcares.
>
> Best regards,
> Infrastructure Management Services,
> Bobcares

Kent Perrier

May 4, 2026, 2:03:13 PM
to nlug...@googlegroups.com
If you are running a kernel with those functions loaded via a kernel module, you can rmmod the kernel module and blacklist it so it doesn't get loaded again. RHEL and RHEL-alikes have that function compiled into the kernel so the only mitigation is blocking those kernel calls via the kernel boot options. Red Hat's CVE response page has the kernel boot options to add to block them at that level. Of course, this requires a reboot.

IMO, if you are not comfortable doing this then I wouldn't recommend running the whole OS to support your customer's website.

Kent
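
An added example, not part of Kent's message or the vendor email: a shell check that reports which of the cases discussed in this thread applies to a host (boot parameter active in the running kernel, parameter set in /etc/default/grub but not yet active, code built in, or loadable module). It assumes the module that defines algif_aead_init is named algif_aead; the function names and status strings are made up for this example.

```shell
#!/bin/sh
# Added example: which mitigation state is this host in?
# Assumes algif_aead_init lives in the module named algif_aead.

# True if FILE (a kernel command line or /etc/default/grub) sets
# initcall_blacklist= with algif_aead_init in its comma-separated list.
has_boot_param() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | tr -s ' "' '\n\n' |
        grep '^initcall_blacklist=' | cut -d= -f2- | tr ',' '\n' |
        grep -qx 'algif_aead_init'
}

# True if the module is currently loaded (FILE is /proc/modules).
is_loaded() { grep -q '^algif_aead ' "$1" 2>/dev/null; }

# True if the code is compiled into the kernel (FILE is modules.builtin),
# in which case rmmod is not an option.
is_builtin() { grep -q '/algif_aead\.ko$' "$1" 2>/dev/null; }

# Args: cmdline, modules, modules.builtin, grub defaults.
classify() {
    if has_boot_param "$1"; then
        echo "boot-param-active"
    elif has_boot_param "$4"; then
        echo "boot-param-set-but-not-active"   # update-grub and reboot still needed
    elif is_builtin "$3"; then
        echo "builtin-unmitigated"
    elif is_loaded "$2"; then
        echo "module-loaded"
    else
        echo "module-not-loaded"
    fi
}

classify /proc/cmdline /proc/modules \
    "/lib/modules/$(uname -r)/modules.builtin" /etc/default/grub
```

The /etc/default/grub check matches the Ubuntu/Debian procedure in the quoted email; on grubby-managed systems only the /proc/cmdline result is meaningful.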


JP White

May 4, 2026, 4:48:57 PM
to nlug...@googlegroups.com
Copy Fail is patched in Ubuntu updates. Regular sudo apt update/upgrade should do it. It's like falling off a log to do these updates. Of course, as the vendor suggested, find a maintenance window to do this after you have a good backup in your back pocket.

In terms of long-term automated patching, I use Ubuntu Pro for Ubuntu servers. You get 5 free machine instances for individual accounts. For corporations it's a paid service.
Ubuntu Pro comes with a variety of services, one of which is LivePatch, which will (for high-severity CVEs) automatically update the kernel while the server is running.

Read more about Ubuntu Pro at

JP




Kent Perrier

May 5, 2026, 10:14:18 AM
to nlug...@googlegroups.com
Red Hat has released their patches for 8, 9 and 10.
