Security

CVE-2026-31431 (Copy Fail): The 9-Year-Old Linux Kernel Flaw Affecting CloudLinux, Ubuntu, RHEL and Beyond

May 01, 2026

Back to Blog
Security May 01, 2026

On April 29, 2026, the security firm Theori disclosed a 9-year-old design flaw at the heart of the Linux kernel: CVE-2026-31431, codenamed Copy Fail. Any user with a shell on the system can run a 732-byte Python script and obtain root. No race condition required — this is more reliable than Dirty Pipe or Dirty Cow.

7.8
CVSS Score
High Severity
732
Bytes to Root
Tiny Python script
9
Years in the Wild
Undetected since 2017
2017
Introduced
algif_aead optimization
In This Article
  1. Affected Systems
  2. How the Exploit Works
  3. Is CloudLinux Specifically Affected?
  4. How Panelica Differs from CloudLinux Stacks
  5. Defense-in-Depth
  6. What You Must Do Now
  7. Quick Diagnostic Commands
  8. Closing Thoughts

Affected Systems

Virtually every major Linux distribution shipped since 2017 is vulnerable:

Distribution Status Notes
Ubuntu 22.04 LTS / 24.04 LTS Affected kernel 6.17.0 and earlier; patch via apt upgrade
Debian (all current branches) Affected Bookworm, Trixie; patch in security channel
Amazon Linux 2023 Affected kernel 6.18.8 and earlier
RHEL 10.1 / Rocky Linux 9.7 Affected kernel 6.12.0; patch via dnf update kernel
AlmaLinux 9.x Affected Patch available in test repository
SUSE 16 Affected SUSE advisory issued
CloudLinux CL7h, CL8, CL9, CL10 Affected KernelCare live patch available; CL9/CL10 via AlmaLinux test repo
CloudLinux CL7 (legacy) Not Affected Legacy kernel branch predates the vulnerable in-place optimization
Warning: If you operate a server and have not applied a kernel update in the last 48 hours, you are almost certainly affected.

How the Exploit Works

The flaw lives in the Linux kernel's algif_aead module — the AEAD socket interface of the kernel's userspace crypto API (AF_ALG). Three separate changes, each reasonable in isolation, interact catastrophically:

  1. 2011 — The authencesn algorithm was added; it uses the destination buffer as scratch space when rearranging IPsec Extended Sequence Number bytes.
  2. 2015 — AEAD support was added to AF_ALG sockets, exposing the crypto subsystem to unprivileged userspace.
  3. 2017 — An in-place optimization in algif_aead.c allowed source and destination scatterlists to share page cache pages.

An attacker chains an AF_ALG socket with splice() to map any readable file's page cache into a writable scatterlist. The authencesn scratch write then places 4 controlled bytes into the page cache — typically targeting /usr/bin/su or another setuid binary. Seconds later: root shell.

Critical: The page cache is shared system-wide. This means Linux container and namespace boundaries are crossed — Docker, LXC, or Linux namespace isolation alone does not stop this attack.

The mainline patch (a664bf3d603d) was committed on April 1, 2026. Distributions are rolling out fixes now.

Is CloudLinux Specifically Affected?

CloudLinux Status Summary

Yes. CloudLinux maintains its own kernel for CL7h and CL8, and uses the AlmaLinux kernel for CL9 and CL10. All four are vulnerable. Only CL7 (the legacy branch) is unaffected.

CloudLinux's response has been fast:

  • KernelCare customers receive the patch as a live patch — no reboot needed.
  • CL9/CL10: patched kernel available in the AlmaLinux test repository.
  • CL7h/CL8: patched kernel is being prepared in the beta channel.
  • Official mitigation advisory published on the CloudLinux blog.
Note: CageFS and LVE are not affected directly — but the kernel underneath them is. CageFS filesystem isolation does not stop a kernel-level page cache attack. If your hosting stack runs on CloudLinux, confirm with your provider that the patch has been applied.

How Panelica Differs from CloudLinux Stacks

CloudLinux ships a custom kernel and stacks proprietary tooling (CageFS, LVE, KernelCare) on top of it. Panelica does not. Panelica is a userspace control panel that runs on the native Linux operating system of your distribution — Ubuntu or Debian.

Concrete differences:

  • No custom kernel. Panelica uses your distribution's stock kernel. Patching CVE-2026-31431 means running apt upgrade linux-image-generic (or dnf update kernel) and rebooting — no extra Panelica kernel to update.
  • No CageFS. Customer filesystem isolation is achieved through native Linux primitives: PID and mount namespaces, SSH chroot jails (sshjailed for SFTP-only, sshfull for limited bash), and Unix UID/GID permissions enforced by UserContextService.WriteFileAsUserSudo().
  • No LVE. Resource limits use cgroups v2 directlycpu.max, memory.max, io.max, pids.max — managed under panelica.slice/panelica-user.slice/panelica-user-{username}.slice/.
  • No KernelCare bundled — but kernel updates are first-class. Panelica Enterprise ships with a built-in package manager. Kernel updates can be installed directly from the panel UI — no SSH session required, no command-line work for the operator. Live (rebootless) patching is not bundled with Panelica. For most operators, a panel-driven kernel update followed by a scheduled reboot is enough. If you specifically need live patching, KernelCare can be installed independently and works on Ubuntu and Debian.
Why This Matters for Copy Fail

Because Panelica relies entirely on the native kernel, the fix is the same fix everyone else applies — a stock distribution kernel update. There is no proprietary middleware between you and the upstream patch. CloudLinux operators must wait for the CL7h/CL8 beta channel or the CL9/CL10 AlmaLinux test repo. Panelica operators on Ubuntu can install the patched kernel the moment Canonical ships it.

The trade-off is honest: CloudLinux operators with KernelCare get rebootless patching out of the box; Panelica operators schedule a maintenance window and reboot. Both reach the same end state — a patched kernel and a Copy Fail mitigated server.

Defense-in-Depth — What Actually Helps

Userspace isolation tools provide partial protection but are not a substitute for the kernel patch. Here is an honest evaluation:

Defense Layer Effective Against Copy Fail?
Cgroups v2 (resource limits) No — the flaw is at the syscall layer
PID + Mount Namespaces No — page cache is shared system-wide
SSH chroot / SFTP-only accounts High — no shell, no script execution
PHP-FPM disable_functions + open_basedir High — exec/system/shell_exec blocked, web shell exploitation is hard
Unix UID/GID permissions No — the attack already runs as an unprivileged user
Docker / LXC containers No — host kernel is shared; exploit reaches root on host
SELinux / AppArmor (default profiles) Limited — default profiles do not block AF_ALG socket creation
Kernel patch (the only real fix) Yes — complete mitigation

The structural advantage of well-designed shared hosting environments:

  • SFTP-only customer accounts cannot launch a Python script directly. The 732-byte exploit needs a shell or scripting runtime.
  • Hardened PHP-FPM pools with exec, system, passthru, shell_exec, popen disabled prevent web-shell-based exploitation.
  • Full SSH access (bash-capable accounts) should be opt-in, granted only to administrators or trusted developers.
Warning: Isolation layers reduce the attack surface but are not a complete fix. Any administrator account with full SSH access can run the exploit. Web shell hardening is never 100% — misconfigured pools or insecure plugins exist. Customer Docker workloads share the host kernel, making a container escape via Copy Fail feasible. The only durable answer is to patch the kernel.

What You Must Do Now

1. Update the Kernel (Permanent Fix)

Ubuntu / Debian:

apt update && apt upgrade -y linux-image-generic
reboot

RHEL / Rocky / AlmaLinux / CloudLinux (without KernelCare):

dnf update -y kernel
reboot

CloudLinux with KernelCare: The patch is delivered as a live patch — no reboot required. Verify with:

kcarectl --info
kcarectl --update

2. Cannot Reboot? Use Temporary Mitigation

For modular kernels (Ubuntu, Debian — CONFIG_CRYPTO_USER_API_AEAD=m):

echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
sudo rmmod algif_aead 2>/dev/null || true

For built-in kernels (RHEL, CloudLinux, AlmaLinux — CONFIG_CRYPTO_USER_API_AEAD=y):

sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
sudo reboot

Verify the module is no longer loadable:

lsmod | grep algif_aead     # expect empty output

3. What Does the Mitigation Break?

For most servers, nothing. The following common services do not depend on AF_ALG:

  • dm-crypt / LUKS disk encryption
  • kTLS, IPsec, SSH
  • OpenSSL and GnuTLS default builds

AF_ALG is used only by a handful of specialised applications (rare in web hosting stacks). Still, test critical services after applying the mitigation.

4. Tighten SSH Access

  • Minimise the number of accounts with full shell access.
  • Provide SFTP-only access for developers and support contractors who do not need a shell.
  • Restrict SSH to known IP ranges where possible.
  • Audit existing accounts: who has shell access, and is it still required?

Quick Diagnostic Commands

Run these on your server to assess exposure:

# Running kernel
uname -r

# All installed kernel images (look for newer ones not yet booted)
apt list --installed 2>/dev/null | grep linux-image | tail -3
# RHEL family:
rpm -qa | grep kernel | tail -3

# Is algif_aead modular or built-in?
grep CRYPTO_USER_API_AEAD /boot/config-$(uname -r)

# Currently loaded?
lsmod | grep algif_aead

# Already blacklisted?
ls /etc/modprobe.d/ | grep -i algif
Note: If uname -r shows a kernel older than the latest available, you must reboot. If algif_aead shows up in lsmod and nothing is in /etc/modprobe.d/, you are exposed.

Closing Thoughts

Copy Fail is a direct hit against the foundational trust boundary of shared servers and multi-tenant environments. The good news: the patch landed quickly, and the temporary mitigation is straightforward. The bad news: the bug was present, exploitable, and unnoticed for nine years.

Action checklist for hosting operators:

  1. Update kernels on all production servers
  2. Reboot, or use KernelCare for live patching
  3. If reboot is not feasible, blacklist algif_aead
  4. Audit which accounts have full SSH shell access
  5. Verify PHP-FPM disable_functions lists across all customer pools
  6. Notify customers running Docker workloads that host kernel patching is required

For CloudLinux operators specifically: confirm with your provider that the CL7h/CL8 beta-channel patch or the CL9/CL10 AlmaLinux test-repo patch has been applied. KernelCare subscribers should verify the live patch is active with kcarectl --info.

Share:

More from the Blog

Security

cPanel Auth Bypass Crisis (CVE-2026-41940): Why Panelica Customers Are Not Affected

A CVSS 9.8 authentication bypass in cPanel (CVE-2026-41940) exposed the entire hosting industry. Here is a technical breakdown of the exploit and why Panelica\u2019s architecture makes this class of attack structurally impossible.

Apr 30, 2026
Read more
Announcement

Panelica Now Officially Supports Ubuntu 26.04 LTS — Resolute Raccoon Ready

Ubuntu 26.04 LTS "Resolute Raccoon" is out. Panelica is officially compatible from day one — fully tested across all 20 services, 5-layer isolation, and 246 API endpoints on Kernel 7.0.

Apr 25, 2026
Read more
Security

The MySQL 9.7 cPanel Meltdown: Why Upstream Trust Without Guardrails Breaks Production

On April 21, 2026, a MySQL repository metadata bug caused thousands of cPanel servers to silently upgrade to MySQL 9.7 overnight. Here is what happened, why cPanel servers had no structural defense, and how Panelica's build pipeline prevents this class of failure.

Apr 23, 2026
Read more
Announcement

Hosting Panel Benchmark 2026: Installation, Memory, Security Compared

Independent benchmark of Panelica, cPanel, Plesk, HestiaCP, CloudPanel, and CyberPanel on identical hardware. Real numbers on install time, RAM usage, disk footprint, and default security.

Apr 13, 2026
Read more
Tutorial

How Agencies Are Replacing cPanel: Docker, Git Deploy, and Modern Workflows

Why web agencies and development teams are moving away from cPanel. Covers the shift to Git-based deployment, Docker containers, and panels built for developer workflows.

Apr 30, 2026
Read more
See the Demo