Sobre la vulnerabilidad del Kernel (CVE-2026-31431) conocida con el nombre #CopyFail (más información: https://copy.fail)

Comentaros que ya existen parches disponibles para la mayoría de distribuciones más conocidas:

Anuncio de Ubuntu: https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available

Security Tracker de Debian: https://security-tracker.debian.org/tracker/CVE-2026-31431

Anuncio de AlmaLinux: https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available

Anuncio de Rocky Linux: https://kb.ciq.com/article/rocky-linux/rl-cve-2026-31431-mitigation

Security Tracker de Arch Linux: https://security.archlinux.org/CVE-2026-31431

Heise berichtet: Die Linux-Lücke „Copy Fail“ (CVE-2026-31431) wird bereits aktiv ausgenutzt — lokaler Root-Zugriff. Admins sollten sofort verfügbare Kernel-Updates/Packages einspielen. Details & PoC: https://www.heise.de/news/Linux-Luecke-Copy-Fail-wird-bereits-angegriffen-11279850.html 🔥🛡️🐧 #Linux #Security #CVE202631431

Edit/Korrektur: Laut @giggls
ist ein Container-Escape nicht möglich.

AlmaLinux released critical kernel patches to fix Copy Fail (CVE-2026-31431), a high-severity vulnerability. Update your AlmaLinux systems today.

Full details here: https://ostechnix.com/almalinux-copy-fail-cve-2026-31431-fix/

#Copyfail #CVE202631431 #Almalinux #Linuxkernel #Patch #Linuxsecurity

Security teams: "Copy Fail" (CVE-2026-31431) is now being exploited — a local→root Linux kernel LPE affecting many distros since 2017. Patches are available; update immediately. Details: https://www.heise.de/en/news/Linux-vulnerability-Copy-Fail-is-already-being-attacked-11279917.html 🚨🛡️ #Linux #infosec #CVE202631431

⚠️ A new #Linux flaw is now under active exploitation.

CISA added CVE-2026-31431 to its KEV list. The bug lets low-privilege users gain full root access. Patches released.

Fix deadline: May 15, 2026.

Read: https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html

Copy.fail: a small Linux kernel bug with an unusually big blast radius https://jorijn.com/en/blog/copy-fail-cve-2026-31431-linux-kernel-bug-explained/

@zhenech probably judging by though the verdict is still out apart from v3.1 self assessed. Linux kernel pfft, who do they think they are. ;)

https://nvd.nist.gov/vuln/detail/CVE-2026-31431

So your CISO is a beancounter?

Microsoft's Copy Fail threat report expects exploitation to ramp up soon. CISA added it to KEV on May 1. Five-phase attack chain, and the TLDR: treat any container RCE as potential host compromise. 732 bytes to root. - https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/

@besendorf für Debian https://security-tracker.debian.org/tracker/CVE-2026-31431

CVE-2026-31431, also known as CopyFail, is a Local Privilege Escalation (LPE) vulnerability in which an attacker can escalate an already compromised and authenticated standard user to root privileges, which are the highest privileges on the host. This vulnerability affects most popular Linux distributions, as well as many virtualized and hardware environments where Linux is present.

The vulnerability is present in the algif_aead module of the Linux kernel, which is responsible for hardware-accelerated cryptography. Canonical, the company behind Ubuntu, pushed out an update that disables the algif_aead module to mitigate the CopyFail vulnerability, however, Canonical notes that this mitigation will not be necessary once the kernel is updated.

Disabling the affected module should make applications fallback from hardware-accelerated cryptography to userspace cryptographic functions. However, because of the complexity and variation of configurations across many environments, it is recommended to test this mitigation in staging first, as some applications may not include or support userspace cryptographic functions. A reboot is also recommended to complete the mitigation, as some applications may require a reboot to trigger the fallback.

To protect systems running Ubuntu and Ubuntu-based distributions against this vulnerability, follow the steps below:

Open a terminal and type:

1. apt changelog kmod

This checks the changelog for the version of the kmod tool currently installed on your system and shows a list of changes, which will confirm whether the CopyFail vulnerability was mitigated. Check the top entry to confirm the mitigation, as shown in the attached screenshot, if the top entry mentions "* Disable loading of algif_aead module to mitigate CVE-2026-31431", you already have the update installed that mitigates the CopyFail vulnerability but if there is no mention of the CVE, continue with the steps below.

2. sudo apt-get update

This will update your package index files so you can install newly released updates.

3. sudo apt-get install --only-upgrade kmod

This command will upgrade only kmod, a tool used to configure kernel modules on Ubuntu, the new release contains the mitigation for your current kernel.

4. sudo reboot

This will reboot the operating system.

5. apt changelog kmod

Repeat the command from the first step to confirm whether the mitigation is in place. The top entry should now say "* Disable loading of algif_aead module to mitigate CVE-2026-31431".

#Ubuntu #Canonical #CopyFail #Linux #CVE #Mitigation #Cyber #CyberSecurity

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-31431, a Linux root access bug also known as Copy Fail, to its Known Exploited Vulnerabilities catalog due to active exploitation. This privilege escalation flaw allows unprivileged local users to gain root access by corrupting the kernel's page cache, posing a significant risk to cloud and containerized environments.
https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html

@clock

I don't know if this helps, but I don't see your kernel listed here: https://debiansupport.com/blog/copy-fail-cve-2026-31431-mitigation/

Edit to add that I also have not seen any differentiation between arm and x86_64 vulnerabilities (in general, not just pi-related).

@clock whilst I was doom-scrolling, this popped up from a few hours ago. I kinda think you're ok since you're on 6.x.

https://explains.social/@veronica/statuses/01KQQZ6X8QEKPBZQYXCA86XW0Y

also:
https://security-tracker.debian.org/tracker/CVE-2026-31431

60 Sekunden Cyber KW18 2026, 27. April - 3. Mai:

Daten von Kunden und Benutzern von Vimeo werden von der Gruppierung ShinyHunters ins Dark Net gestellt, Sicherheitsforscher finden mit Copy Fail eine seit 2017 (!) bestehende Schwachstelle (CVE-2026-31431), mit der man root-Zugriff auf allen bekannteren Linux-Distributionen erhalten kann, das NGO noyb klagt gegen die Hamburger

https://www.60-sekunden-cyber.de/kw18-2026/

#cyber #cybersicherheit #itsicherheit #itsecurity #infosec #threatint #threatintel #news #update

The Internet Last Week

* Ubuntu/Canonical DDoS
https://status.canonical.com/#/incident/KNms6QK9ewuzz-7xUsPsNylV20jEt5kyKsd8A-3ptQEHpOd8VQ40ZQs-KD81fboQXeGZB94okNHdHBGlCv58Sw==
https://techcrunch.com/2026/05/01/ubuntu-services-hit-by-outages-after-ddos-attack/
* Linux copy.fail vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2026-31431
https://xint.io/blog/copy-fail-linux-distributions
* GitHub availability
https://github.blog/news-insights/company-news/an-update-on-github-availability/
https://www.githubstatus.com/incidents/ql942tw29yl6
https://www.githubstatus.com/incidents/dbypmw7h77l5
https://www.githubstatus.com/incidents/vq183jvj6vrw
* cPanel/WHM vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2026-41940
https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
https://censys.com/blog/the-cpanel-situation-is/

#Ubuntu #Linux #GitHub #cPanel #WHM #Outages #DDoS

CVE-2026-41940: il bug CRLF di cPanel che ha consegnato 44.000 server al ransomware “Sorry”
#CyberSecurity
https://insicurezzadigitale.com/cve-2026-41940-il-bug-crlf-di-cpanel-che-ha-consegnato-44-000-server-al-ransomware-sorry/

APT Campaign Exploits cPanel CVE-2026-41940 to Breach Government and Military Servers Across South-East Asia
#CyberSecurity
https://securebulletin.com/apt-campaign-exploits-cpanel-cve-2026-41940-to-breach-government-and-military-servers-across-south-east-asia/

cPanel / WHM vuln

https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/

CVE-2026-41940: il bug CRLF di cPanel che ha consegnato 44.000 server al ransomware “Sorry”

https://insicurezzadigitale.com/cve-2026-41940-il-bug-crlf-di-cpanel-che-ha-consegnato-44-000-server-al-ransomware-sorry/

The Internet Last Week

* Ubuntu/Canonical DDoS
https://status.canonical.com/#/incident/KNms6QK9ewuzz-7xUsPsNylV20jEt5kyKsd8A-3ptQEHpOd8VQ40ZQs-KD81fboQXeGZB94okNHdHBGlCv58Sw==
https://techcrunch.com/2026/05/01/ubuntu-services-hit-by-outages-after-ddos-attack/
* Linux copy.fail vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2026-31431
https://xint.io/blog/copy-fail-linux-distributions
* GitHub availability
https://github.blog/news-insights/company-news/an-update-on-github-availability/
https://www.githubstatus.com/incidents/ql942tw29yl6
https://www.githubstatus.com/incidents/dbypmw7h77l5
https://www.githubstatus.com/incidents/vq183jvj6vrw
* cPanel/WHM vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2026-41940
https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
https://censys.com/blog/the-cpanel-situation-is/

#Ubuntu #Linux #GitHub #cPanel #WHM #Outages #DDoS

🚨 CVE-2026-42369 (CRITICAL, CVSS 10): GeoVision GV-VMS V20.0.2 stack overflow in gvapi endpoint lets unauthenticated remote attackers execute code as SYSTEM. Restrict remote access, monitor for patches. https://radar.offseq.com/threat/cve-2026-42369-cwe-787-out-of-bounds-write-in-geov-0757b787 #OffSeq #CVE202642369 #infosec #zeroday

🌐 CVE-2026-42368 | CRITICAL privilege escalation in GeoVision GV-LPC2011/LPC2211 v1.10. Remote attackers can gain full control via crafted HTTP requests. No patch — restrict web interface access & monitor traffic. Details: https://radar.offseq.com/threat/cve-2026-42368-cwe-266-incorrect-privilege-assignm-b84e399c #OffSeq #Vuln #IoT #CyberSecurity

🚨 CVE-2026-29200: CRITICAL IDOR in WebPros Comet Backup (20.11.0 – 26.1.1, 26.2.1) lets tenant admins impersonate any end user on the server. No patch yet — restrict admin access and monitor for suspicious cross-tenant activity. https://radar.offseq.com/threat/cve-2026-29200-cwe-639-insecure-direct-object-refe-d3747bfb #OffSeq #infosec #CVE202629200

⚠️ CVE-2026-7712: MEDIUM severity deserialization vuln in MindsDB ≤26.01 (pickle.loads). Public exploit available, remote attack possible. No vendor response yet. Check your exposure. https://radar.offseq.com/threat/cve-2026-7712-deserialization-in-mindsdb-da28edb5 #OffSeq #MindsDB #Vuln #Deserialization

Totolink WA300 (5.2cu.7112_B20190227) faces a CRITICAL buffer overflow (CVE-2026-7719) via http_host in /cgi-bin/cstecgi.cgi. Public exploit out, no patch yet. Limit exposure, monitor closely. https://radar.offseq.com/threat/cve-2026-7719-buffer-overflow-in-totolink-wa300-e943f95d #OffSeq #Vuln #IoTSecurity #CVE20267719

#OT #Advisory VDE-2026-046
VEGA: Unsecured Configuration Interface Allows Unauthorized Access Leading to Privilege Escalation

Vulnerable components expose sensitive information to unauthorized actors through an unsecured configuration interface. Vulnerable firmware releases contain an unsecured configuration interface that allows retrieval of sensitive information such as hashed credentials.
#CVE CVE-2026-3323

https://certvde.com/en/advisories/vde-2026-046/

#CSAF https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-046.json