Overview
Description
Statistics
- 25 Posts
- 33 Interactions
Fediverse
About the kernel vulnerability (CVE-2026-31431) known as #CopyFail (more information: https://copy.fail)
Just to let you know that patches are already available for most of the best-known distributions:
Ubuntu announcement: https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
Debian Security Tracker: https://security-tracker.debian.org/tracker/CVE-2026-31431
AlmaLinux announcement: https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
Rocky Linux announcement: https://kb.ciq.com/article/rocky-linux/rl-cve-2026-31431-mitigation
Arch Linux Security Tracker: https://security.archlinux.org/CVE-2026-31431
AlmaLinux released critical kernel patches to fix Copy Fail (CVE-2026-31431), a high-severity vulnerability. Update your AlmaLinux systems today.
Full details here: https://ostechnix.com/almalinux-copy-fail-cve-2026-31431-fix/
#Copyfail #CVE202631431 #Almalinux #Linuxkernel #Patch #Linuxsecurity
732 bytes to root on every major Linux distro. No race condition. 100% reliable.
That's CVE-2026-31431 (Copy Fail) and it crosses container boundaries, which makes the flood of AI agent sandboxing content this week land differently.
Containers vs gVisor vs microVMs vs Wasm, Lima + libvirt setups, NixOS MicroVMs — all worth a read now.
Also: Claude Code agent teams, PS5 running Linux, Greg KH hunting kernel bugs with a local LLM, and a $20 SFP for 26ns NTP accuracy.
https://www.underkube.com/2026-05-03-what-edu-is-reading-this-week-apr-27-may-3-2026/
⚠️ A new #Linux flaw is now under active exploitation.
CISA added CVE-2026-31431 to its KEV list. The bug lets low-privilege users gain full root access. Patches released.
Fix deadline: May 15, 2026.
Read: https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html
Copy.fail: a small Linux kernel bug with an unusually big blast radius https://jorijn.com/en/blog/copy-fail-cve-2026-31431-linux-kernel-bug-explained/
No setuid. No interactive users. No Python. No shell. Talos Linux barely flinched at Copy Fail. The kernel's still vulnerable and patched kernels shipped before disclosure, but the defaults carried the day. - https://www.siderolabs.com/blog/exploit-fail-cve-2026-31431-copy-fail-barely-scratches-talos-linux
@zhenech probably judging by though the verdict is still out apart from v3.1 self assessed. Linux kernel pfft, who do they think they are. ;)
https://nvd.nist.gov/vuln/detail/CVE-2026-31431
So your CISO is a beancounter?
Microsoft's Copy Fail threat report expects exploitation to ramp up soon. CISA added it to KEV on May 1. Five-phase attack chain, and the TLDR: treat any container RCE as potential host compromise. 732 bytes to root. - https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/
CVE-2026-31431, also known as CopyFail, is a Local Privilege Escalation (LPE) vulnerability in which an attacker can escalate an already compromised and authenticated standard user to root privileges, which are the highest privileges on the host. This vulnerability affects most popular Linux distributions, as well as many virtualized and hardware environments where Linux is present.
The vulnerability is present in the algif_aead module of the Linux kernel, which is responsible for hardware-accelerated cryptography. Canonical, the company behind Ubuntu, pushed out an update that disables the algif_aead module to mitigate the CopyFail vulnerability; however, Canonical notes that this mitigation will not be necessary once the kernel is updated.
Disabling the affected module should make applications fall back from hardware-accelerated cryptography to userspace cryptographic functions. However, because of the complexity and variation of configurations across many environments, it is recommended to test this mitigation in staging first, as some applications may not include or support userspace cryptographic functions. A reboot is also recommended to complete the mitigation, as some applications may require a reboot to trigger the fallback.
To protect systems running Ubuntu and Ubuntu-based distributions against this vulnerability, follow the steps below:
Open a terminal and type:
1. apt changelog kmod
This checks the changelog for the version of the kmod tool currently installed on your system and shows a list of changes, which will confirm whether the CopyFail vulnerability was mitigated. Check the top entry to confirm the mitigation, as shown in the attached screenshot. If the top entry mentions "* Disable loading of algif_aead module to mitigate CVE-2026-31431", you already have the update installed that mitigates the CopyFail vulnerability, but if there is no mention of the CVE, continue with the steps below.
2. sudo apt-get update
This will update your package index files so you can install newly released updates.
3. sudo apt-get install --only-upgrade kmod
This command will upgrade only kmod, a tool used to configure kernel modules on Ubuntu; the new release contains the mitigation for your current kernel.
4. sudo reboot
This will reboot the operating system.
5. apt changelog kmod
Repeat the command from the first step to confirm whether the mitigation is in place. The top entry should now say "* Disable loading of algif_aead module to mitigate CVE-2026-31431".
#Ubuntu #Canonical #CopyFail #Linux #CVE #Mitigation #Cyber #CyberSecurity
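The check from steps 1 and 5 of the post above, scripted for use across many hosts, as an added example that is not part of the original post or Canonical's tooling. It follows the post's "top entry" criterion and also reports whether algif_aead is still loaded (the reason the post recommends a reboot); the function names and the sample changelog are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data is constructed.

MITIGATION_LINE='Disable loading of algif_aead module to mitigate CVE-2026-31431'

# Reads `apt changelog kmod` output on stdin. Succeeds only if the TOP
# entry (everything before the first " -- maintainer" trailer) has the line.
top_entry_mitigated() {
    awk -v want="$MITIGATION_LINE" '
        /^ -- /         { exit }       # trailer closes the top entry
        index($0, want) { found = 1 }
        END             { exit (found ? 0 : 1) }
    '
}

# Succeeds if algif_aead is currently loaded. $1 is a file in
# /proc/modules format (defaults to the real /proc/modules).
algif_aead_loaded() {
    grep -q '^algif_aead ' "${1:-/proc/modules}"
}

# Constructed changelog; package versions and maintainer are placeholders.
sample_changelog() {
    cat <<'EOF'
kmod (0.0-placeholder2) stable; urgency=medium

  * Disable loading of algif_aead module to mitigate CVE-2026-31431

 -- Placeholder Maintainer <maint@example.invalid>  Fri, 01 May 2026 00:00:00 +0000

kmod (0.0-placeholder1) stable; urgency=medium

  * Unrelated earlier change

 -- Placeholder Maintainer <maint@example.invalid>  Thu, 01 Jan 2026 00:00:00 +0000
EOF
}

# One-line report combining both checks. On a real host:
#   apt changelog kmod | report /proc/modules
report() {
    if top_entry_mitigated; then cl=yes; else cl=no; fi
    if algif_aead_loaded "$1"; then ld=yes; else ld=no; fi
    echo "changelog_mitigation=$cl module_loaded=$ld"
}
```

A host reporting `changelog_mitigation=yes module_loaded=yes` has the updated kmod installed but still has the module resident from before the update, which is the state the reboot in step 4 clears.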
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-31431, a Linux root access bug also known as Copy Fail, to its Known Exploited Vulnerabilities catalog due to active exploitation. This privilege escalation flaw allows unprivileged local users to gain root access by corrupting the kernel's page cache, posing a significant risk to cloud and containerized environments.
https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html
I don't know if this helps, but I don't see your kernel listed here: https://debiansupport.com/blog/copy-fail-cve-2026-31431-mitigation/
Edit to add that I also have not seen any differentiation between arm and x86_64 vulnerabilities (in general, not just pi-related).
@clock whilst I was doom-scrolling, this popped up from a few hours ago. I kinda think you're ok since you're on 6.x.
https://explains.social/@veronica/statuses/01KQQZ6X8QEKPBZQYXCA86XW0Y
also:
https://security-tracker.debian.org/tracker/CVE-2026-31431
The Internet Last Week
* Ubuntu/Canonical DDoS
https://status.canonical.com/#/incident/KNms6QK9ewuzz-7xUsPsNylV20jEt5kyKsd8A-3ptQEHpOd8VQ40ZQs-KD81fboQXeGZB94okNHdHBGlCv58Sw==
https://techcrunch.com/2026/05/01/ubuntu-services-hit-by-outages-after-ddos-attack/
* Linux copy.fail vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2026-31431
https://xint.io/blog/copy-fail-linux-distributions
* GitHub availability
https://github.blog/news-insights/company-news/an-update-on-github-availability/
https://www.githubstatus.com/incidents/ql942tw29yl6
https://www.githubstatus.com/incidents/dbypmw7h77l5
https://www.githubstatus.com/incidents/vq183jvj6vrw
* cPanel/WHM vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2026-41940
https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
https://censys.com/blog/the-cpanel-situation-is/
Bluesky
Overview
Description
Statistics
- 12 Posts
- 13 Interactions
Fediverse
CVE-2026-41940: the cPanel CRLF bug that handed 44,000 servers to the “Sorry” ransomware
#CyberSecurity
https://insicurezzadigitale.com/cve-2026-41940-il-bug-crlf-di-cpanel-che-ha-consegnato-44-000-server-al-ransomware-sorry/
APT Campaign Exploits cPanel CVE-2026-41940 to Breach Government and Military Servers Across South-East Asia
#CyberSecurity
https://securebulletin.com/apt-campaign-exploits-cpanel-cve-2026-41940-to-breach-government-and-military-servers-across-south-east-asia/
2026-W18 — Weekly Threat Roundup
🚨 Critical cPanel authentication bypass (CVE-2026-41940) under mass exploitation for ransomware deployment
🔗 Supply chain attacks hit SAP packages and PyTorch Lightning, stealing developer credentials
👮 Two US cybersecurity professionals sentenced to 4 years for conducting BlackCat ransomware at…
CVE-2026-41940: the cPanel CRLF bug that handed 44,000 servers to the “Sorry” ransomware
A critical CVSS 9.8 vulnerability in the world's most widely used hosting control panel, silently exploited for months before the patch, allowed a criminal group to compromise more than 44,000 servers and deploy the “Sorry” ransomware. The technique: a CRLF injection in cPanel's authentication daemon that allows root access without credentials.
Bluesky
Overview
- GeoVision Inc.
- GV-VMS V20.0.2
Description
Statistics
- 1 Post
Fediverse
🚨 CVE-2026-42369 (CRITICAL, CVSS 10): GeoVision GV-VMS V20.0.2 stack overflow in gvapi endpoint lets unauthenticated remote attackers execute code as SYSTEM. Restrict remote access, monitor for patches. https://radar.offseq.com/threat/cve-2026-42369-cwe-787-out-of-bounds-write-in-geov-0757b787 #OffSeq #CVE202642369 #infosec #zeroday
Overview
Description
Statistics
- 1 Post
Overview
- cyberhobo
- Geo Mashup
Description
Statistics
- 1 Post
Fediverse
🚨 HIGH severity: CVE-2026-4061 affects Geo Mashup ≤1.13.18 (WordPress). Unauthenticated SQL injection via 'map_post_type' lets attackers extract sensitive DB data if Geo Search is enabled. Disable Geo Search for now. https://radar.offseq.com/threat/cve-2026-4061-cwe-89-improper-neutralization-of-sp-374a2408 #OffSeq #WordPress #Vuln
Overview
- Edimax
- BR-6208AC
Description
Statistics
- 1 Post
Fediverse
🚨 HIGH severity buffer overflow in Edimax BR-6208AC (≤1.02) via /goform/setWAN. Exploit public, no vendor fix. Monitor and segment affected devices! CVE-2026-7685 https://radar.offseq.com/threat/cve-2026-7685-buffer-overflow-in-edimax-br-6208ac-c0df4819 #OffSeq #Vuln #IoTSecurity
Overview
Description
Statistics
- 1 Post
Fediverse
⚠️ CVE-2026-7712: MEDIUM severity deserialization vuln in MindsDB ≤26.01 (pickle.loads). Public exploit available, remote attack possible. No vendor response yet. Check your exposure. https://radar.offseq.com/threat/cve-2026-7712-deserialization-in-mindsdb-da28edb5 #OffSeq #MindsDB #Vuln #Deserialization
Overview
- Totolink
- WA300
Description
Statistics
- 1 Post
Fediverse
Totolink WA300 (5.2cu.7112_B20190227) faces a CRITICAL buffer overflow (CVE-2026-7719) via http_host in /cgi-bin/cstecgi.cgi. Public exploit out, no patch yet. Limit exposure, monitor closely. https://radar.offseq.com/threat/cve-2026-7719-buffer-overflow-in-totolink-wa300-e943f95d #OffSeq #Vuln #IoTSecurity #CVE20267719
Overview
- Sudo project
- Sudo
Description
Statistics
- 1 Post
Overview
- Spring
- Spring Boot
Description
Statistics
- 1 Post