#CopyFail **UPDATE 2025-05-05:** Red Hat has released the kernel updates for Red Hat Enterprise Linux 9 and 10. So if you followed the steps I described in this thread, you can now simply do

dnf update

on affected machines to get the new kernel and do a

grubby --update-kernel=ALL --remove-args='initcall_blacklist=algif_aead_init'

to remove the mitigation described in this post, before you finish the process with a

reboot

to switch to the fixed kernel.

https://access.redhat.com/security/cve/cve-2026-31431

Heise berichtet: Die Linux-Lücke „Copy Fail“ (CVE-2026-31431) wird bereits aktiv ausgenutzt — lokaler Root-Zugriff. Admins sollten sofort verfügbare Kernel-Updates/Packages einspielen. Details & PoC: https://www.heise.de/news/Linux-Luecke-Copy-Fail-wird-bereits-angegriffen-11279850.html 🔥🛡️🐧 #Linux #Security #CVE202631431

Edit/Korrektur: Laut @giggls
ist ein Container-Escape nicht möglich.

Kritische #Kernel #Lücke bedroht zahlreiche #Linux Systeme - #fosstopia

#IT #Security #Forscher haben eine schwere #Schwachstelle im #Linux_Kernel offengelegt (CVE-2026-31431). Die Lücke trägt den Namen Copy Fail und erlaubt lokalen Nutzern den Zugriff auf höchste Systemrechte (root). Angreifer können gezielt vier Bytes in den Seitencache beliebiger Dateien schreiben und so die Kontrolle über ein System übernehmen...

https://fosstopia.de/kritische-kernel-lucke-26/

Security teams: "Copy Fail" (CVE-2026-31431) is now being exploited — a local→root Linux kernel LPE affecting many distros since 2017. Patches are available; update immediately. Details: https://www.heise.de/en/news/Linux-vulnerability-Copy-Fail-is-already-being-attacked-11279917.html 🚨🛡️ #Linux #infosec #CVE202631431

AlmaLinux 10.2 Beta is now live!

The release team of AlmaLinux, which is a free binary-compatible alternative to a commercial Linux distribution, Red Hat Enterprise Linux, has just released the beta version of the upcoming point release, which is AlmaLinux v10.2.

This beta version of AlmaLinux brings many improvements over the current version, which is version v10.1. The version is available for the following architectures listed:

• Intel/AMD (x86_64)
• Intel/AMD (x86_64_v2)
• Intel/AMD 32-bit (i686) (userspace only, no installation)
• ARM64 (aarch64)
• IBM PowerPC (ppc64le)
• IBM Z (s390x)

However, this beta version of AlmaLinux is not a production release, and is not guaranteed to be stable, especially when it comes to production installations. For users who rely on stability, you’ll have to wait until the official release. If you are curious about this beta version, and you intend to test and to report bugs and issues, you can download the beta version here.

AlmaLinux 10.2 brings i686 userspace packages to enable legacy 32-bit software, CI pipelines, and containerized workloads for users who rely on them in their workflow. It also presents you with updated toolsets and packages, such as the updated MariaDB 11.8, PHP 8.4, and Python 3.14. Security updates have also been provided, such as OpenSSL, Keylime, and SELinux policies, to enhance your computer’s security and to reduce attack vectors.

Also, a severe vulnerability that was left unnoticed since 2017, called Copy Fail (CVE-2026-31431) that exposed a flaw in authencesn, has been patched in this version of AlmaLinux, along with versions v10.x, v9.x, and v8.x.

You can learn more about this beta version here.

Heads up: CVE-2026-31431 (Copy Fail) is a kernel crypto vulnerability affecting Rocky Linux. Our community is on it: tracking patches and sharing Rocky-specific guidance as it develops.

If you're running Rocky in production, check the forum thread for the latest:

https://forums.rockylinux.org/t/cve-2026-31431-copy-fail-linux-kernel-crypto-vulnerability/20375/8
#RockyLinux #LinuxSecurity #OpenSource

"CISA flags actively exploited ‘Copy Fail’ Linux kernel flaw enabling root takeover across major distros — unpatched systems may remain vulnerable to attack"

"CISA warns of the actively exploited “Copy Fail” Linux flaw (CVE-2026-31431), enabling root access, with a public exploit released before patches were ready."

https://www.tomshardware.com/software/linux/cisa-flags-actively-exploited-copy-fail-linux-kernel-flaw-enabling-root-takeover-across-major-distros-unpatched-systems-may-remain-vulnerable-to-attack

#Linux

60 Sekunden Cyber KW18 2026, 27. April - 3. Mai:

Daten von Kunden und Benutzern von Vimeo werden von der Gruppierung ShinyHunters ins Dark Net gestellt, Sicherheitsforscher finden mit Copy Fail eine seit 2017 (!) bestehende Schwachstelle (CVE-2026-31431), mit der man root-Zugriff auf allen bekannteren Linux-Distributionen erhalten kann, das NGO noyb klagt gegen die Hamburger

https://www.60-sekunden-cyber.de/kw18-2026/

#cyber #cybersicherheit #itsicherheit #itsecurity #infosec #threatint #threatintel #news #update

copy.fail (CVE-2026-31431): a small Linux kernel bug with an unusually big blast radius | Jorijn Schrijvershof https://jorijn.com/en/blog/copy-fail-cve-2026-31431-linux-kernel-bug-explained/

@christopherkunz https://security-tracker.debian.org/tracker/CVE-2026-31431

"CopyFail" (CVE-2026-31431) : un utilisateur local sans privilège peut écrire 4 bytes contrôlés dans le cache de TOUT fichier lisible ➡️ élévation root. Si vous avez du multi-tenant, des conteneurs, des CI runners non fiables : mettre à jour. Ordinateur perso ? Moins urgent mais mettez à jour quand même.

L'article : https://xint.io/blog/copy-fail-linux-distributions (en)

Le site : https://copy.fail/ (en)
#linux #cybersecurity

https://security-tracker.debian.org/tracker/CVE-2026-31431

« In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly. »

#cve #debian #cybersecurity

Falla in cPanel e WHM mette a rischio gli account amministrativi sui server di hosting

@informatica
La pubblicazione di un PoC per la CVE-2026-41940 espone cPanel & WHM e WP Squared a rischi concreti di takeover. L’authentication bypass può compromettere server hosting e siti WordPress. Analisi tecnica, impatti e contromisure per

cPanel zero-day active:
40K+ servers hit
CVE-2026-41940
→ auth bypass
→ admin access
Patch immediately.

Source: https://www.securityweek.com/over-40000-servers-compromised-in-ongoing-cpanel-exploitation/

Follow @technadu

#Infosec #ZeroDay #CyberSecurity

🚨 In this week’s newsletter, we cover CVE-2026-41940, a cPanel & WHM authentication bypass that puts entire hosting environments at risk. We break down how it enables admin access and what defenders should do next.

Read the full analysis and protect your systems 👉 https://www.crowdsec.net/vulntracking-report/cve-2026-41940-cpanel-whm-authentication-bypass-exploitation

📰 cPanel Zero-Day Auth Bypass (CVE-2026-41940) Actively Exploited for Months Before Patch

🚨 CRITICAL ZERO-DAY 🚨 cPanel & WHM auth bypass (CVE-2026-41940, CVSS 9.8) exploited for months before patch! Unauthenticated attackers can get root access. 1.5M instances exposed. Patch NOW! #cPanel #ZeroDay #CVE #WebHosting

🔗 https://cyber.netsecops.io

Cyber Journaal S02E53: cPanel CVE-2026-41940 leidde tot 44.000 gecompromitteerde installaties, ShinyHunters lekte 215.600 Aman Resorts accounts en Raptor Supplies Nederland staat op het darkweb.

➤ https://www.ccinfo.nl/journaal/3150984_cpanel-44-000-installaties-gecompromitteerd-shinyhunters-lekt-aman-resorts-en-raptor-supplies-wemeldinge-op-darkweb

#cybersecurity #datalek #infosec

FreeBSD DHCP Client Flaw CVE-2026-42511 Allows Root Code Execution via Rogue DHCP Server
#CyberSecurity
https://securebulletin.com/freebsd-dhcp-client-flaw-cve-2026-42511-allows-root-code-execution-via-rogue-dhcp-server/

Not sure if it was a good idea to look this closely: CVE-2026-42511 (#freebsd #dhclient) looks awfully similar to CVE-2011-0997 (isc-dhcp).

🚨 CVE-2026-42369 (CRITICAL, CVSS 10): GeoVision GV-VMS V20.0.2 stack overflow in gvapi endpoint lets unauthenticated remote attackers execute code as SYSTEM. Restrict remote access, monitor for patches. https://radar.offseq.com/threat/cve-2026-42369-cwe-787-out-of-bounds-write-in-geov-0757b787 #OffSeq #CVE202642369 #infosec #zeroday

Several vulnerabilities in #Apache HTTP Server 2.4 have been fixed in release 2.4.67. The most severe of these are:

- CVE-2026-23918: Apache HTTP Server: http2: double free and possible RCE on early reset

- CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr

- CVE-2026-33006: Apache HTTP Server: mod_auth_digest timing attack

https://httpd.apache.org/security/vulnerabilities_24.html

#CVE_2026_23918 #CVE_2026_24072 #CVE_2026_33006 #infosec #cybersecurity

Read-only ArgoCD access + one annotation = every Kubernetes secret in the cluster, plaintext. CVE-2026-43824. Fixed in 3.2.11 and 3.3.9. If you're running 3.2.x or 3.3.x, upgrade today.

CHERI-Speichersicherheit reduziert LLM-gefundene FreeBSD-Schwachstelle CVE-2026-4747

https://www.all-about-security.de/cheri-speichersicherheit-reduziert-llm-gefundene-freebsd-schwachstelle-cve-2026-4747/

#llm #Freebsd