Ah, the #copyfail clickbait posts are coming.
-
Ah, the #copyfail clickbait posts are coming. Here’s my contribution. On your Linux machine add
initcall_blacklist=algif_aead_init
to your kernel boot commandline (typically in grub). Reboot. You are now safe until the updated kernel packages become available. For distributions with the `grubby` command this is done as root with
# grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
This mitigation comes courtesy of Red Hat. Our engineers keep you safe
1/4
@jwildeboer I'm confused somewhat by how distros didn't pick it up, looks like some don't have representatives on the kernel list?
-
@jwildeboer Apparently GrapheneOS (and Android in general?) is protected against CopyFail through the SELinux configuration.
Do you happen to know how that is achieved?
-
@sibrosan My approach works independently of it being a module or not. So as far as mitigations go, it’s a bit more universal. And in a few days we all have updated kernel packages anyway.
@jwildeboer Apparently in Ubuntu the vulnerability is in a module.
Of cou rse that may not be the case if you replaced the kernel with a custom one.IMO for ordinary Ubuntu users who are not familiar with tinkering with their system, the quickest and easiest fix is to run the Update Manager.
-
@jwildeboer Apparently in Ubuntu the vulnerability is in a module.
Of cou rse that may not be the case if you replaced the kernel with a custom one.IMO for ordinary Ubuntu users who are not familiar with tinkering with their system, the quickest and easiest fix is to run the Update Manager.
@sibrosan In other distros it’s compiled into the kernel, so not a module. I am trying to share immediate mitigation. I’m not interested in yet another distro war.
-
Ah, the #copyfail clickbait posts are coming. Here’s my contribution. On your Linux machine add
initcall_blacklist=algif_aead_init
to your kernel boot commandline (typically in grub). Reboot. You are now safe until the updated kernel packages become available. For distributions with the `grubby` command this is done as root with
# grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
This mitigation comes courtesy of Red Hat. Our engineers keep you safe
1/4
@jwildeboer fake fact that makes perfect sense to a cockney speaker.
-
@sibrosan In other distros it’s compiled into the kernel, so not a module. I am trying to share immediate mitigation. I’m not interested in yet another distro war.
@jwildeboer Sure! My intention was just a heads-up to fellow #Ubuntu users who are not too familiar with things like adding stuff to your kernel boot commandline.
-
Ah, the #copyfail clickbait posts are coming. Here’s my contribution. On your Linux machine add
initcall_blacklist=algif_aead_init
to your kernel boot commandline (typically in grub). Reboot. You are now safe until the updated kernel packages become available. For distributions with the `grubby` command this is done as root with
# grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
This mitigation comes courtesy of Red Hat. Our engineers keep you safe
1/4
Some more details from our CVE page on CVE-2026-31431 at https://access.redhat.com/security/cve/cve-2026-31431 For more infos also on availability of updates see https://nvd.nist.gov/vuln/detail/CVE-2026-31431and https://www.cve.org/CVERecord?id=CVE-2026-31431
2/4
-
@jwildeboer fake fact that makes perfect sense to a cockney speaker.
@grumpasaurus What is fake about the mitigation and the vulnerability in your opinion? And why do you think that insinuating that under my post where I try to help my fellow sysadmins is helpful?
-
@jwildeboer Sure! My intention was just a heads-up to fellow #Ubuntu users who are not too familiar with things like adding stuff to your kernel boot commandline.
@sibrosan Now is a good time to learn about it, I'd say
-
@grumpasaurus What is fake about the mitigation and the vulnerability in your opinion? And why do you think that insinuating that under my post where I try to help my fellow sysadmins is helpful?
@jwildeboer sorry let me rephrase my joke.
"algif_aead_init" sounds like cockney slang
-
@jwildeboer sorry let me rephrase my joke.
"algif_aead_init" sounds like cockney slang
@grumpasaurus Ah, thx!
-
Some more details from our CVE page on CVE-2026-31431 at https://access.redhat.com/security/cve/cve-2026-31431 For more infos also on availability of updates see https://nvd.nist.gov/vuln/detail/CVE-2026-31431and https://www.cve.org/CVERecord?id=CVE-2026-31431
2/4
Here is @Larvitz gist that gives you an Ansible playbook to deploy the mitigation on (big) fleets: https://burningboard.net/@Larvitz/116498775760655365
3/4
-
Here is @Larvitz gist that gives you an Ansible playbook to deploy the mitigation on (big) fleets: https://burningboard.net/@Larvitz/116498775760655365
3/4
The TL;DR of #CopyFail in my opinion: Due to an unusual (I personally think irresponsible) disclosure, we sysadmins are now dealing with having to push out an immediate mitigation until the updated kernel packages become available. I am trying to help in a pragmatic way. This too will pass, but it also shows that running Linux servers comes with responsibilities to protect your machines and users.
4/4
-
@sibrosan Now is a good time to learn about it, I'd say
I´d like to see widespread migration of ordinary computer users from MS Windows to Linux. And I regard awareness that it's easy to keep yourself safe as helpful, and the impression that you need to type complicated stuff in a terminal window not so much.
-
The TL;DR of #CopyFail in my opinion: Due to an unusual (I personally think irresponsible) disclosure, we sysadmins are now dealing with having to push out an immediate mitigation until the updated kernel packages become available. I am trying to help in a pragmatic way. This too will pass, but it also shows that running Linux servers comes with responsibilities to protect your machines and users.
4/4
@jwildeboer Thank you for this!
One question, if I understand that correctly it's a local privilege escalation, right?
So assuming there's no RCE present elsewhere, and I'm the only account on the system, I can relax about CopyFail? -
@jwildeboer I'm confused somewhat by how distros didn't pick it up, looks like some don't have representatives on the kernel list?
-
@jwildeboer Thank you for this!
One question, if I understand that correctly it's a local privilege escalation, right?
So assuming there's no RCE present elsewhere, and I'm the only account on the system, I can relax about CopyFail?@blindcoder Yes, it needs local user access. But that could also be tunnelled through an exploitable Wordpress install or other PHP etc stuff. SELinux might already help in that case, but my general rule would be: If the machine is exposed to the internet, deploy the mitigation. For machines that are not open to the internet, like homelabs etc it is an acceptable risk to wait for the updated kernel packages.
-
@jwildeboer Thank you for this!
One question, if I understand that correctly it's a local privilege escalation, right?
So assuming there's no RCE present elsewhere, and I'm the only account on the system, I can relax about CopyFail?@blindcoder @jwildeboer That's my understanding as well, but if an intruder somehow manages to run shell or custom app you might be in trouble
-
@jwildeboer Thank you for this!
One question, if I understand that correctly it's a local privilege escalation, right?
So assuming there's no RCE present elsewhere, and I'm the only account on the system, I can relax about CopyFail?@blindcoder @jwildeboer
It appears so.As long as by "system" you mean hardware and not a container (e.g. docker).
-
@jwildeboer I'm confused somewhat by how distros didn't pick it up, looks like some don't have representatives on the kernel list?
@larsmb Could be. I guess the topic is a bit more complex. Some distros have `algif_aead` as module, so you can do the big hammer approach and `rmmod` it, other distros have `algif_aead` compiled into the kernel, so you need a more surgical approach, like the one I described. The surgical approach however has the advantage of working for both setups.
