CVE-2026-31431 — "Copy Fail" · LPE & Container Escape
Critical — Local Privilege Escalation + Container Escape
Kernel cryptographic subsystem (AF_ALG / algif_aead). Any local user → root. Any container → host node escape.
Overview
| Field | Detail |
|---|---|
| CVE | CVE-2026-31431 |
| Nickname | Copy Fail |
| Disclosed | 2026-04-29 |
| Component | Linux kernel — AF_ALG interface (algif_aead module) |
| Impact | LPE (user → root), container escape (pod → host) |
| Exploit Requirement | Local code execution (no remote vector) |
Risk by Environment
🔴 High — Multi-tenant / Shared
- Hosting multiple clients on the same node
- Shell access for multiple users
- Running unverified third-party code
Any standard user or pod with exec access can exploit this to full root/host.
🟡 Moderate — Single-tenant / Isolated
- Self-managed servers running only trusted, controlled workloads
- No local access or arbitrary execution by third parties
Still needs patching — just less urgency than multi-tenant.
Permanent Fix
Kernel update once a patched version ships for your distro. Monitor:
- Ubuntu: ubuntu.com/security/CVE-2026-31431
- RHEL/Alma/Rocky: access.redhat.com/security/cve/CVE-2026-31431
Mitigation (Pre-Patch Workaround)
Workaround only. Apply it when you need an immediate mitigation before the kernel update lands. It assumes algif_aead is built as a loadable module (CONFIG_CRYPTO_USER_API_AEAD=m, the usual distro setting); if your kernel has it built in (=y), nothing below can remove it and only the kernel update helps. The `install algif_aead /bin/false` line is what actually closes the hole: the kernel loads the AF_ALG type modules on demand when a process first binds a socket of that type, so a module that is merely unloaded, without this line, is one socket call away from coming back.
Debian / Ubuntu

```bash
# Block any future load, on demand or by hand: modprobe runs /bin/false instead
# of loading the module. The file name must end in .conf or modprobe ignores it.
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# Unload immediately (no reboot needed). "Module algif_aead is not currently loaded"
# is harmless; "Module algif_aead is in use" means a process still holds an AF_ALG
# aead socket, and that process has to be found and restarted before rmmod succeeds.
rmmod algif_aead || true
```
RHEL / AlmaLinux / RockyLinux

```bash
# Block any future load; this takes effect immediately, as on Debian.
# (rmmod algif_aead, as in the Debian block, unloads a currently loaded module
#  right away on RHEL-family kernels too; no reboot is needed for that step.)
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# Belt and braces: also refuse the module's init function at boot via a kernel
# parameter, so the block holds before the root filesystem's modprobe.d is read.
# initcall_blacklist matches the function by name and relies on CONFIG_KALLSYMS.
grubby --update-kernel=ALL --args=initcall_blacklist=algif_aead_init
# Reboot for the kernel parameter to take effect
reboot
```
Verify module is unloaded and blocked

```bash
lsmod | grep algif_aead
# Should return nothing
```

An empty result only proves the module is not loaded at this moment. Also confirm that the install line sits in a *.conf file under /etc/modprobe.d, otherwise a later bind of an AF_ALG aead socket, or a plain modprobe, brings the module straight back.
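The check below is an added example, not part of the advisory, that covers both the mitigation and the verification steps above in one run. It goes further than the lsmod line: it reads /proc/modules, looks for an `install algif_aead ...` line in every directory modprobe reads, checks modules.builtin for a built-in copy, and then actually tries to bind an AF_ALG socket of type aead, re-reading /proc/modules afterwards to see whether that probe pulled the module in. It assumes python3 on the host; the verdict names are this script's own.

```python
"""Per-host status check for the algif_aead mitigation (added example).

Exit status 0 means 'mitigated': not loaded, not built in, an install line
blocks it, and a real AF_ALG aead bind could not bring it back.
"""
import errno
import os
import platform
import socket
import sys

MODULE = "algif_aead"
# Directories modprobe(8) reads, per modprobe.d(5); only *.conf files count.
MODPROBE_DIRS = ("/etc/modprobe.d", "/run/modprobe.d", "/usr/local/lib/modprobe.d",
                 "/usr/lib/modprobe.d", "/lib/modprobe.d")
VERDICTS = ("loaded", "builtin", "mitigated", "unloaded-unblocked", "unknown")


def loaded_modules(proc_modules_text):
    """Module names from /proc/modules content (first field of each line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def install_blocked(conf_text, module=MODULE):
    """True if conf_text carries 'install <module> /bin/false' (or /bin/true).

    'install' makes modprobe run that command instead of loading the module.
    A bare 'blacklist' line is NOT enough: it only stops loading by alias,
    not a load by module name.
    """
    stubs = {"/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true"}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[:2] == ["install", module] and parts[2] in stubs:
            return True
    return False


def _read(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def install_block_file():
    """Path of the first *.conf file that blocks the module, or None."""
    for d in MODPROBE_DIRS:
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                text = _read(os.path.join(d, name)) if name.endswith(".conf") else None
                if text is not None and install_blocked(text):
                    return os.path.join(d, name)
    return None


def builtin_on_host():
    """True if the module is compiled into the running kernel (cannot be unloaded)."""
    text = _read("/lib/modules/%s/modules.builtin" % platform.release())
    return text is not None and any(line.strip().endswith("/%s.ko" % MODULE)
                                    for line in text.splitlines())


def aead_reachable():
    """Bind an AF_ALG socket of type 'aead' as this process.

    True if the type resolved, False on ENOENT (type not registered and not
    autoloadable), None if AF_ALG sockets cannot be created here at all.
    """
    if not hasattr(socket, "AF_ALG"):
        return None
    try:
        s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError:
        return None
    try:
        s.bind(("aead", "gcm(aes)"))
        return True
    except OSError as e:
        # ENOENT also covers 'gcm(aes) unavailable', so check_host() trusts
        # /proc/modules after the probe more than this return value.
        return e.errno != errno.ENOENT
    finally:
        s.close()


def check_host():
    """Gather the evidence; the returned dict's 'verdict' is one of VERDICTS."""
    before = _read("/proc/modules")
    reachable = aead_reachable()  # may autoload the module if nothing blocks it
    after = _read("/proc/modules")
    block = install_block_file()
    builtin = builtin_on_host()
    loaded_before = before is not None and MODULE in loaded_modules(before)
    loaded_after = after is not None and MODULE in loaded_modules(after)
    if after is None:
        verdict = "unknown"
    elif loaded_after:
        verdict = "loaded"
    elif builtin or reachable:
        verdict = "builtin"
    elif block:
        verdict = "mitigated"
    else:
        verdict = "unloaded-unblocked"  # not loaded now, but nothing stops a reload
    return {"verdict": verdict, "loaded_before_probe": loaded_before,
            "autoloaded_by_probe": loaded_after and not loaded_before,
            "aead_reachable": reachable, "install_block": block, "builtin": builtin}


if __name__ == "__main__":
    result = check_host()
    for key, value in result.items():
        print("%-20s %s" % (key, value))
    sys.exit(0 if result["verdict"] == "mitigated" else 1)
```

Run it as an ordinary user, not root: the question the mitigation has to answer is whether an unprivileged process can still obtain an aead socket. A verdict of `unloaded-unblocked` means the rmmod worked but the install line is missing or misnamed; `loaded` with `autoloaded_by_probe` true means the probe itself pulled the module back in, which is exactly what the install line is there to prevent.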
Kubernetes / Container Environments
Check which kernel each node runs:

```bash
kubectl get node -o wide
# KERNEL-VERSION is the column that matters: compare it with the fixed version your distro advisory names.
# OS-IMAGE only shows the image release, which may or may not have shipped with a patched kernel.
```
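For more than a handful of nodes, the following script, added here as an example and not part of the advisory, does the same comparison over `kubectl get nodes -o json`. The advisory does not name the fixed kernel versions, so the `MIN_PATCHED` thresholds are hypothetical placeholders to be replaced from the distro advisory; the sample node list is constructed in the shape kubectl emits.

```python
"""Triage cluster nodes by kernel version (added example).

Usage: kubectl get nodes -o json | python3 node_kernel_triage.py
With no piped input it runs against the constructed SAMPLE below.
"""
import json
import re
import sys

# Hypothetical thresholds, keyed by a substring that identifies the kernel
# flavour in nodeInfo.kernelVersion. Replace with the versions named in the
# Ubuntu / Red Hat advisories once the fixed kernels ship.
MIN_PATCHED = {
    "-generic": "6.8.0-999",     # Ubuntu generic kernel: placeholder value
    ".el9": "5.14.0-999.0.0",    # RHEL 9 family: placeholder value
}

# Leading "a.b.c" and optional "-x.y.z" release part; the flavour suffix
# (.el9_5.x86_64, -generic, .amzn2023...) is deliberately not parsed.
_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+(?:\.\d+)*))?")


def version_key(kernel):
    """'5.14.0-503.38.1.el9_5.x86_64' -> (5, 14, 0, 503, 38, 1)
       '6.8.0-60-generic'             -> (6, 8, 0, 60)"""
    m = _VER.match(kernel)
    if not m:
        raise ValueError("unparseable kernel version: %r" % kernel)
    base = tuple(int(x) for x in m.group(1).split("."))
    rel = tuple(int(x) for x in m.group(2).split(".")) if m.group(2) else ()
    return base + rel


def classify(kernel, min_patched=MIN_PATCHED):
    """'patched' / 'unpatched' against the matching flavour; 'review' if no flavour matches."""
    for flavour, minimum in min_patched.items():
        if flavour in kernel:
            return "patched" if version_key(kernel) >= version_key(minimum) else "unpatched"
    return "review"  # flavour not in the table: check that node by hand


def triage(nodes_json, min_patched=MIN_PATCHED):
    """nodes_json: parsed `kubectl get nodes -o json`.
    Returns [(node, kernelVersion, osImage, status)], unpatched nodes first."""
    rows = []
    for item in nodes_json["items"]:
        info = item["status"]["nodeInfo"]
        rows.append((item["metadata"]["name"], info["kernelVersion"], info["osImage"],
                     classify(info["kernelVersion"], min_patched)))
    order = {"unpatched": 0, "review": 1, "patched": 2}
    return sorted(rows, key=lambda r: (order[r[3]], r[0]))


# Constructed sample in the shape kubectl emits; not data from a real cluster.
SAMPLE = {"items": [
    {"metadata": {"name": "worker-a"},
     "status": {"nodeInfo": {"kernelVersion": "6.8.0-60-generic",
                             "osImage": "Ubuntu 24.04.2 LTS"}}},
    {"metadata": {"name": "worker-b"},
     "status": {"nodeInfo": {"kernelVersion": "5.14.0-503.38.1.el9_5.x86_64",
                             "osImage": "Rocky Linux 9.5 (Blue Onyx)"}}},
    {"metadata": {"name": "worker-c"},
     "status": {"nodeInfo": {"kernelVersion": "6.1.134-150.224.amzn2023.x86_64",
                             "osImage": "Amazon Linux 2023.7.20250414"}}},
]}


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    rows = triage(data)
    for name, kernel, os_image, status in rows:
        print("%-10s %-12s %-36s %s" % (status, name, kernel, os_image))
    sys.exit(0 if all(r[3] == "patched" for r in rows) else 1)
```

Nodes whose kernel flavour is not in the table come out as `review` rather than silently passing; that is the right failure mode for a fleet with mixed images (Amazon Linux, Bottlerocket, Talos) where the version string alone does not say which upstream fix is included.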
For existing worker nodes, deploy a privileged DaemonSet. The init container writes the install line into the host's /etc/modprobe.d (mounted from the host) and unloads the module; the pause container only keeps the pod resident so the init step re-runs after a node reboot. The init container fails the pod if the module is still loaded when it is done (normally because a process on that node holds an AF_ALG aead socket), so a pod stuck in Init:Error points at the node that needs manual attention instead of reporting success.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: disable-algif-aead
  namespace: kube-system
  labels:
    app: disable-algif-aead
spec:
  selector:
    matchLabels:
      app: disable-algif-aead
  template:
    metadata:
      labels:
        app: disable-algif-aead
    spec:
      hostPID: true
      tolerations:
        - operator: Exists
          effect: NoSchedule
        - operator: Exists
          effect: NoExecute
      initContainers:
        - name: disable-algif-aead
          image: alpine:3.23
          securityContext:
            privileged: true
          command:
            - /bin/sh
            - -c
            - |
              echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
              rmmod algif_aead 2>/dev/null || true
              # Fail visibly if the module is still loaded (rmmod refused because it is in use).
              if grep -q '^algif_aead ' /proc/modules; then
                echo "algif_aead still loaded: a process on this node holds an AF_ALG aead socket" >&2
                exit 1
              fi
          volumeMounts:
            - name: modprobe-d
              mountPath: /etc/modprobe.d
      containers:
        - name: pause
          image: registry.k8s.io/pause:3.10
          resources:
            limits:
              cpu: 1m
              memory: 8Mi
      volumes:
        - name: modprobe-d
          hostPath:
            path: /etc/modprobe.d
```
Rollback (If Services Break)

algif_aead is the userspace entry point to the kernel's AEAD ciphers over AF_ALG sockets. Ordinary applications and TLS libraries do their AEAD in process and never touch it, so most workloads are unaffected. Software that drives the kernel crypto API from userspace (libkcapi-based tools, for example) will see AF_ALG aead bind failures (ENOENT) after the mitigation.

If that happens:

```bash
sudo rm /etc/modprobe.d/disable-algif.conf
sudo modprobe algif_aead
```

On Kubernetes nodes the file is /etc/modprobe.d/disable-algif-aead.conf, and the DaemonSet has to be deleted first or it re-applies the block the next time its pod restarts. On RHEL-family hosts also remove the initcall_blacklist kernel argument again (grubby's --remove-args) and reboot, otherwise the module stays unloadable.
Checklist

- Identify all affected nodes (kernel version pre-patch)
- Apply `modprobe` workaround on Debian/Ubuntu servers
- Apply `grubby` blacklist + reboot on RHEL-family servers
- Verify `lsmod | grep algif_aead` returns empty on all nodes
- Deploy DaemonSet on existing K8s worker nodes
- Monitor distro advisory for patched kernel release
- Upgrade kernel and reboot once patch available
- Remove workaround files post-patch (optional cleanup)