Mitigations for CopyFail linux local privilege escalation vulnerability

fln (Administrator, Staff member)
A new local privilege escalation vulnerability named CopyFail (CVE-2026-31431) was recently disclosed. It affects almost all systems and allows a local user to gain root access on the system. The Linux distribution maintainers are busy releasing hot-fixes.

We are sharing an immediate mitigation for server administrators until we receive a fix from upstream.

For Debian, Ubuntu and other Debian-based systems, the exploitable code is in a separate kernel module. So it is enough to just blacklist this module and unload it if it is already loaded. Commands:

Code:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null

For RHEL-based systems, the exploitable code is built-in. It can be disabled with an extra kernel boot parameter and requires a server restart. Commands:

Code:
echo 'GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} initcall_blacklist=algif_aead_init"' >> /etc/default/grub
grub2-mkconfig -o /etc/grub2.cfg
grubby --args initcall_blacklist=algif_aead_init --update-kernel=ALL --no-etc-grub-update
reboot

Note: the double approach, first changing /etc/default/grub and then directly with grubby, is to make sure the same set of commands works on all RHEL systems and that the change is persistent. The grubby command alone is enough to update the kernel arguments, but they would be lost on the next kernel update.
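As an added example (not part of the original post), here is a small POSIX shell script that checks whether either of the two mitigations above is actually in effect on a host: whether algif_aead is currently loaded, whether a modprobe.d install rule blocks it from loading, and whether initcall_blacklist=algif_aead_init is on the running kernel's command line. The function names, the status labels and the sample inputs in the test are my own assumptions; the checks parse /proc/modules, /etc/modprobe.d/*.conf and /proc/cmdline, which is all the script relies on.

```shell
#!/bin/sh
# Added example, not from the original post: verify the algif_aead mitigations.
# Every check takes its input as a string, so it can be run on the live system
# or against sample text.

# Is the module currently loaded? Expects the text of /proc/modules.
# Returns 0 (true) when algif_aead appears as a loaded module.
algif_aead_loaded() {
    printf '%s\n' "$1" | grep -q '^algif_aead '
}

# Does a modprobe.d snippet block the module? Expects the file contents.
# Accepts the 'install algif_aead /bin/false' form (or /bin/true).
algif_aead_blacklisted() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)'
}

# Was the built-in init call disabled at boot? Expects the text of /proc/cmdline.
# initcall_blacklist= takes a comma-separated list, so match inside one too.
algif_aead_initcall_blocked() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])initcall_blacklist=([^[:space:]]*,)?algif_aead_init(,|[[:space:]]|$)'
}

# Overall verdict (labels are this example's own):
#   mitigated-builtin  the boot parameter is active on the running kernel
#   mitigated-module   a modprobe rule blocks the module and it is not loaded
#   exposed            neither path is fully in place
# Arguments: modules text, modprobe.d text, cmdline text.
algif_aead_status() {
    if algif_aead_initcall_blocked "$3"; then
        echo mitigated-builtin
    elif algif_aead_blacklisted "$2" && ! algif_aead_loaded "$1"; then
        echo mitigated-module
    else
        echo exposed
    fi
}

# Run against the live system when the proc files are readable.
if [ -r /proc/modules ] && [ -r /proc/cmdline ]; then
    live_modules=$(cat /proc/modules)
    live_cmdline=$(cat /proc/cmdline)
    live_conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)
    echo "algif_aead status: $(algif_aead_status "$live_modules" "$live_conf" "$live_cmdline")"
fi
```

Two things to keep in mind when reading the result: on RHEL the cmdline check only turns green after the reboot, because /proc/cmdline reflects the running kernel; and on Debian a result of "exposed" with the modprobe rule in place means the module is still loaded, i.e. the rmmod in the instructions did not succeed (its error output is discarded by the 2>/dev/null), so the unload needs to be repeated once nothing is holding the module.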
 
Last edited:
Note: the instructions for RHEL are updated; the call to grubby is extended with --no-etc-grub-update to avoid touching the /etc/default/grub file. Without this argument it can replace other custom kernel parameters that were added there before applying the mitigation commands.