Remediation Guide: Linux Kernel "Copy Fail" (CVE-2026-31431)
Linux Kernel "Copy Fail" Remediation Guide
This guide provides the internal IT procedure for identifying and fixing CVE-2026-31431. Perform the verification step first to determine if a system requires action.
Automated Mitigation Script
For most hosts the steps below can be run interactively via the CSS team's dirty-copy-mit.sh script. It auto-detects Ubuntu vs RHEL, performs the verification and impact checks described in this guide, and applies the appropriate vendor-recommended mitigation. The same script also covers Copy Fail (CVE-2026-31431). Reboots require an explicit typed confirmation.
Repository: https://git.doit.wisc.edu/CPKLECKER/dirtyfragmitigation
Download and run:
curl -fLO 'https://git.doit.wisc.edu/CPKLECKER/dirtyfragmitigation/-/raw/main/dirty-copy-mit.sh'
chmod +x dirty-copy-mit.sh
sudo ./dirty-copy-mit.sh
Or run from the gitlab directly
sudo bash -c "$(curl -s https://git.doit.wisc.edu/CPKLECKER/dirtyfragmitigation/-/raw/main/dirty-copy-mit.sh)"
From the menu, select options 1, 2, or 3 for the Dirty Frag workflow. Option a reports the status of both Dirty Frag and Copy Fail at once.
The remainder of this document describes the manual procedure, which the script implements step-for-step. Use the manual steps when scripted execution is not available, when remediating non-standard environments, or for audit and review.
1. Ubuntu Systems (Trusty through Noble)
Step 1.1: Verify Status
Run the following command to check if the algif_aead module is currently blocked:
modprobe -n -v algif_aead
- Already Mitigated: If the output is
install /bin/false, no further action is required. - Vulnerable: If the output shows a path to a
.kofile or no output, proceed to Step 1.2.
Step 1.2: Check Reference for Target Version
| Release | Fixed kmod Version |
|---|---|
| Questing (25.10) | 34.2-2ubuntu1.1 |
| Noble (24.04) | 31+20240202-2ubuntu7.2 |
| Jammy (22.04) | 29-1ubuntu1.1 |
| Focal (20.04) | 27-1ubuntu2.1+esm1 |
Step 1.3: Apply Patch
Execute the following to update the kmod package and verify the block:
sudo apt update && sudo apt install --only-upgrade kmod && modprobe -n -v algif_aead
Step 1.4: Manual Mitigation (If Update Fails)
If the package repository is not yet providing the patch, manually disable the algif_aead module:
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif_aead.conf
Immediate Action Required: After applying this change, reboot the system to ensure the module is fully unloaded:
sudo reboot
Step 1.5: Verify Manual Mitigation
After reboot, run the following command to verify the module is no longer loaded in the kernel:
grep -qE '^algif_aead ' /proc/modules && echo "Affected module is loaded" || echo "Affected module is NOT loaded"
2. RHEL Variants (Rocky, Alma, RHEL 8/9/10)
Step 2.1: Verify Kernel Version
Check your current running kernel version:
uname -r
Compare your output against the Fixed Version list below:
- RHEL 10:
6.12.0-124.52.2.el10_1 - RHEL 9:
5.14.0-611.49.2.el9_7 - RHEL 8:
4.18.0-553.121.1.el8_10
If your version is lower than the target, proceed to Step 2.2.
Step 2.2: Verify Mitigation Status
Check if the emergency blacklist is already active in the boot parameters:
cat /proc/cmdline | grep "initcall_blacklist=algif_aead_init"
If there is no output, the system is vulnerable. Proceed to Step 2.3.
Step 2.3: Apply Emergency Mitigation
If a patched kernel is unavailable, apply the bootloader blacklist and reboot:
sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init" && sudo reboot
Step 2.4: Standard Patching (When Available)
When the repository provides the fixed version, update the kernel:
sudo dnf update kernel -y && sudo reboot