Remediation Guide: Linux Kernel "Copy Fail" (CVE-2026-31431)

Internal procedure for identifying and remediating the CVE-2026-31431 vulnerability across Ubuntu and RHEL-based distributions.

This guide provides the internal IT procedure for identifying and fixing CVE-2026-31431. Perform the verification step first to determine if a system requires action.


Automated Mitigation Script

For most hosts the steps below can be run interactively via the CSS team's dirty-copy-mit.sh script. It auto-detects Ubuntu vs RHEL, performs the verification and impact checks described in this guide, and applies the appropriate vendor-recommended mitigation. The same script also covers Copy Fail (CVE-2026-31431). Reboots require an explicit typed confirmation.

Repository: https://git.doit.wisc.edu/CPKLECKER/dirtyfragmitigation

Download and run:

curl -fLO 'https://git.doit.wisc.edu/CPKLECKER/dirtyfragmitigation/-/raw/main/dirty-copy-mit.sh'
chmod +x dirty-copy-mit.sh
sudo ./dirty-copy-mit.sh

Or run from the gitlab directly

From the menu, select options 1, 2, or 3 for the Dirty Frag workflow. Option a reports the status of both Dirty Frag and Copy Fail at once.

The remainder of this document describes the manual procedure, which the script implements step-for-step. Use the manual steps when scripted execution is not available, when remediating non-standard environments, or for audit and review.


1. Ubuntu Systems (Trusty through Noble)

Step 1.1: Verify Status

Run the following command to check if the algif_aead module is currently blocked:

modprobe -n -v algif_aead

  • Already Mitigated: If the output is install /bin/false, no further action is required.
  • Vulnerable: If the output shows a path to a .ko file, or if there is no output, proceed to Step 1.2.

Step 1.2: Check Reference for Target Version

Ubuntu Target kmod Versions

Release            Fixed kmod Version
Questing (25.10)   34.2-2ubuntu1.1
Noble (24.04)      31+20240202-2ubuntu7.2
Jammy (22.04)      29-1ubuntu1.1
Focal (20.04)      27-1ubuntu2.1+esm1

Step 1.3: Apply Patch

Execute the following to update the kmod package and verify the block:

sudo apt update && sudo apt install --only-upgrade kmod && modprobe -n -v algif_aead

Step 1.4: Manual Mitigation (If Update Fails)

If the package repository is not yet providing the patch, manually disable the algif_aead module:

echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif_aead.conf

Immediate Action Required: After applying this change, reboot the system to ensure the module is fully unloaded:

sudo reboot

Step 1.5: Verify Manual Mitigation

After reboot, run the following command to verify the module is no longer loaded in the kernel:

grep -qE '^algif_aead ' /proc/modules && echo "Affected module is loaded" || echo "Affected module is NOT loaded"


2. RHEL Variants (Rocky, Alma, RHEL 8/9/10)

Step 2.1: Verify Kernel Version

Check your current running kernel version:

uname -r

Compare your output against the Fixed Version list below:

  • RHEL 10: 6.12.0-124.52.2.el10_1
  • RHEL 9: 5.14.0-611.49.2.el9_7
  • RHEL 8: 4.18.0-553.121.1.el8_10

If your version is lower than the target, proceed to Step 2.2.

Step 2.2: Verify Mitigation Status

Check if the emergency blacklist is already active in the boot parameters:

grep "initcall_blacklist=algif_aead_init" /proc/cmdline

If there is no output, the system is vulnerable. Proceed to Step 2.3.

Step 2.3: Apply Emergency Mitigation

If a patched kernel is unavailable, apply the bootloader blacklist and reboot:

sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init" && sudo reboot

Step 2.4: Standard Patching (When Available)

When the repository provides the fixed version, update the kernel:

sudo dnf update kernel -y && sudo reboot
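
The decision made in Steps 2.1 and 2.2, as an added example (not the CSS team's script): it compares a kernel release string against the fixed versions listed above and checks the boot command line for the blacklist, including the case where algif_aead_init is one entry in a comma-separated initcall_blacklist= list. Function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Read-only status check for Steps 2.1-2.2. Function names are hypothetical.

# Fixed kernel versions copied from Step 2.1, selected by the elN tag.
fixed_for() {
    case "$1" in
        *.el10*) echo "6.12.0-124.52.2.el10_1" ;;
        *.el9*)  echo "5.14.0-611.49.2.el9_7" ;;
        *.el8*)  echo "4.18.0-553.121.1.el8_10" ;;
        *)       return 1 ;;
    esac
}

# True when version $1 >= $2. Uses GNU sort -V, which approximates RPM
# version ordering closely enough for kernels of the same elN stream.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# True when the boot command line ($1) blacklists algif_aead_init, including
# when it is one entry in a comma-separated initcall_blacklist= list.
blacklist_active() {
    for tok in $1; do
        case "$tok" in
            initcall_blacklist=*)
                case ",${tok#initcall_blacklist=}," in
                    *,algif_aead_init,*) return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# rhel_status KERNEL_RELEASE CMDLINE -> patched | mitigated | vulnerable | unknown
rhel_status() {
    # uname -r carries an architecture suffix that the fixed-version list does not.
    kver=$(printf '%s' "$1" | sed -E 's/\.(x86_64|aarch64|ppc64le|s390x)$//')
    fixed=$(fixed_for "$kver") || { echo unknown; return 0; }
    if version_ge "$kver" "$fixed"; then echo patched
    elif blacklist_active "$2"; then echo mitigated
    else echo vulnerable
    fi
}

# Constructed sample input, not captured from a real host. On a live system:
#   rhel_status "$(uname -r)" "$(cat /proc/cmdline)"
rhel_status "5.14.0-570.12.1.el9_6.x86_64" "ro quiet initcall_blacklist=foo_init,algif_aead_init"
```

/proc/cmdline describes the current boot only, so a host reports "mitigated" only after the reboot in Step 2.3 has taken place.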



Keywords: How-To, Security, Linux, Kernel, CVE-2026-31431, Patching, Internal IT
Doc ID: 161111
Owned by: Conor K. in CALS Information Technology
Created: 2026-05-05
Updated: 2026-05-12
Sites: CALS Information Technology