On April 28, a critical authentication bypass in cPanel forced hosting providers to take control panels offline globally while active exploits were confirmed in the wild. On April 29, researchers at Theori disclosed CVE-2026-31431, named Copy Fail: a Linux kernel privilege escalation affecting virtually all mainstream distributions since 2017, exploitable by any unprivileged user with local shell access, using a 732-byte Python script that requires no special tools and works unmodified across affected distributions. Two critical infrastructure vulnerabilities in two days is not a pattern any hosting provider’s security posture was designed around.
The Business Exposure
Copy Fail is a local privilege escalation, meaning an attacker needs existing shell access to exploit it. On a dedicated server with a single operator, that limits the scope. On shared hosting infrastructure, VPS nodes, Kubernetes clusters, or CI/CD runners, any tenant with SSH access can use this exploit to gain root on the host kernel. From root, an attacker can read other tenants’ files, databases, and credentials; modify system binaries; install persistent backdoors; or pivot further into internal infrastructure.
For a hosting provider, a successful exploitation of Copy Fail in a multi-tenant environment is a data breach event. Under GDPR, a breach affecting customer data triggers notification obligations within 72 hours. The reputational and contractual exposure from one tenant compromising another’s data is not a technical incident — it is a business-level event.
The timing compounds the pressure. Providers who are still completing remediation from the cPanel incident are now managing a second critical vulnerability affecting different layers of the same infrastructure stack. The combination tests whether security operations teams are resourced and structured to handle parallel, unrelated critical incidents.
What Copy Fail Is
The vulnerability is a logic bug in the authencesn cryptographic template, chained through the AF_ALG kernel crypto API socket and the splice() system call. The chain produces a 4-byte write into the page cache of a setuid binary, which is sufficient for full privilege escalation. NVD rates it CVSS 7.8 HIGH. Theori, the security research firm that discovered it, describes it as “a straight-line logic flaw” with no race condition, no timing dependency, and no precondition beyond a local unprivileged account.
Affected distributions include Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16, Debian, Fedora, Rocky Linux, and others built on kernels from 2017 through the patch date. Theori discovered the flaw using Xint Code, their AI-assisted security scanning tool, making this one of the first high-severity Linux kernel CVEs attributed to AI-assisted discovery. The vulnerability was reported March 23, patched in mainline on April 1, and publicly disclosed April 29.
Patching and Mitigation
The fix is a kernel update. Patched versions are available from all major distributions. Official advisories are live from Red Hat, Ubuntu, Debian (DSA-6238-1), SUSE, and Amazon Linux. If your systems are not yet updated, update now.
If an immediate kernel update is not possible, the interim step is to disable the vulnerable algif_aead module. How you do this depends on your distribution family:
On Debian, Ubuntu, and most non-RHEL distributions, the standard modprobe blacklist approach works. On RHEL-family systems including CloudLinux and AlmaLinux, it does not, because the module is compiled directly into the kernel rather than loaded separately. Those systems require a grubby command instead:
sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
sudo reboot
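The distribution split above comes down to one question: is algif_aead a loadable module on this kernel, or compiled in? The following script is an added example written for this article (not code from Theori, CloudLinux, or any distribution advisory). It reads the standard modules.builtin and modules.dep files under /lib/modules plus the /proc/modules list to classify the module, prints the matching interim steps, and writes the modprobe.d drop-in for modular kernels. The file names, the drop-in name disable-algif-aead.conf, and the audit key af_alg are this example's own choices.

```shell
#!/bin/sh
# Added example for this article (not vendor or distribution code): determine how
# algif_aead is present on a host and choose the matching interim control from
# the text above (modprobe config on modular kernels, grubby on built-in ones).
# Assumes the standard modules.builtin / modules.dep layout under /lib/modules
# and a /proc/modules-style module list; the checks accept constructed files too.

# Print one of: builtin | loaded | loadable | absent
# $1 modules.builtin, $2 /proc/modules-style list, $3 modules.dep (all optional)
aead_module_state() {
    builtin="${1:-/lib/modules/$(uname -r)/modules.builtin}"
    procmod="${2:-/proc/modules}"
    dep="${3:-/lib/modules/$(uname -r)/modules.dep}"
    # modules.dep may list compressed names (algif_aead.ko.zst), so match the stem only
    if [ -r "$builtin" ] && grep -q '/algif_aead\.ko' "$builtin"; then
        echo builtin
    elif [ -r "$procmod" ] && grep -q '^algif_aead ' "$procmod"; then
        echo loaded
    elif [ -r "$dep" ] && grep -q '/algif_aead\.ko' "$dep"; then
        echo loadable
    else
        echo absent
    fi
}

# Write a modprobe.d drop-in. "blacklist" alone only stops alias-based autoload;
# the "install" line also makes an explicit or on-demand load request fail.
# $1 target directory (default /etc/modprobe.d); prints the file written.
write_aead_modprobe_conf() {
    dir="${1:-/etc/modprobe.d}"
    mkdir -p "$dir"
    printf '%s\n' \
        'blacklist algif_aead' \
        'install algif_aead /bin/false' > "$dir/disable-algif-aead.conf"
    echo "$dir/disable-algif-aead.conf"
}

# Print the steps for a given state; nothing here changes the system.
aead_mitigation_plan() {
    case "$1" in
        builtin)
            echo 'sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"'
            echo 'sudo reboot' ;;
        loaded)
            echo 'sudo modprobe -r algif_aead   # refuses while an AF_ALG aead socket is open'
            echo 'run write_aead_modprobe_conf as root, then verify with: lsmod | grep algif_aead' ;;
        loadable)
            echo 'run write_aead_modprobe_conf as root, then verify with: modprobe algif_aead (must fail)' ;;
        absent)
            echo 'algif_aead is not on this kernel; the interim control does not apply, install the kernel update' ;;
        *)  return 1 ;;
    esac
}

# auditd rule (x86_64) recording every successful AF_ALG socket(), so AF_ALG use stays
# visible on hosts that were patched or mitigated; 38 is AF_ALG from linux/socket.h.
afalg_audit_rule() {
    echo '-a always,exit -F arch=b64 -S socket -F a0=38 -F success=1 -k af_alg'
}

main() {
    state=$(aead_module_state)
    echo "algif_aead state on kernel $(uname -r): $state"
    aead_mitigation_plan "$state"
}

# Read-only host check: sh copyfail-check.sh --check
case "${1:-}" in --check) main ;; esac
```

Run it with --check on each host class before deciding which path applies; the drop-in is only a stopgap, and a loaded module that refuses to unload means a tenant process still holds an AF_ALG socket, which is worth knowing on a shared node. The kernel update remains the fix.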
For Kubernetes and containerized workloads, blocking AF_ALG socket creation via seccomp is an effective interim control. OVHcloud has published a DaemonSet YAML for cluster-wide deployment.
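What that seccomp control looks like in practice, as an added example that is not the OVHcloud DaemonSet or any other published file: a profile that makes socket(AF_ALG, ...) return EAFNOSUPPORT, a helper that installs it under the kubelet seccomp root, the pod-level reference to it, and a probe to confirm the block from inside a container. Assumptions: x86_64 or aarch64 (socket() is a native syscall there, not socketcall), the kubelet default seccomp root /var/lib/kubelet/seccomp, AF_ALG == 38 and EAFNOSUPPORT == 97 as defined in the Linux headers, and the file name block-af-alg.json, which is this example's own.

```shell
#!/bin/sh
# Added example (not OVHcloud's or any vendor's file): build and install a seccomp
# profile that denies AF_ALG socket creation for containers.
# Assumes x86_64/aarch64, kubelet seccomp root /var/lib/kubelet/seccomp,
# AF_ALG == 38 and EAFNOSUPPORT == 97 (values from the Linux headers).

AF_ALG=38
EAFNOSUPPORT=97

# Profile in the Docker/containerd JSON format that kubelet loads for Localhost profiles.
# Only socket() with domain == AF_ALG is refused; everything else falls through to
# the default action.
afalg_seccomp_profile() {
    cat <<EOF
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": ${EAFNOSUPPORT},
      "args": [
        { "index": 0, "value": ${AF_ALG}, "valueTwo": 0, "op": "SCMP_CMP_EQ" }
      ]
    }
  ]
}
EOF
}

# $1 seccomp root directory (kubelet default /var/lib/kubelet/seccomp); prints the path.
install_afalg_profile() {
    root="${1:-/var/lib/kubelet/seccomp}"
    mkdir -p "$root/profiles"
    afalg_seccomp_profile > "$root/profiles/block-af-alg.json"
    echo "$root/profiles/block-af-alg.json"
}

# Pod spec fragment; localhostProfile is relative to the kubelet seccomp root.
pod_security_context() {
    cat <<EOF
securityContext:
  seccompProfile:
    type: Localhost
    localhostProfile: profiles/block-af-alg.json
EOF
}

# Run inside a pod that uses the profile: exit 0 if AF_ALG socket creation is
# refused, 1 if it still succeeds, 2 if no python3 is available to probe with.
verify_afalg_blocked() {
    command -v python3 >/dev/null 2>&1 || return 2
    python3 - <<'EOF'
import socket, sys
fam = getattr(socket, "AF_ALG", 38)
try:
    socket.socket(fam, socket.SOCK_SEQPACKET).close()
except OSError:
    sys.exit(0)      # blocked: the interim control is in effect
sys.exit(1)          # AF_ALG sockets still work in this container
EOF
}
```

Two caveats before rolling this out cluster-wide. A Localhost profile replaces RuntimeDefault entirely, so for production take the runtime's default profile and add the socket rule to it rather than shipping defaultAction ALLOW as written here. And any workload that legitimately uses the kernel crypto API through AF_ALG (for example the OpenSSL afalg engine) will start failing with EAFNOSUPPORT, which is the signal to look for when triaging post-rollout errors.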
CloudLinux operators: KernelCare livepatches are rolling out, which means patching without a reboot is available. CL9 and CL10 patched kernels are in AlmaLinux testing repositories. CL7h and CL8 are in beta testing. CloudLinux 7 is not affected.
The Question for Leadership
Two critical vulnerabilities in two days, affecting control panel software and the underlying kernel respectively, raise a question that goes beyond patch management: how quickly can your organization detect, triage, and remediate critical vulnerabilities across your full infrastructure fleet? The cPanel incident had a 2-3 hour window between public advisory and patch. Copy Fail has been public since April 29 with a working exploit in the open.
The answer to that question is determined by team structure, tooling, and process long before any specific CVE appears. For providers who found the past week difficult to manage, that is the more durable problem to address.
Łukasz Nowak
Nearly two decades in IT. A decade in web hosting - and still in the trenches. Writing about the infrastructure that runs the internet from the inside.
Sources
- Copy Fail - CVE-2026-31431 Official Disclosure
- Copy Fail: Technical Writeup - Theori / Xint.io (discoverer)
- CVE-2026-31431 - NVD / NIST National Vulnerability Database
- CVE-2026-31431 Copy Fail: Mitigation and Patches - CloudLinux Blog
- Linux Cryptographic Code Flaw - The Register
- Copy Fail FAQ - Tenable
- Copy Fail: How to Protect OVHcloud MKS Clusters - OVHcloud Blog
- CVE-2026-31431 - Ubuntu Security
- CVE-2026-31431 - Red Hat Security
- CVE-2026-31431 - Debian Security Tracker