CVE-2026-31431 "Copy Fail" — What It Is, How to Check, and How to Fix It

A security vulnerability in the Linux kernel was publicly disclosed on April 29, 2026. It affects most Linux servers running kernels released since 2017, and it allows a local user to gain root access.

The vulnerability is called "Copy Fail" (CVE-2026-31431) and is rated 7.8/10 (High) on the CVSS severity scale. Patches are already available for most distributions.

Here's what you need to know and what to do.

What is Copy Fail?

Copy Fail is a bug in a cryptographic component of the Linux kernel called algif_aead. This component has been part of the kernel since 2017, and the bug allows a local user to modify system files in memory to escalate their privileges to root.

Two important things to note: the vulnerability requires local access to your server — it cannot be exploited remotely over the internet. And it doesn't modify any files on disk, only in memory.

That said, if someone already has a user account on your server (even an unprivileged one), they could use this to become root. That's why it's important to patch.

Am I affected?

Run this command on your server:

bash

uname -r

If your kernel version is 4.13 or higher (which is the case for Ubuntu 18.04+, Debian 10+, CentOS 8+, and all recent distributions), your server is affected unless you've already applied the patch.

How to protect your server right now

Until you can update your kernel, you can disable the vulnerable component. This has no impact on most server workloads — the algif_aead module is used for specific cryptographic operations that typical web servers, databases, and applications don't need.

Run these two commands:

bash

echo -e "blacklist algif_aead\ninstall algif_aead /bin/false" | sudo tee /etc/modprobe.d/cve-2026-31431.conf
sudo rmmod algif_aead 2>/dev/null

That's it. The vulnerable module is now disabled and won't reload on reboot.

Note for RHEL, CentOS, Rocky Linux, and AlmaLinux users: on some enterprise kernels, the module is built into the kernel and can't be unloaded with the command above. In that case, add this to your kernel boot parameters and reboot:

bash

sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
sudo reboot

How to patch permanently

The real fix is a kernel update. Your distribution has likely already published (or will publish shortly) a patched kernel.

Ubuntu / Debian:

bash

sudo apt update && sudo apt upgrade -y
sudo reboot

RHEL / CentOS / Rocky / Alma:

bash

sudo dnf update -y
sudo reboot

Amazon Linux:

bash

sudo yum update -y
sudo reboot

After rebooting, verify your kernel was updated:

bash

uname -r

You should see a kernel version dated after April 2026. Once the patched kernel is running, you can remove the temporary workaround:

bash

sudo rm /etc/modprobe.d/cve-2026-31431.conf

What about Docker containers?

If you run Docker, the fix needs to be applied on the host server, not inside the containers. Containers share the host's kernel, so updating the host kernel protects all containers running on it.

What about Dedimax servers?

All Dedimax Cloud, VPS, and Dedicated servers give you full root access, so you can apply the temporary fix and the kernel update yourself using the commands above.

If you need help, our support team is available to assist you.

Summary

1. Check if you're affected: uname -r — kernel 4.13+ means yes
2. Protect now: disable the algif_aead module (2 commands, no reboot needed)
3. Patch permanently: update your kernel and reboot when convenient

The vulnerability is serious but the fix is straightforward. A few commands and a reboot, and you're safe.