copy.fail (CVE-2026-31431)

April 29, 2026 at 9:00 AM UTC

API, Single-Sign On, Virtual Servers, Link Helpdesks

Resolved after 2d 3h 0m May 1, 2026 at 12:00 PM UTC

We were made aware of CVE-2026-31431 on the afternoon of 29 April via our threat intelligence feeds and later via a CERT-EU advisory. This affected our systems running Rocky Linux 9 as well as our legacy systems running Debian 13. Patches were not immediately available; however, mitigations could be applied.

Rocky Linux 9

Most of our core systems, including those supporting internal infrastructure and single-sign on, are running Rocky Linux 9. This is based on Red Hat Enterprise Linux 9. Unfortunately, the kernel does not have the algif_aead subsystem compiled as a loadable module, so it cannot be unloaded at runtime. Our only option was to prevent the code from initialising by adding a kernel argument at boot time and then rebooting.

    grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
    reboot

Our Prometheus-based monitoring was able to verify all services returning after reboots.

Debian 13

Some Link Secure Digital Helpdesks hosted on behalf of the Centre for Digital Resilience use our legacy deployment model. For these systems we were able to remove the offending module without requiring a reboot:

    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
    rmmod algif_aead 2>/dev/null

Verification

To ensure that the mitigation was applied across all hosts, we use Ansible:

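    - name: Verify CVE-2026-31431 mitigation
      # shell, not command: the pipe to grep needs a shell to interpret it
      ansible.builtin.shell: "lsmod | grep -E '^{{ item }}\\s'"
      loop:
        - algif_aead # copy fail
      register: module_check
      # grep exits 1 when the module is absent from lsmod, which is the passing case
      failed_when: module_check.rc != 1
      changed_when: false
      check_mode: false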
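
The Ansible task above inspects lsmod, which lists only loadable modules, so on hosts where the code is built into the kernel the boot-argument mitigation has to be confirmed from the kernel command line instead. The following is an added example, not the operator's own tooling, that checks each mitigation against the matching evidence; the function names and the use of modules.builtin to tell the two cases apart are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the operator's tooling). Every path is a parameter so the
# checks can run against saved copies; the defaults are the live system files.

# True if algif_aead is compiled into the kernel image (the Rocky Linux 9 case).
is_builtin() {      # $1 = modules.builtin file
    grep -qs '/algif_aead\.ko$' "${1:-/lib/modules/$(uname -r)/modules.builtin}"
}

# True if the running kernel was booted with the initcall blacklisted.
# initcall_blacklist takes a comma-separated list of function names.
boot_arg_set() {    # $1 = kernel command line file
    tr ' ' '\n' < "${1:-/proc/cmdline}" |
        grep -Eq '^initcall_blacklist=([^,]+,)*algif_aead_init(,.*)?$'
}

# True if the loadable module is currently resident.
module_loaded() {   # $1 = module list file
    grep -q '^algif_aead ' "${1:-/proc/modules}"
}

# True if a modprobe.d file redirects loading of the module to /bin/false.
load_blocked() {    # $1 = modprobe.d directory
    grep -Eqs '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false' \
        "${1:-/etc/modprobe.d}"/*.conf
}

# Prints boot-arg, module-blocked or UNMITIGATED; non-zero exit when unmitigated.
# Arguments: cmdline file, module list, modprobe.d dir, modules.builtin file.
mitigation_state() {
    if is_builtin "$4"; then
        boot_arg_set "$1" && { echo boot-arg; return 0; }
    elif ! module_loaded "$2" && load_blocked "$3"; then
        echo module-blocked; return 0
    fi
    echo UNMITIGATED; return 1
}

# Constructed sample: a built-in kernel booted with the argument from this page.
demo=$(mktemp -d)
echo 'kernel/crypto/algif_aead.ko' > "$demo/modules.builtin"
echo 'BOOT_IMAGE=/vmlinuz ro initcall_blacklist=algif_aead_init' > "$demo/cmdline"
mitigation_state "$demo/cmdline" /dev/null "$demo" "$demo/modules.builtin"
rm -rf "$demo"
```

Calling mitigation_state with no arguments checks the live host. A built-in kernel is reported as UNMITIGATED when only the modprobe.d file is present, because that file has no effect on code that is not a module.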

We do not run any systems where unrelated users have shell access to the host, meaning that this could only have been used as part of a chain of vulnerabilities first involving obtaining remote code execution as a user. For this reason we do not believe any exploitation was possible in our systems.

Further, an analysis of the protections offered by Podman, published shortly after by Gabriel Garrido, details how our new deployment architecture would have further limited the “blast radius” of this kind of vulnerability had exploitation been possible.

In light of this, we will be prioritising a move of the remaining Link helpdesks using the legacy model to our new Rocky Linux 9 model.

As always, if you have any concerns please contact our helpdesk.

Last updated: May 22, 2026 at 11:02 AM UTC