Issues on SR2® Cloud Status

[Resolved] Emergency patching for CVE-2026-48063 affecting WhatsApp channels

Fri, 22 May 2026 08:00:00 +0000

We have performed emergency patching to address a vulnerability, CVE-2026-48063, discovered in an open source component we use to provide WhatsApp functionality. As a result of this it may be necessary to relink your WhatsApp channel if you self-manage your handset. If we fully manage your instance, no action is required as we will test and relink the channel for you.

Due to the critical nature of this issue we have not been able to do this within a pre-scheduled maintenance window.

Instructions for relinking the channel can be found in our online documentation.

As always, if you have any concerns please contact our helpdesk.

New support telephone numbers

Thu, 14 May 2026 09:00:00 +0000

As part of our ongoing efforts to improve the resilience of our operations, we are currently migrating to a new telephony provider. We have taken the decision to move to a new number range with this move to reduce the complexity of the routing of inbound calls that would have occurred with number porting. Our existing phone numbers will be retired at the end of 2026.

For urgent issues requiring support, or if required for accessibility reasons, please use the following phone numbers:

Primary: +44 33 31 127 999
Alternate: +44 7469 477564

Please use the alternate number in the case of disruption to our primary telephony provider. Our telephone is answered between 9am to 5pm UK time when staff are available. Any voicemail left will be logged in our helpdesk, please make sure to leave your contact details in any voicemail message.

If you require the use of a text relay, we are happy for you to use a relay service to contact us. In the UK, use the Relay UK app and dial: 18001 033 31 127 999. Outside the UK, dial +44 151 494 1260 from the Relay UK app or textphone and ask to be connected with our number above.

For most issues, please continue to contact us via our email support channel at contact@sr2.uk optionally using our OpenPGP key.

We will be updating our website and other documentation over the coming weeks.

[Resolved] Nominet planned maintenance

Tue, 12 May 2026 05:00:00 +0000

We will be unable to process registration and modifications of .uk domain names during 05:00-08:00 UTC. All registry production systems will be unavailable. For a full list of services impacted, please see Registrar Resources. We expect service to resume without issue following this window.

Dirty Frag (CVE-2026-43284, CVE-2026-43500)

Fri, 08 May 2026 09:00:00 +0000

Similar to the recent copy.fail incident, another local privilege escalation vulnerability had been discovered in the Linux Kernel. We learned of this via our threat intelligence feeds on the 8th of May.

None of our systems had the affected kernel modules loaded and so exploitation was not possible. To verify this we use Ansible:

    - name: Verify CVE-2026-43284 and CVE-2026-43500 mitigation
      ansible.builtin.command: "lsmod | grep -E '^{{ item }}\\s'"
      loop:
        - esp4
        - esp6
        - rxrpc
      register: module_check
      failed_when: module_check.rc != 1
      changed_when: false
      check_mode: false

Our server systems are patched weekly and so we expect the affected modules to be updated in due course.

As always, if you have any concerns please contact our helpdesk.

WhatsApp Malicious Messages

Fri, 01 May 2026 09:00:00 +0000

A WhatsApp security advisory announced a discovered vulnerability, tracked as CVE-2026-23866, arises from incomplete validation of AI rich response messages that contain Instagram Reels references within WhatsApp.

This vulnerability allows a malicious user to craft a message that triggers the victim’s device to fetch and process media content from an external URL. In some cases, the media content may invoke OS‑controlled custom URL scheme handlers, potentially executing arbitrary code or launching unintended applications. The CVSS score of 4.3 indicates moderate impact and a non‑zero but limited likelihood of exploitation.

We have confirmed via MDM that all Android handsets operated by SR2 Communications have since upgraded to unaffected versions.

If you self-manage your handset for your Link helpdesk’s WhatsApp channel it is your responsibility to follow vendor security advisories and ensure that the handset operating system and applications are secured and regularly patched.

As always, if you have any concerns please contact our helpdesk.

[Resolved] copy.fail (CVE-2026-31431)

Wed, 29 Apr 2026 09:00:00 +0000

We were made aware of CVE-2026-31431 on the afternoon of the 29th April via our threat intelligence feeds and later via a CERT-EU advisory. This affected our systems running Rocky Linux 9 as well as our legacy systems running Debian 13. Patches were not immediately available however migrations could be applied.

Rocky Linux 9

Most of our core systems, including those supporting internal infrastructure and single-sign on, are running Rocky Linux 9. This is based on Red Hat Enterprise Linux 9. Unfortunately, the kernel does not have the algif_aead subsystem compiled as a module and our only option was to prevent the code from initialising via adding kernel arguments at boot time and subsequently rebooting.

grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
reboot

Our Prometheus-based monitoring was able to verify all services returning after reboots.

Debian 13

Some Link Secure Digital Helpdesks hosted on behalf of the Centre for Digital Resilience use our legacy deployment model. For these systems we were able to remove the offending module without requiring a reboot:

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
rmmod algif_aead 2>/dev/null

Verification

To ensure that the mitigation was applied across all hosts, we use Ansible:

    - name: Verify CVE-2026-31431 mitigation
      ansible.builtin.command: "lsmod | grep -E '^{{ item }}\\s'"
      loop:
        - algif_aead # copy fail
      register: module_check
      failed_when: module_check.rc != 1
      changed_when: false
      check_mode: false

We do not run any systems where unrelated users have shell access to the host, meaning that this could only have been used as part of a chain of vulnerabilities first involving obtaining remote code execution as a user. For this reason we do not believe any exploitation was possible in our systems.

Further, an analysis of the protections offered by Podman published shortly after by Gabriel Garrido details how our new deployment architecture would further have limited the “blast radius” of this kind of vulnerability should an exploitation have been possible.

In light of this, we will be prioritising a move of the remaining Link helpdesks using the legacy model to our new Rocky Linux 9 model.

As always, if you have any concerns please contact our helpdesk.

Updated .de verification requirements

Tue, 14 Apr 2026 00:00:00 +0000

In order to comply with NIS2, DENIC, the registry for .de, has introduced new registrant verification requirements, effective April 14, 2026.

What’s changing

Risk-based verification can result in domain deletion.

DENIC will begin flagging potentially invalid or suspicious registrant data and require it to be verified.

Here’s how the process will work:

When a registrant’s data is flagged, they will receive an email requesting that they use the link provided to upload the verification documents. If they don’t provide the verification documents within 30 days:

Their domain(s) will be suspended (DNS will stop working).
Their domain(s) will enter a 90-day quarantine period.

During the 90-day quarantine, they can complete verification to lift the suspension and reactivate their domain. If verification is not completed within 90 days, all associated domain names will be permanently deleted.

How to correct inaccurate data

Once a registrant has been flagged for verification, any inaccurate data can be corrected by processing:

an owner change (in cases where the email address must be changed or the registrant name must be substantially modified)
a contact update (in cases where a minor change to the registrant name or other data must be made)

Once the data has been updated, the new data must be verified within the original 30-day period. Failed email verification may trigger risk-based verification.

Starting April 14, 2026, if a registrant fails to complete email verification, it may trigger an expedited risk-based verification process:

The registrant will have 7 days (rather than 30) to provide the requested verification documents.
After 7 days, the domain will be suspended and enter the 90-day quarantine period if verification has not been completed.
At the end of the 90-day quarantine period, all associated domain names will be permanently deleted.

Get support

If you receive an email asking you to verify your details and do not know how to proceed, reach out to our support service by emailing contact@sr2.uk.

WhatsApp Message Send Issue

Wed, 25 Mar 2026 03:00:00 +0000

Resolved: This issue appears to only affect cases where no conversation history exists with the contact the message is sent to. Due to the nature of the helpdesk, messages are only sent to users that have already sent a message to the helpdesk, so we do not believe this issue will affect our users. We encourage you to get in touch if you do see any issues with your WhatsApp channel however we are no longer monitoring this situation closely. (16:15 UTC — Mar 31)

Monitoring: We are not aware of this issue affecting any helpdesk currently however we continue to monitor. A fix has been found by the upstream project and will be rolled out once released formally. (15:00 UTC — Mar 27)

Monitoring: We have been made aware of an issue with the WhatsApp integration that we use where for some accounts, mostly accounts that have been banned and subsequently unbanned, users are noticing errors on message send. A fix is being investigated by the integration developer. Technical details can be followed on GitHub at https://github.com/WhiskeySockets/Baileys/issues/2441. (03:00 UTC — Mar 25)

New Status Page

Tue, 17 Mar 2026 12:00:00 +0000

We have deployed this new status page that will allow us to keep you better informed during incidents and outages.

If you would like to see the old status page with the live monitoring details, this can now be found at https://livestatus.sr2.uk/.

.at Org field now determines registrant type

Thu, 12 Mar 2026 00:00:00 +0000

What’s changing

Effective immediately, the Org field for .at domains is optional. It should be completed only for legal entities, as it determines the registrant type. If data is provided in the Org field, the registrant will automatically be classified as a legal entity. As a result, their contact details will be displayed in the public WHOIS.

When submitting registrant data for a new registration, owner change, or contact update, the Org field must be left blank if the registrant is a private individual.

Get support

If you have a .at registration and do not know how to proceed, reach out to our support service by emailing contact@sr2.uk.

WhatsApp introducing usernames

Mon, 01 Dec 2025 12:00:00 +0000

Update - We have deployed updates to the WhatsApp channel and currently do not expect that there will be issues sending and receiving messages.

– 2026-03-17

Investigating - We’re aware that WhatsApp have begun rolling out a new feature replacing phone numbers with usernames. We are monitoring this rollout and making updates to our integration as it evolves, but we expect there to be minor disruptions to service until the roll out is complete.

– 2025-12-01