Security Advisory: CVE-2026-31431 (Copy Fail)
Hotfix Mitigation Applied on BlueOnyx Servers
Affected: All BlueOnyx installations running on AlmaLinux 8, 9, and 10 (with unpatched kernels):
- BlueOnyx 5210R
- BlueOnyx 5211R
- BlueOnyx 5212R
What is CVE-2026-31431?
CVE-2026-31431, nicknamed "Copy Fail", is a logic flaw in the Linux kernel’s algif_aead module (part of the AF_ALG cryptographic socket interface). It has existed in kernels since approximately 2017.
The vulnerability stems from an optimization that attempted “in-place” cryptographic operations in the AEAD (Authenticated Encryption with Associated Data) interface. Because the source and destination buffers come from different memory mappings, this optimization introduced unsafe behavior. An unprivileged local user can exploit it to corrupt kernel memory and achieve full root privilege escalation.
- Severity: High (CVSS 7.8) — trivial local root exploit.
- Exploit availability: Public proof-of-concept exists.
- Impact on BlueOnyx: Any customer or process with shell access (or via a compromised web application) could potentially escalate to root, compromising the entire server.
This affects virtually all major Linux distributions, including AlmaLinux, until the official kernel patch is backported and installed.
Our Immediate Action – Hotfix Applied
Since patched kernels are not yet available in the AlmaLinux repositories, we have taken proactive steps:
We have released an updated "swatch" RPM for BlueOnyx 5210R, 5211R, and 5212R. This updated RPM contains the script /usr/sausalito/sbin/hotfixes.sh, which automatically applies the mitigation upon installation.
The mitigation disables the vulnerable algif_aead kernel module by creating /etc/modprobe.d/disable-algif.conf with the line:
install algif_aead /bin/false
This prevents the module from loading and immediately unloads it if it was already active.
Additionally, every subsequent run of BlueOnyx’s Active Monitor now checks that the fix remains in place and re-applies it if necessary. This ensures continuous protection even if the configuration is altered.
This mitigation is safe and has negligible performance impact for the vast majority of web hosting workloads. Very few applications on BlueOnyx servers use the AF_ALG AEAD interface directly.
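To confirm on a server that the mitigation described above is in place, a check along the following lines can be used. This is an added example, not the contents of hotfixes.sh or Active Monitor's own check; the function names are chosen here, and it scans every *.conf file in /etc/modprobe.d rather than only disable-algif.conf.

```shell
#!/bin/sh
# Added example: verify the algif_aead mitigation from this advisory.
# Function names are chosen for this example. Paths are parameters so the
# checks can run against fixtures; defaults are the live locations.

# Succeeds if a *.conf file in the directory has an active (uncommented)
# "install algif_aead /bin/false" line. modprobe treats "-" and "_" in
# module names as equivalent, so "algif-aead" is accepted too.
aead_install_blocked() {
    conf_dir=${1:-/etc/modprobe.d}
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        if awk '{ m = $2; gsub(/-/, "_", m) }
                $1 == "install" && m == "algif_aead" && $3 == "/bin/false" { ok = 1 }
                END { exit !ok }' "$f"; then
            return 0
        fi
    done
    return 1
}

# Succeeds if algif_aead appears as a loaded module (first column of
# /proc/modules, where names always use underscores).
aead_module_loaded() {
    awk '$1 == "algif_aead" { hit = 1 } END { exit !hit }' "${1:-/proc/modules}"
}

# Runs both checks, prints one line per check, returns non-zero on any failure.
check_copy_fail_mitigation() {
    rc=0
    if aead_install_blocked "${1:-/etc/modprobe.d}"; then
        echo "OK: install rule for algif_aead found"
    else
        echo "FAIL: no active 'install algif_aead /bin/false' rule"; rc=1
    fi
    if aead_module_loaded "${2:-/proc/modules}"; then
        echo "FAIL: algif_aead is currently loaded"; rc=1
    else
        echo "OK: algif_aead is not loaded"
    fi
    return $rc
}

# Run against the live system only when asked to: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_copy_fail_mitigation
fi
```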
What This Means for You
- Your BlueOnyx server is now protected against this specific CVE as soon as the updated swatch RPM is installed.
- No downtime was required.
- The fix is fully reversible once AlmaLinux releases the official kernel update (we will notify you and remove the hotfix automatically where possible).
- Normal operations (web, mail, FTP, databases, etc.) are unaffected.
Next Steps & Timeline
- Update your system to receive the latest swatch RPM: dnf clean all && dnf update -y
- We continue monitoring AlmaLinux errata and will roll out the official kernel update as soon as it becomes available.
- Once the patched kernel is installed and verified, we will clean up the temporary mitigation.
Questions?
If you have any concerns or run custom software that might rely on AF_ALG AEAD (rare), please open a support ticket and we will assist you personally.
We take the security of your BlueOnyx hosting environment very seriously and act quickly on emerging threats like this one.
— The BlueOnyx Team