Situation
A vulnerability, CVE-2026-31431, has been discovered in the Linux kernel, within the algif_aead optimization added in 2017. It is not tied to a specific distribution and affects most major distributions. It affects the underlying operating system kernel, not cPanel itself.
Impact
On kernels since 2017 (starting around version 4.14) that contain an optimization for the AF_ALG crypto API, it is possible for a local user to obtain root-level access to a Linux server by modifying the page cache that the kernel reads when loading a binary. This is a logic bug that allows users to gain unauthorized root access to a Linux server without relying on a race condition.
Call to Action
For servers with KernelCare
If KernelCare is installed, you can patch the running kernel without a reboot. Run the following command to apply the latest livepatch:
CONFIG_TEXT: kcarectl --update
Then verify that CVE-2026-31431 is covered by the applied patch:
CONFIG_TEXT: kcarectl --patch-info | grep CVE-2026-31431
If both of the following are true, this indicates that KernelCare does not currently cover CVE-2026-31431 for the running kernel:
- kcarectl --update returns: There are no updates for this kernel yet
- kcarectl --patch-info | grep CVE-2026-31431 produces no output
In this case, proceed to the OS-specific instructions below.
For servers without KernelCare
Patched in kernel-4.18.0-553.121.1.lve.el7h.x86_64 and above
The patch is currently released to the CloudLinux testing repository. The command below enables that repository and updates the kernel:
CONFIG_TEXT: yum clean all && yum --enablerepo=cl7h_beta update 'kernel*'
Patched in kernel-4.18.0-553.121.1.lve.el8.x86_64 and above
The patch is currently released to the CloudLinux testing repository. The command below enables that repository and updates the kernel:
CONFIG_TEXT: yum clean all && yum --enablerepo=cloudlinux-updates-testing update 'kernel*'
Patched in kernel-4.18.0-553.121.1.el8_10 and above
A DNF update should download and install the new kernel:
CONFIG_TEXT: dnf clean metadata && dnf update kernel
Patched in kernel-5.14.0-611.49.2.el9_7 and above
A DNF update should download and install the new kernel:
CONFIG_TEXT: dnf clean metadata && dnf update kernel
Patched in kernel-6.12.0-124.52.2.el10_1 and above
A DNF update should download and install the new kernel:
CONFIG_TEXT: dnf clean metadata && dnf update kernel
Whether a server is vulnerable depends on the kernel and distribution; however, this should be patched in all Ubuntu versions at this time. Please see the article below for details:
https://ubuntu.com/security/CVE-2026-31431
Updating to the latest kernel should address this for all Ubuntu versions:
CONFIG_TEXT: apt update && apt upgrade
After the kernel update, reboot the server to ensure the new kernel is loaded.
CONFIG_TEXT: reboot
After the reboot, verify that the running kernel matches one of the patched versions from the list above:
CONFIG_TEXT: uname -r
If you are unable to update due to a patch not being available, we recommend performing the following steps to mitigate this. This will ensure the module is not loaded by the kernel on boot:
Add the module to the blacklist using grubby as below:
CONFIG_TEXT: grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
Then reboot the server so the new kernel argument takes effect:
CONFIG_TEXT: sudo reboot
To remove this mitigation later, use grubby with --remove-args:
CONFIG_TEXT: grubby --update-kernel=ALL --remove-args="initcall_blacklist=algif_aead_init"
Then reboot again so the new arguments are loaded:
CONFIG_TEXT: sudo reboot
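The post-reboot checks described above (comparing uname -r against the patched versions, and confirming the grubby mitigation is on the boot command line) can be combined into one script. This is an added example, not part of the original article or any vendor tooling; the function names are hypothetical, and it assumes only RHEL-family release strings (4.18.0, 5.14.0, 6.12.0 with an .el suffix) need mapping and that sort supports -V.

```shell
#!/bin/sh
# Added example (not vendor code): classify a host against the versions in this article.

# Minimum patched version-release per kernel series, taken from the list above.
min_patched() {
    case "$1" in
        4.18.0-*.el*)   echo "4.18.0-553.121.1" ;;
        5.14.0-*.el9*)  echo "5.14.0-611.49.2" ;;
        6.12.0-*.el10*) echo "6.12.0-124.52.2" ;;
        *)              echo "" ;;   # series not listed in the article
    esac
}

# Strip the distro suffix: 4.18.0-553.121.1.lve.el8.x86_64 -> 4.18.0-553.121.1
numeric_release() {
    printf '%s\n' "$1" | sed -nE 's/^([0-9]+\.[0-9]+\.[0-9]+-[0-9]+(\.[0-9]+)*).*/\1/p'
}

# True when version $1 >= version $2, using version-sort ordering.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# True when the boot command line blacklists algif_aead_init (value may be a comma list).
mitigation_active() {
    for arg in $1; do
        case "$arg" in
            initcall_blacklist=*)
                case ",${arg#initcall_blacklist=}," in
                    *,algif_aead_init,*) return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# Prints patched | mitigated | unpatched | unknown for a release string and a cmdline.
assess() {
    cur=$(numeric_release "$1"); min=$(min_patched "$1")
    if [ -n "$cur" ] && [ -n "$min" ] && ver_ge "$cur" "$min"; then echo patched
    elif mitigation_active "$2"; then echo mitigated
    elif [ -n "$cur" ] && [ -n "$min" ]; then echo unpatched
    else echo unknown
    fi
}

# Live check. A KernelCare livepatch does not change uname -r; use kcarectl --patch-info there.
assess "$(uname -r)" "$(cat /proc/cmdline 2>/dev/null)"
```

A result of unknown means the running kernel series is not one listed in this article, not that the host is safe.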