A critical Linux kernel vulnerability, CVE-2026-31431 ("Copy Fail"), was publicly disclosed on April 29, 2026. The vulnerability has been present in the Linux kernel since 2017 and affects all major distributions, including Ubuntu 24.04, 22.04, and 20.04. It allows any local user with shell access to escalate privileges to root without requiring special tools or conditions.

What We Did

We deployed an interim mitigation to all reachable servers via the RunCloud agent. It blocks the vulnerable kernel module from loading and closes the attack surface without requiring a reboot. It has been tested against Nginx, PHP, MySQL, SSH, and SSL with no impact on normal operation.

Servers that were offline, had the agent stopped, or had firewall rules blocking agent communication at the time of deployment were not reached automatically.

Permanent Patch

Ubuntu has not released an official patched kernel at the time of writing. Once available, it will appear as a kernel update in your RunCloud dashboard. After applying the update and rebooting, the interim mitigation can be safely removed. Servers that were automatically patched by RunCloud will have the interim fix cleaned up on our end once the official kernel update is confirmed to have been applied.

Track Ubuntu's release here: https://ubuntu.com/security/CVE-2026-31431

Recommended: Keep Security Updates Turned On

Navigate to your Server Settings and confirm that Enable Security Updates is turned on. While enabled by default, confirm that it is enabled on your servers to ensure critical kernel and security patches are automatically applied.

Full Details & Next Steps

For verification steps and instructions on how to manually apply the interim fix, see our full write-up on our community forum.