
We are running a bunch of containers for a cyber security teaching environment, where students can execute arbitrary commands (unprivileged).

Our system (Ubuntu 24.04.4 LTS) is affected by the recently-published "Copy Fail" vulnerability (CVE-2026-31431).

Unfortunately, updating did not produce any new kernel packages, and we are still stuck with 6.8.0-110:

# uname -a
Linux teaching-host 6.8.0-110-generic #110-Ubuntu SMP PREEMPT_DYNAMIC Thu Mar 19 15:09:20 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux

PoC exploit (makes su not ask for passwords until reboot):

$ cat exploit.py | python3 && su
# id
uid=0(root) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),101(lxd),988(docker)

How can we harden our system until an official patch package becomes available?

  • We tested the PoC, and it worked on our system (which is fully patched). I've edited the question. Commented yesterday
  • Please post the algif_aead disablement as an answer. Commented yesterday
  • @Rinzwind Yes, the linux-hwe-6.8 package is in the 22.04 release. 24.04 has 6.8 as its base kernel, not as HWE. Commented yesterday
  • The specific PoC exploit appears to make /bin/su immediately run a shell. It uses setuid to work, so disabling that in fstab or setting NoNewPrivileges will stop the PoC. The PoC didn't escape my Docker container. However, their GitHub said the underlying vulnerability is page cache corruption and running the PoC poisons /bin/su until reboot, so the exploit can be modified to target /usr/lib/systemd/systemd-executor and wait for a systemd.timer to trigger, and this won't be patched by nosuid. Commented 23 hours ago
  • @Paul I edited the question to mention the harm. Commented 6 hours ago

1 Answer

As a temporary mitigation, the Copy Fail website suggests disabling the algif_aead module:

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true

We tested that and it prevented the PoC exploit. This mitigation may come with some caveats in very specific configurations (see link), but in our case everything appears to work normally.

  • Welcome to Ask Ubuntu! Commented yesterday
  • If running as a normal user, you get Permission denied on the /etc/modprobe.d/disable-algif.conf creation. Try running the first line with sudo tee, as in echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf, before removing the algif_aead module with rmmod algif_aead 2>/dev/null || true. Commented 19 hours ago
  • ...and I guess I would reactivate after a kernel fix and the corresponding update? What would that look like? Cheers. Commented 15 hours ago
  • @mikuszefski This can be undone by deleting the added file. But leaving it disabled is harmless unless you have a very performance-critical application. Commented 15 hours ago
  • @DanielT Perfect. A complete post then ;) Cheers. Commented 15 hours ago
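The answer and its comments describe the mitigation as two commands plus a manual undo. The following script is an added example, not code from the answer above or from the Copy Fail advisory: it wraps the same "install algif_aead /bin/false" override and rmmod in idempotent helpers, checks the result, and provides the revert step the comments asked about. The modprobe.d directory and the /proc/modules-style listing are passed as arguments so the check helpers can be exercised without root; the file name disable-algif.conf is kept from the answer. An "install" line is used rather than "blacklist" because "blacklist" only suppresses alias-based loading, while an AF_ALG socket request causes the kernel to ask modprobe to load the module by name, and only an "install" override makes that request fail.

```shell
#!/bin/sh
# Added example (not from the original post): apply, verify and revert the
# algif_aead module override suggested as a Copy Fail stop-gap.
# Assumptions: POSIX sh, GNU/BusyBox awk and grep; paths are parameters so
# the helpers can be tested against a constructed module list.

MODULE="algif_aead"
CONF_NAME="disable-algif.conf"

# Write "install <module> /bin/false" into the modprobe.d directory given as
# $1 and print the path of the file written. modprobe then runs /bin/false
# instead of loading the module, so later autoload requests fail.
write_modprobe_conf() {
    dir="$1"
    conf="$dir/$CONF_NAME"
    mkdir -p "$dir"
    printf 'install %s /bin/false\n' "$MODULE" > "$conf"
    printf '%s\n' "$conf"
}

# Return 0 if the module appears in a /proc/modules-style listing ($1).
# The module name is the first field of each line.
module_loaded() {
    awk -v m="$MODULE" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# Return 0 if some *.conf in the modprobe.d directory ($1) carries an
# install override for the module. grep -s hides "no such file" noise when
# the directory is empty or missing.
override_present() {
    grep -qs "^install[[:space:]][[:space:]]*$MODULE[[:space:]]" "$1"/*.conf
}

# Live system: needs root. rmmod fails if the module is in use (an open
# AF_ALG aead socket); the override still blocks any reload, and a reboot
# finishes the job. Returns 0 only when the override is in place and the
# module is no longer loaded.
apply_mitigation() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    write_modprobe_conf /etc/modprobe.d >/dev/null
    if module_loaded /proc/modules; then
        rmmod "$MODULE" 2>/dev/null \
            || echo "warning: $MODULE still loaded (in use?); reboot to unload" >&2
    fi
    override_present /etc/modprobe.d && ! module_loaded /proc/modules
}

# Revert once a fixed kernel is installed: remove the override file. The
# module is loaded again on demand (or after reboot); no further action needed.
revert_mitigation() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    rm -f "/etc/modprobe.d/$CONF_NAME"
}

# Status report usable without root.
status() {
    if override_present /etc/modprobe.d; then echo "override: present"; else echo "override: absent"; fi
    if module_loaded /proc/modules; then echo "$MODULE: loaded"; else echo "$MODULE: not loaded"; fi
}

case "${1:-}" in
    apply)  apply_mitigation ;;
    revert) revert_mitigation ;;
    status) status ;;
esac
```

Run as `sudo sh copyfail-mitigate.sh apply`, check with `sh copyfail-mitigate.sh status`, and after the fixed kernel package lands run `sudo sh copyfail-mitigate.sh revert`. The status check is worth scripting into monitoring for the teaching hosts, since a module that was in use at apply time stays loaded until the next reboot.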
