How do I fix CVE-2026-31431 on Ubuntu 24.04 LTS?

As a temporary mitigation, the Copy Fail website suggests disabling the algif_aead module:

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true

We tested that and it prevented the PoC exploit. This mitigation may come with some caveats in very specific configurations (see link), but in our case everything appears to work normally.

While the website may be down, the security email list continues to work apparently and they have emailed about a mitigation there in an email from 30.04.2026 18:06 CET.

The issue should be mitigated for now thanks to USN-8226-1 and USN-8226-2. It more or less applies the same mitigations suggested by the researchers, but right in kmod and through an update, the upside being that the kernel module will probably be reactivated when the issue has been fully patched, without any manual intervention besides needing to apply updates.

The description of this USN reads:

kmod has been updated to block loading of the algif_aead kernel module.

It suggest the following updates:

Ubuntu 25.10 kmod 34.2-2ubuntu1.1

Ubuntu 24.04 LTS kmod
31+20240202-2ubuntu7.2

Ubuntu 22.04 LTS kmod 29-1ubuntu1.1

Ubuntu 20.04 LTS kmod 27-1ubuntu2.1+esm1 Available with Ubuntu Pro

Ubuntu 18.04 LTS kmod 24-1ubuntu3.5+esm1 Available with Ubuntu Pro

Ubuntu 16.04 LTS kmod 22-1ubuntu5.2+esm1 Available with Ubuntu Pro

Ubuntu 14.04 LTS kmod 15-0ubuntu7+esm1 Available with Ubuntu Pro

This mitigation can be applied using:

sudo apt update && sudo apt install --only-upgrade kmod
sudo rmmod algif_aead

The mitigation works effectively and without a reboot (given that the module wasn't loaded at all or rmmod was used like suggested above), though a reboot is probably recommended:

wget https://github.com/theori-io/copy-fail-CVE-2026-31431/raw/main/copy_fail_exp.py -O /tmp/copy_fail_exp.py
python3 /tmp/copy_fail_exp.py

Result:

Traceback (most recent call last):                                             
  File "/tmp/copy_fail_exp.py", line 9, in <module>                            
    while i<len(e):c(f,i,e[i:i+4]);i+=4                                        
                   ^^^^^^^^^^^^^^^                                             
  File "/tmp/copy_fail_exp.py", line 5, in c                                   
    a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=2
79;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accep
t();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\
x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno()
,o)                                                                            
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^    
FileNotFoundError: [Errno 2] No such file or directory

It looks like binding to an aead socket was successfully prevented.

They link the following blog and notices (may be not reachable now, but for future reference):

• https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
• https://ubuntu.com/security/notices/USN-8226-1
• https://ubuntu.com/security/notices/USN-8226-2

Kernel patches will probably become available in the near future as well, but due to the current state of the websites it is rather hard to get up-to-date information and I've yet to receive an email about it.