We are running a bunch of containers for a cyber security teaching environment, where students can execute arbitrary commands (unprivileged).

Our system (Ubuntu 24.04.4 LTS) is affected by the recently-published "Copy Fail" vulnerability (CVE-2026-31431).

Unfortunately, updating did not produce any new kernel packages, and we are still stuck with 6.8.0-110:

# uname -a
Linux teaching-host 6.8.0-110-generic #110-Ubuntu SMP PREEMPT_DYNAMIC Thu Mar 19 15:09:20 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux

PoC exploit (makes su not ask for passwords until reboot):

$ cat exploit.py | python3 && su
# id
uid=0(root) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),101(lxd),988(docker)

How can we harden our system until an official patch package becomes available?