Revision ad922f59-e0bf-48a0-b6ff-5ddf71076336

We are running a bunch of containers for a cyber security teaching environment, where students can execute arbitrary commands (unprivileged).

Our system (Ubuntu 24.04.4 LTS) is affected by the recently-published ["Copy Fail"](https://copy.fail/) vulnerability (CVE-2026-31431).

Unfortunately, updating did not produce any new kernel packages, and we are still stuck with 6.8.0-110:
```
# uname -a
Linux teaching-host 6.8.0-110-generic #110-Ubuntu SMP PREEMPT_DYNAMIC Thu Mar 19 15:09:20 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
```
[PoC exploit](https://github.com/theori-io/copy-fail-CVE-2026-31431/blob/main/copy_fail_exp.py) (makes `su` not ask for passwords until reboot):
```
$ cat exploit.py | python3 && su
# id
uid=0(root) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),101(lxd),988(docker)
```

How can we harden our system until an official patch package becomes available?