We have observed that the GitHub Actions runners are still using Ubuntu 24, which is known to be vulnerable to the recently disclosed CVE-2026-31431 ("Copy Fail") vulnerability.
As we are using the latest version of the runners, we are concerned about the potential security risks associated with this issue. Could you please clarify:
-
Are there any mitigations already in place for this vulnerability on the current runner images?
-
If not, what steps are being taken to address this vulnerability, and is there an expected timeline for a patched version of the runner images?
-
Are there any steps we can take to mitigate the risk partially or fully ourselves?
Thank you in advance for your time.
Runner Version and Platform
ARC Version 0.14.1
ARC Scaleset version 0.14.1
actions runner image version 2.334.0
OS of the machine running the runner? OSX/Windows/Linux/...
Ubuntu 24
We have observed that the GitHub Actions runners are still using Ubuntu 24, which is known to be vulnerable to the recently disclosed CVE-2026-31431 ("Copy Fail") vulnerability.
As we are using the latest version of the runners, we are concerned about the potential security risks associated with this issue. Could you please clarify:
Are there any mitigations already in place for this vulnerability on the current runner images?
If not, what steps are being taken to address this vulnerability, and is there an expected timeline for a patched version of the runner images?
Are there any steps we can take to mitigate the risk partially or fully ourselves?
Thank you in advance for your time.
Runner Version and Platform
ARC Version 0.14.1
ARC Scaleset version 0.14.1
actions runner image version 2.334.0
OS of the machine running the runner? OSX/Windows/Linux/...
Ubuntu 24