Per-distro mitigation scripts for CVE-2026-31431 ("Copy Fail") — a Linux kernel algif_aead local privilege escalation that affects essentially every distro shipped since 2017.
Each script either installs a patched kernel from your distribution's repos (when one is available) or, if not, blacklists the vulnerable algif_aead kernel module so the exploit path is closed until you can reboot onto a fixed kernel.
Pick the script for your distro, audit it, run it as root.
```bash
# Ubuntu
sudo bash scripts/ubuntu.sh
# Debian
sudo bash scripts/debian.sh
# RHEL / Rocky / AlmaLinux / CentOS Stream
sudo bash scripts/rhel.sh
# Fedora
sudo bash scripts/fedora.sh
# Arch
sudo bash scripts/arch.sh
# openSUSE Leap / Tumbleweed
sudo bash scripts/opensuse.sh
# Alpine
sudo bash scripts/alpine.sh
# Anything else (Gentoo, NixOS, immutable distros, ...)
sudo bash scripts/universal.sh
```

Use `--check` first if you want a preview that changes nothing.
Per-distro scripts run this algorithm; universal.sh skips steps 4–5.
1. Sudo up. Re-execs under `sudo` if not already root.
2. Confirm the distro. Refuses to run on a mismatched host unless `--force`.
3. Read `uname -r`.
4. Already patched? If `PATCHED_KERNEL_VERSION` is recorded for your distro and your running kernel is at or above it, the script removes any leftover mitigation file and exits.
5. Patch available? Asks your package manager. If a candidate kernel ≥ the patched version is available, prompts you (`--yes` to skip) to install it. After install, you reboot manually.
6. Mitigate. If no patched kernel is available yet (or you declined), writes `/etc/modprobe.d/cve-2026-31431.conf` with `blacklist algif_aead` and `install algif_aead /bin/true`, then verifies via an `AF_ALG` socket-bind probe that the exploit path is closed.

PATCHED_KERNEL_VERSION = PENDING means the maintainers haven't yet recorded a fixed kernel version for that distro. Each row updates via a one-line PR.

| Distro | Kernel package | Patched version | Last checked |
|---|---|---|---|
| Ubuntu (24.04) | linux-image-generic | PENDING | 2026-05-01 |
| Debian | linux-image-amd64 | PENDING | 2026-05-01 |
| RHEL / Rocky / Alma | kernel | PENDING | 2026-05-01 |
| Fedora | kernel | PENDING | 2026-05-01 |
| Arch | linux | PENDING | 2026-05-01 |
| openSUSE | kernel-default | PENDING | 2026-05-01 |
| Alpine | linux-lts | PENDING | 2026-05-01 |

| Flag | Meaning |
|---|---|
| `-y`, `--yes` | Non-interactive; skip the kernel-install prompt. |
| `--force` | Bypass the distro-mismatch check. |
| `--check` | Read-only preview; print what would happen, change nothing. |
| `--undo` | Remove `/etc/modprobe.d/cve-2026-31431.conf`. Use after a patched kernel is installed. |
| `-h`, `--help` | Usage info. |

The scripts run this probe automatically. To check yourself:
```bash
python3 - <<'PY'
import socket, errno
try:
    s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    s.bind(("aead", "authencesn(hmac(sha1),cbc(aes))"))
    print("BAD: bind succeeded — host is NOT mitigated")
    s.close()
except OSError as e:
    print(f"OK: bind blocked, errno={e.errno} ({e.strerror})" if e.errno == errno.ENOENT
          else f"INCONCLUSIVE: errno={e.errno}")
PY
```

A mitigated or patched host prints `OK: bind blocked, errno=2 ...`.
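
The bind probe tests the running kernel; the file written in the mitigation step can also be audited on disk. The function below is an added example, not part of this repository's scripts: `audit_copyfail_mitigation` and its status words are hypothetical names, and it assumes the two directives appear one per line in a `.conf` file under the given directory.

```bash
# Added example, not part of the repository's scripts.
# audit_copyfail_mitigation and its status words are hypothetical names.
# Usage: audit_copyfail_mitigation [modprobe_dir] [proc_modules_file]
#   prints MITIGATED    (returns 0) both directives present, module not loaded
#   prints MISSING_CONF (returns 1) one or both directives absent
#   prints LOADED       (returns 2) directives present, module already resident
audit_copyfail_mitigation() {
    local dir="${1:-/etc/modprobe.d}"
    local modules="${2:-/proc/modules}"
    local has_blacklist=0 has_install=0 f
    # modprobe treats '-' and '_' in module names as the same character.
    local name='algif[-_]aead' ws='[[:space:]]'

    for f in "$dir"/*.conf; do
        [ -r "$f" ] || continue
        if grep -Eq "^${ws}*blacklist${ws}+${name}${ws}*\$" "$f"; then
            has_blacklist=1
        fi
        if grep -Eq "^${ws}*install${ws}+${name}${ws}+/bin/true${ws}*\$" "$f"; then
            has_install=1
        fi
    done

    if [ "$has_blacklist" -ne 1 ] || [ "$has_install" -ne 1 ]; then
        echo MISSING_CONF
        return 1
    fi
    # modprobe.d only governs future load requests; a module that is already
    # in memory stays available until it is unloaded or the host reboots.
    if [ -r "$modules" ] && grep -q '^algif_aead ' "$modules"; then
        echo LOADED
        return 2
    fi
    echo MITIGATED
    return 0
}
```

Called with no arguments it reads `/etc/modprobe.d` and `/proc/modules`; a `LOADED` result means the configuration is in place but the module was loaded before it took effect.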
After your distro publishes a fixed kernel and you reboot onto it, remove the modprobe blacklist so applications that legitimately use AF_ALG aead can work again:
```bash
sudo bash scripts/<your-distro>.sh --undo
```

When your distro publishes a fixed kernel:
- Edit one line in `scripts/<distro>.sh` — set `PATCHED_KERNEL_VERSION` to the fixed package version (in the format `dpkg-query -W` / `rpm -q VERSION-RELEASE` / `pacman -Q` returns).
- Update the corresponding row in this README's patch-status table.
- Open a PR titled `<distro>: fix shipped in <version>`.

Security mitigation tooling. Audit any script you find on the internet before piping it into sudo bash. The maintainers accept no liability under the MIT license.
MIT.