Mitigation and Remediation for CVE-2026-31431 ("Copy Fail") in ROSA Classic and OpenShift Dedicated

Environment

  • Red Hat OpenShift Service on AWS (ROSA Classic)
    • 4
  • Red Hat OpenShift Dedicated (OSD)
    • 4

Affected Versions and Severity

All Managed OpenShift clusters are confirmed to be affected by CVE-2026-31431 ("Copy Fail"), which has been classified as an important vulnerability.

Red Hat has released OpenShift updates that include patched kernels. The following versions contain the fix:

OpenShift release   Fixed version   Errata
4.21                4.21.14         RHSA-2026:13811
4.20                4.20.21         RHSA-2026:13862
4.19                4.19.30         RHSA-2026:13690
4.18                4.18.40         RHSA-2026:13727
4.16                4.16.61         RHSA-2026:13729

NOTE:

  • You should upgrade your cluster to an OpenShift release that includes the fix (see version list above).
  • For clusters that cannot be upgraded immediately, a mitigation is available as detailed below.

Mitigation Steps

NOTE: If you are using AEAD (Authenticated Encryption with Associated Data) algorithms in your cluster, then you should not use this mitigation to patch your clusters, because it disables the kernel's AEAD userspace interface.

The mitigation adds a kernel command line argument that blacklists the algif_aead module's initcall, so the module is never initialized at boot. Once this configuration is applied, the worker nodes will reboot sequentially.

Note: An alternative mitigation approach is also available that does not require a node reboot. The details of this mitigation approach are available in this Knowledgebase article.

Depending on your specific managed OpenShift environment, please follow the steps below to ensure your clusters are patched and protected:

ROSA Classic and OSD (CCS)

  • Control Plane Nodes: The mitigation has been applied by Red Hat.
  • Worker and Infrastructure Nodes: Customers will need to apply the mitigation at a time of their choosing.

NOTE: The remediation will initiate a rolling reboot of the worker and infrastructure nodes (one node at a time).

NOTE: The commands provided below are applicable for a standard Linux or Unix-based shell environment (such as bash or zsh).

Prerequisites

The mitigation for worker nodes leverages the Node Tuning Operator to update the MachineConfig of the machinepools.

Confirm that you have the necessary permissions to create a Tuned resource:

oc auth whoami -ojsonpath="{.status.userInfo.groups}"
["cluster-admins","system:authenticated:oauth","system:authenticated"]

The resulting output must include the cluster-admins group.

Procedure

  1. Apply the Tuned config
oc apply -f - <<'EOF'
apiVersion: tuned.openshift.io/v1
kind: Tuned
metadata:
  name: disable-algif
  namespace: openshift-cluster-node-tuning-operator
spec:
  profile:
  - data: |
      [main]
      summary=Disable algif_aead via kernel boot parameters
      [bootloader]
      # This tells the NTO to append the blacklist to the kernel cmdline
      cmdline_disable_algif=initcall_blacklist=algif_aead_init
    name: disable-algif-profile
  recommend:
  - machineConfigLabels:
      machineconfiguration.openshift.io/role: worker
    priority: 10
    profile: disable-algif-profile
EOF

Important: this will result in a rolling reboot of all the nodes in the pool.

  2. Watch the MachineConfigPool until it finishes rolling out. Wait for UPDATED=True and DEGRADED=False.
oc wait mcp/worker --for=condition=Updated=True --timeout=30m

Alternatively, watch progress interactively:

oc get mcp worker -w
  3. Pick a worker node to verify:
WORKER_NODE="$(oc get nodes -l node-role.kubernetes.io/worker -o jsonpath='{.items[0].metadata.name}')"

Check that the kernel argument is present on the boot command line:

oc debug "node/${WORKER_NODE}" -- chroot /host cat /proc/cmdline | grep -- 'initcall_blacklist'

Example Output:

BOOT_IMAGE=(hd0,gpt1)/ostree/rhcos/vmlinuz-5.14.0-570.60.1.el9_6.x86_64 rhcos.root=crypt_rootfs random.trust_cpu=on console=tty0 console=ttyS0,115200n8 rd.luks.options=discard ostree=/ostree/boot.1/rhcos/0 ignition.platform.id=aws systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0 initcall_blacklist=algif_aead_init

Check dmesg for confirmation the initcall was blacklisted:

oc debug "node/${WORKER_NODE}" -- chroot /host dmesg | grep -- 'blacklisted'

Example Output:

[    2.084817] initcall algif_aead_init blacklisted
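The verification step above checks a single worker node. The following script, added here as an example and not part of the Red Hat article, extends that check to every node matching a label selector (the worker role label is assumed as the default), requiring the kernel argument to be present as a whole token and the dmesg confirmation to be present, and reports any node still missing the mitigation.

```shell
#!/usr/bin/env bash
# Added example (not from the Red Hat article): verify the "Copy Fail"
# mitigation on every node in a pool rather than on one node.
# Assumes `oc` is logged in with cluster-admin (same prerequisite as above).
set -eu

# The kernel argument appended by the disable-algif Tuned profile.
EXPECTED_ARG="initcall_blacklist=algif_aead_init"

# Return 0 if the kernel command line carries the blacklist argument as a
# whole token (a substring match alone could be fooled by a different value).
cmdline_has_mitigation() {
  cmdline="$1"
  for tok in $cmdline; do
    [ "$tok" = "$EXPECTED_ARG" ] && return 0
  done
  return 1
}

# Return 0 if dmesg confirms the initcall was actually blacklisted at boot.
dmesg_confirms_mitigation() {
  printf '%s\n' "$1" | grep -q 'initcall algif_aead_init blacklisted'
}

# Check every node matching the selector and print a per-node verdict.
# Returns 1 if any node lacks either confirmation.
verify_pool() {
  selector="${1:-node-role.kubernetes.io/worker}"   # assumption: worker label
  rc=0
  for node in $(oc get nodes -l "$selector" -o jsonpath='{.items[*].metadata.name}'); do
    cmdline="$(oc debug "node/${node}" -- chroot /host cat /proc/cmdline 2>/dev/null || true)"
    dmesg="$(oc debug "node/${node}" -- chroot /host dmesg 2>/dev/null || true)"
    if cmdline_has_mitigation "$cmdline" && dmesg_confirms_mitigation "$dmesg"; then
      echo "OK       ${node}"
    else
      echo "MISSING  ${node}"
      rc=1
    fi
  done
  return $rc
}

# Run the cluster-wide check only when invoked as: ./verify.sh --verify [selector]
if [ "${1:-}" = "--verify" ]; then
  verify_pool "${2:-node-role.kubernetes.io/worker}"
fi
```

Run it after the MachineConfigPool reports Updated=True; a MISSING line for any node means that node has not yet rebooted onto the patched command line.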

OSD Classic (non-CCS)

For standard OSD Classic non-CCS environments (infrastructure bundled along with OSD subscriptions), customers may open a support case and reach out to request the remediation of this vulnerability prior to the release of the OpenShift update containing the fix.

The solutions for each environment are listed below.

Environment   Solution
RHEL          Is my RHEL system vulnerable to the Copy Fail (CVE-2026-31431) flaw?
OCP           How to Mitigate issue mentioned in CVE-2026-31431 in OpenShift 4
ARO           Mitigation for CVE-2026-31431 ("Copy Fail") in Azure Red Hat OpenShift
ROSA          Mitigation and Remediation for CVE-2026-31431 ("Copy Fail") in ROSA Classic and OpenShift Dedicated