Is my RHEL system vulnerable to the Copy Fail (CVE-2026-31431) flaw?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 10

Issue

  • Is my RHEL system vulnerable to the Copy Fail (CVE-2026-31431) flaw?

Resolution

Important: The information in this Solution is provided for convenience. Please refer to our CVE page and Security Bulletin for the latest information.

CVE page & Security Bulletin:

Instruction to update

  • A patched kernel version is now available:

  RHEL Version        RHSA ID          Patched Kernel Version
  RHEL 7 and earlier  N/A              Not affected, vulnerable code not present
  RHEL 8.8 E4S        RHSA-2026:13681  kernel-4.18.0-477.139.1.el8_8
  RHEL 8              RHSA-2026:13577  kernel-4.18.0-553.123.1.el8_10
  RHEL 9.2 E4S        RHSA-2026:13734  kernel-5.14.0-284.169.1.el9_2
  RHEL 9.4 EUS        RHSA-2026:13932  kernel-5.14.0-427.124.1.el9_4
  RHEL 9.6 EUS        RHSA-2026:14339  kernel-5.14.0-570.112.1.el9_6
  RHEL 9              RHSA-2026:19225  kernel-5.14.0-687.5.3.el9_8
  RHEL 10.0 EUS       RHSA-2026:13887  kernel-6.12.0-55.71.1.el10_0
  RHEL 10             RHSA-2026:19074  kernel-6.12.0-211.7.3.el10_2

  1. Apply the latest kernel security updates:

    # dnf update kernel
    
  2. Revert the mitigation if it was applied

    See below "Reverting the Mitigation".

  3. Reboot the system

    # reboot
    


Mitigation (Legacy)

This section is retained for legacy reasons.
We recommend that you install the patched kernel instead, since this mitigation might have a performance impact on functionality that uses kernel cryptographic functions.
If you have installed the patched kernel, we recommend that you revert the mitigation.

The mitigation mentioned in CVE-2026-31431 is to add a boot argument in the boot loader. See the steps below:

  1. Run the command below to append the option to the kernel command line

    # grubby --update-kernel=ALL --args='initcall_blacklist=algif_aead_init'
    
  2. On IBM Z only, execute zipl

    # zipl
    
  3. Reboot the system

    # reboot
    
  4. Verification: once rebooted, verify the parameter

    # cat /proc/cmdline | grep initcall_blacklist
    BOOT_IMAGE=(hd0,gpt2)/vmlinuz<...> initcall_blacklist=algif_aead_init
    

Reverting the Mitigation

Once the RHSA is available and installed, reverse the mitigation with the steps below:

  1. Run the command below to remove the option from the kernel command line

    # grubby --update-kernel=ALL --remove-args='initcall_blacklist=algif_aead_init'
    
  2. On IBM Z only, execute zipl

    # zipl
    
  3. Reboot the system

    # reboot
    
  4. Verification: once rebooted, verify the parameter has been removed

    # cat /proc/cmdline | grep initcall_blacklist
    <... no output ...>
    

The solutions below are detailed for each environment:

  Environment  Solution
  RHEL         Is my RHEL system vulnerable to the Copy Fail (CVE-2026-31431) flaw?
  OCP          How to Mitigate issue mentioned in CVE-2026-31431 in OpenShift 4
  ARO          Mitigation for CVE-2026-31431 ("Copy Fail") in Azure Red Hat OpenShift
  ROSA         Mitigation and Remediation for CVE-2026-31431 ("Copy Fail") in ROSA Classic and OpenShift Dedicated

Root Cause

The flaw allows the kernel to accidentally overwrite its protected memory with temporary data while processing certain encryption tasks. The current mitigation requires a reboot to take effect.


Diagnostic Steps

  • Check the running kernel version. If it matches the patched kernel version for the RHEL release, or is newer, the system is not affected.

    uname -r
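
The diagnostic step above as a script. This is an added example, not Red Hat tooling: it compares a kernel release string with the patched versions listed in the table on this page and checks a kernel command line for the legacy mitigation argument. The function names are hypothetical, and `sort -V` is assumed to order these version strings the way RPM does.

```shell
#!/bin/sh
# Added example. Fixed versions are copied from the table in this article.
# Prints one of: not-affected | patched | vulnerable | unknown
copyfail_kernel_status() (
    rel=$1
    ver=${rel%%.el*}      # 5.14.0-427.124.1.el9_4.x86_64 -> 5.14.0-427.124.1
    tag=${rel#"$ver".}    # -> el9_4.x86_64
    tag=${tag%%.*}        # -> el9_4
    fixed=
    case $tag in          # first match wins: EUS/E4S streams before the catch-all
        el[1-7]|el[1-7]_*) fixed=none ;;          # vulnerable code not present
        el8_8)        fixed=4.18.0-477.139.1 ;;   # RHEL 8.8 E4S
        el8|el8_*)    fixed=4.18.0-553.123.1 ;;   # RHEL 8
        el9_2)        fixed=5.14.0-284.169.1 ;;   # RHEL 9.2 E4S
        el9_4)        fixed=5.14.0-427.124.1 ;;   # RHEL 9.4 EUS
        el9_6)        fixed=5.14.0-570.112.1 ;;   # RHEL 9.6 EUS
        el9|el9_*)    fixed=5.14.0-687.5.3 ;;     # RHEL 9
        el10_0)       fixed=6.12.0-55.71.1 ;;     # RHEL 10.0 EUS
        el10|el10_*)  fixed=6.12.0-211.7.3 ;;     # RHEL 10
    esac
    # Assumption: sort -V orders these strings as RPM would. If the fixed
    # version sorts first (or is equal), the given kernel is at or above it.
    if [ -z "$fixed" ]; then echo unknown
    elif [ "$fixed" = none ]; then echo not-affected
    elif [ "$(printf '%s\n%s\n' "$fixed" "$ver" | sort -V | head -n 1)" = "$fixed" ]
    then echo patched
    else echo vulnerable
    fi
)

# Succeeds if the command line in $1 blacklists algif_aead_init
# (initcall_blacklist takes a comma-separated list).
copyfail_mitigation_set() {
    for arg in $1; do
        case $arg in
            initcall_blacklist=*)
                case ",${arg#*=}," in *,algif_aead_init,*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# Report on the running system (the running kernel, not just the installed one).
echo "kernel $(uname -r): $(copyfail_kernel_status "$(uname -r)")"
if copyfail_mitigation_set "$(cat /proc/cmdline 2>/dev/null)"
then echo "legacy mitigation: boot argument present"
else echo "legacy mitigation: boot argument absent"
fi
```

A `patched` result together with "boot argument present" means the mitigation can be reverted as described in "Reverting the Mitigation".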
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.