Mitigation and Remediation for CVE-2026-31431 ("Copy Fail") in ROSA Hosted Control Planes
Environment
- Red Hat OpenShift on AWS with Hosted Control Plane (ROSA HCP)
- 4.x
Issue
- ROSA HCP clusters are confirmed to be affected by CVE-2026-31431 ("Copy Fail"), which has been classified as an important vulnerability.
Resolution
Red Hat has released OpenShift updates that include patched kernels. The following versions contain the fix:
| OpenShift release | Fixed version | Errata |
|---|---|---|
| 4.21 | 4.21.14 | RHSA-2026:13811 |
| 4.20 | 4.20.21 | RHSA-2026:13862 |
| 4.19 | 4.19.30 | RHSA-2026:13690 |
| 4.18 | 4.18.40 | RHSA-2026:13727 |
| 4.16 | 4.16.61 | RHSA-2026:13729 |
NOTE:
- You should upgrade your cluster to an OpenShift release that includes the fix (see version list above).
- For clusters that cannot be upgraded immediately, a mitigation is available as detailed below.
Mitigation Steps
- Control Plane Nodes: The mitigation has been applied by Red Hat.
- Worker Nodes: Customers will need to apply the mitigation at a time of their choosing.
NOTE: If workloads in your cluster use AEAD (Authenticated Encryption with Associated Data) algorithms through the kernel's AF_ALG interface, do not apply this mitigation, because it disables that interface for AEAD ciphers.
The mitigation adds a kernel command line argument that prevents the algif_aead module from initializing (by blacklisting its initcall, algif_aead_init). Once this configuration is applied, the worker nodes reboot sequentially.
Note: An alternative mitigation approach is also available that does not require a node reboot. The details of this mitigation approach are available in this Knowledgebase article.
The mitigation for worker nodes uses the Node Tuning Operator, driven by a tuning config created with the ROSA CLI, to update the MachineConfig of the selected machine pools.
- Create the tuning config and apply to each affected node pool
$ cat <<EOF > hcp-cve-tuning.json
{
  "profile": [
    {
      "data": "[main]\nsummary=Disable algif_aead for HCP\n[bootloader]\ncmdline_disable_algif=initcall_blacklist=algif_aead_init\n",
      "name": "disable-algif-profile"
    }
  ],
  "recommend": [
    {
      "priority": 10,
      "profile": "disable-algif-profile"
    }
  ]
}
EOF
$ rosa create tuning-config --cluster=mycluster --name=mitigate-cve --spec-path=hcp-cve-tuning.json
I: Tuning config 'mitigate-cve' has been created on cluster 'mycluster'.
I: To view all tuning configs, run 'rosa list tuning-configs -c mycluster'
$ rosa edit machinepool --cluster=mycluster --tuning-configs=mitigate-cve workers
I: Updated machine pool 'workers' on hosted cluster 'mycluster'
Note: replace mycluster with the name of your cluster, and workers with the name of each affected machine pool.
Important: editing the machinepool will result in a rolling recreation of all the nodes in the pool.
- Confirm that the edit succeeded by checking the kernel arguments and/or kernel ring buffer
$ oc debug node/"$WORKER_NODE" -- chroot /host cat /proc/cmdline | grep initcall_blacklist
Starting pod/$WORKER_NODE ...
To use host binaries, run `chroot /host`.
BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos/vmlinuz-5.14.0-570.107.1.el9_6.x86_64 rw ostree=/ostree/boot.0/rhcos/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=1234 rw rootflags=prjquota boot=UUID=4567 initcall_blacklist=algif_aead_init systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all
$ oc debug node/"$WORKER_NODE" -- chroot /host dmesg | grep -i "blacklisted"
Starting pod/$WORKER_NODE ...
To use host binaries, run `chroot /host`.
[ 1.697801] initcall algif_aead_init blacklisted
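The two checks above can be scripted so the result is a pass/fail per node rather than eyeballed output. The following is an added example, not part of the Red Hat article: it parses the kernel command line as tokens (so a comma-separated initcall_blacklist list is handled, and a longer function name containing the same prefix is not mistaken for a match), checks the ring buffer line, and optionally loops over every worker node with oc. The worker label selector and the use of oc debug are assumptions about your environment.

```shell
#!/bin/sh
# Added example (not Red Hat's code): verify the "Copy Fail" mitigation on ROSA HCP
# worker nodes from /proc/cmdline and dmesg output.

# Return 0 if the kernel cmdline in $1 blacklists algif_aead_init.
# Walks each token, and for initcall_blacklist= splits the comma-separated list,
# so "initcall_blacklist=foo_init,algif_aead_init" matches and
# "initcall_blacklist=algif_aead_init_other" does not.
cmdline_has_mitigation() {
    for tok in $1; do
        case "$tok" in
            initcall_blacklist=*)
                list=${tok#initcall_blacklist=}
                old_ifs=$IFS; IFS=,
                for fn in $list; do
                    [ "$fn" = "algif_aead_init" ] && { IFS=$old_ifs; return 0; }
                done
                IFS=$old_ifs
                ;;
        esac
    done
    return 1
}

# Return 0 if the dmesg output in $1 records the initcall being skipped at boot.
dmesg_has_mitigation() {
    printf '%s\n' "$1" | grep -q 'initcall algif_aead_init blacklisted'
}

# Check every worker node in the cluster (assumption: oc is logged in and the
# worker nodes carry the node-role.kubernetes.io/worker label). Returns 1 if
# any node lacks the kernel argument.
check_worker_nodes() {
    rc=0
    for node in $(oc get nodes -l node-role.kubernetes.io/worker= -o name); do
        cmdline=$(oc debug "$node" -- chroot /host cat /proc/cmdline 2>/dev/null)
        if cmdline_has_mitigation "$cmdline"; then
            echo "$node: mitigated"
        else
            echo "$node: NOT mitigated"
            rc=1
        fi
    done
    return $rc
}
```

Only check_worker_nodes talks to a cluster; the two helpers can be run against captured output, for example before and after editing the machine pool.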
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.