Mitigating 'Copy Fail' Vulnerability (CVE-2026-31431) using Advanced Cluster Management Governance Policy
Environment
- Red Hat Advanced Cluster Management for Kubernetes (RHACM) 2.11+
- Red Hat OpenShift Container Platform (RHOCP) 4
Issue
This article outlines two mitigation strategies for the "Copy Fail" vulnerability (CVE-2026-31431, referenced in RHSB-2026-02 and Red Hat Knowledgebase article 7141931) using a Governance Policy within Red Hat Advanced Cluster Management for Kubernetes (ACM). Access to the vulnerable kernel functions can be blocked either through a kernel argument (which requires a node reboot) or via a DaemonSet that loads a small eBPF program (no reboot). For more details on mitigations for OpenShift, refer to the solution How to Mitigate issue mentioned in CVE-2026-31431 in OpenShift 4.
Resolution
A key aspect of the "Copy Fail" vulnerability is the availability of the AF_ALG socket to unprivileged users. Two options are provided below to block access to the vulnerable kernel functions. Both make the AF_ALG AEAD interface unavailable to every process on the node, so any workload that legitimately relies on that interface is affected as well. By using an ACM governance policy, either option can be applied automatically to the managed fleet of OpenShift clusters.
Prerequisites
Red Hat Advanced Cluster Management for Kubernetes (ACM) must be installed and managing the target cluster(s).
The target clusters must be OpenShift 4.x clusters supported by ACM.
Solution 1
The following is a sample ACM Governance Policy that deploys an eBPF program as a DaemonSet. This mitigation applies to AMD64 nodes without rebooting them, which may be desirable to avoid workload disruption. However, the DaemonSet cannot be guaranteed to be running before vulnerable workloads start during node reboots or scale-up, and it may be evicted depending on cluster configuration. Monitor DaemonSet health closely to ensure ongoing protection. This option does not currently deploy on ARM64, ppc64le, or s390x nodes; those nodes are excluded by the node affinity below and remain unmitigated until Solution 2 or a patched kernel is applied.
```yaml
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-prevent-copy-fail-cve-ds
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: SI System and Information Integrity
    policy.open-cluster-management.io/controls: SI-5 Security Alerts Advisories and Directives
    policy.open-cluster-management.io/description: This policy deploys a mitigation
      for CVE-2026-31431 which runs a BPF LSM DaemonSet that blocks all AF_ALG AEAD binds
      on the cluster nodes. This update does not require rebooting nodes. The policy
      is set to inform by default and can be enforced when you are prepared to apply the
      DaemonSet to your clusters.
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: prevent-copy-fail-cve-ds
        spec:
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Namespace
                metadata:
                  name: cve-2026-31431-mitigation-ebpf
                  labels:
                    pod-security.kubernetes.io/enforce: privileged
                    pod-security.kubernetes.io/audit: privileged
                    pod-security.kubernetes.io/warn: privileged
                  annotations:
                    kubernetes.io/description: Remediating CVE-2026-31431 with an eBPF DaemonSet. This is a temporary workaround until the cluster can be updated to pick up a patched kernel.
            - complianceType: musthave
              objectDefinition:
                apiVersion: rbac.authorization.k8s.io/v1
                kind: RoleBinding
                metadata:
                  name: system:openshift:scc:privileged
                  namespace: cve-2026-31431-mitigation-ebpf
                  annotations:
                    kubernetes.io/description: Remediating CVE-2026-31431 with an eBPF DaemonSet. This is a temporary workaround until the cluster can be updated to pick up a patched kernel.
                roleRef:
                  apiGroup: rbac.authorization.k8s.io
                  kind: ClusterRole
                  name: system:openshift:scc:privileged
                subjects:
                  - kind: ServiceAccount
                    name: default
                    namespace: cve-2026-31431-mitigation-ebpf
            - complianceType: musthave
              objectDefinition:
                apiVersion: apps/v1
                kind: DaemonSet
                metadata:
                  name: cve-2026-31431-mitigation-ebpf
                  namespace: cve-2026-31431-mitigation-ebpf
                  labels:
                    app: block-copyfail
                  annotations:
                    kubernetes.io/description: Remediating CVE-2026-31431 with an eBPF DaemonSet. This is a temporary workaround until the cluster can be updated to pick up a patched kernel.
                spec:
                  selector:
                    matchLabels:
                      app: block-copyfail
                  template:
                    metadata:
                      labels:
                        app: block-copyfail
                    spec:
                      affinity:
                        nodeAffinity:
                          requiredDuringSchedulingIgnoredDuringExecution:
                            nodeSelectorTerms:
                              - matchExpressions:
                                  - key: kubernetes.io/arch
                                    operator: NotIn
                                    values:
                                      - arm64
                                      - ppc64le
                                      - s390x
                                  - key: kubernetes.io/os
                                    operator: In
                                    values:
                                      - linux
                      priorityClassName: system-node-critical
                      tolerations:
                        - operator: Exists
                      containers:
                        - name: blocker
                          image: registry.redhat.io/openshift4/ose-block-copyfail-rhel9@sha256:2ad45164bed4ef8b8661175ac02e891b8bf2bdcdf69bed3526777b4746c3b46a
                          securityContext:
                            privileged: true
                          volumeMounts:
                            - name: bpf
                              mountPath: /sys/fs/bpf
                            - name: btf
                              mountPath: /sys/kernel/btf/vmlinux
                              readOnly: true
                          resources:
                            requests:
                              cpu: 10m
                              memory: 32Mi
                            limits:
                              cpu: 100m
                              memory: 64Mi
                      volumes:
                        - name: bpf
                          hostPath:
                            path: /sys/fs/bpf
                            type: DirectoryOrCreate
                        - name: btf
                          hostPath:
                            path: /sys/kernel/btf/vmlinux
                            type: File
                      terminationGracePeriodSeconds: 5
          remediationAction: enforce
          severity: high
  remediationAction: inform
```
Solution 2
The following is a sample ACM Governance Policy that defines a MachineConfig which mitigates the Copy Fail vulnerability once the policy is enforced. The MachineConfig adds a kernel argument, so the Machine Config Operator reboots every node in the targeted pool to apply it. The policy is set to inform by default, which means it will not create the MachineConfig (and therefore will not trigger those reboots) until you switch the policy to enforce.
```yaml
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-prevent-copy-fail-cve
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: SI System and Information Integrity
    policy.open-cluster-management.io/controls: SI-5 Security Alerts Advisories and Directives
    policy.open-cluster-management.io/description: This policy deploys a mitigation
      for CVE-2026-31431 by applying an OpenShift MachineConfig that makes an update
      to the cluster nodes. This update will cause the nodes to reboot. The policy
      is set to inform by default and can be enforced when you are prepared for the
      nodes to be restarted.
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: prevent-copy-fail-cve
        spec:
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: machineconfiguration.openshift.io/v1
                kind: MachineConfig
                metadata:
                  labels:
                    machineconfiguration.openshift.io/role: worker # Repeat for 'master' if needed
                  name: 99-disable-algif-builtin
                spec:
                  kernelArguments:
                    - initcall_blacklist=algif_aead_init
          remediationAction: enforce
          severity: high
  remediationAction: inform
```
Procedure
- Create the Policy YAML: download the desired policy from one of the solutions above and save it to a file named copy-fail-mitigation-policy.yaml.
- Apply the Policy: apply the policy to your ACM hub cluster, in the namespace where you author policies:
```
oc apply -n <namespace> -f copy-fail-mitigation-policy.yaml
```
- Target the managed clusters: navigate to the Advanced Cluster Management web console's Governance page and select Policies. Select the policy you applied (policy-prevent-copy-fail-cve or policy-prevent-copy-fail-cve-ds) from the list and choose the action to edit it. In the Edit policy wizard, make any adjustments desired and define Placement details that send the policy to the OpenShift managed clusters where mitigation is needed. Refer back to How to Mitigate issue mentioned in CVE-2026-31431 in OpenShift 4 if you need to diagnose whether nodes are impacted, and configure your placement selectors to select only the clusters that need the mitigation.
- Enforce the remediation: after completing the Edit policy wizard, the ACM policy controller pushes the governance policy to all clusters targeted by the Placement you configured. Because the policy is in inform mode, it initially reports NonCompliant and changes nothing on the managed clusters; you decide when to apply the remediation. When you are ready, select the Remediation -> Enforce action on the policy. Attention: for Solution 2, this causes a reboot of all nodes targeted by the MachineConfig across every cluster targeted by the Placement!
- Allow time for rollout: the policy becomes Compliant once it has created the requested resources on the managed clusters. For both Solutions this happens quickly, but Compliant only means the Namespace, RoleBinding and DaemonSet (Solution 1) or the MachineConfig (Solution 2) exist. The DaemonSet pods still have to be scheduled and become Ready on each node, and the Machine Config Operator still has to render the new configuration and reboot each node in the pool, so the nodes are not protected at the moment the policy turns Compliant.
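The gap between "Compliant" and "actually mitigated" can be closed by reading the rollout status of the objects the policy created on each managed cluster. The following Python is an added example and is not part of the original article or of ACM: it evaluates the JSON printed by `oc get daemonset -n cve-2026-31431-mitigation-ebpf cve-2026-31431-mitigation-ebpf -o json` (Solution 1), `oc get machineconfigpool worker -o json` (Solution 2), or `oc get machineconfig <name> -o json` for the pool's rendered config. The two JSON documents embedded in it are constructed samples, not captured cluster output, and the rendered-config name in them is a placeholder.

```python
import json
import sys

KARG = "initcall_blacklist=algif_aead_init"


def daemonset_rolled_out(ds):
    """Solution 1: every node the DaemonSet targets must run a ready, up-to-date pod.
    desiredNumberScheduled already excludes the arm64/ppc64le/s390x nodes skipped by
    the nodeAffinity, so compare against it rather than against the node count."""
    st = ds.get("status", {})
    desired = st.get("desiredNumberScheduled", 0)
    return (
        desired > 0
        and st.get("numberReady", 0) == desired
        and st.get("updatedNumberScheduled", 0) == desired
        and st.get("numberUnavailable", 0) == 0
    )


def mcp_updated(mcp):
    """Solution 2: the MachineConfigPool must have finished rolling the config to
    every machine and must not be degraded. Updated=True alone is not enough while
    readyMachineCount still lags (nodes mid-reboot)."""
    st = mcp.get("status", {})
    conds = {c.get("type"): c.get("status") for c in st.get("conditions", [])}
    total = st.get("machineCount", 0)
    return (
        total > 0
        and st.get("updatedMachineCount", 0) == total
        and st.get("readyMachineCount", 0) == total
        and st.get("degradedMachineCount", 0) == 0
        and conds.get("Updated") == "True"
        and conds.get("Degraded") != "True"
    )


def machineconfig_has_karg(mc):
    """True when a MachineConfig (99-disable-algif-builtin, or the rendered config
    named in the pool's status.configuration.name) carries the kernel argument."""
    return KARG in mc.get("spec", {}).get("kernelArguments", [])


# Constructed samples (not real cluster output): a DaemonSet with one pod not yet
# Ready, and a worker pool that has fully converged.
SAMPLE_DS = json.loads("""{
  "kind": "DaemonSet",
  "status": {"desiredNumberScheduled": 6, "currentNumberScheduled": 6,
             "numberReady": 5, "updatedNumberScheduled": 6,
             "numberUnavailable": 1, "numberMisscheduled": 0}
}""")

SAMPLE_MCP = json.loads("""{
  "kind": "MachineConfigPool",
  "status": {"machineCount": 3, "updatedMachineCount": 3, "readyMachineCount": 3,
             "unavailableMachineCount": 0, "degradedMachineCount": 0,
             "configuration": {"name": "rendered-worker-example"},
             "conditions": [{"type": "Updated", "status": "True"},
                            {"type": "Updating", "status": "False"},
                            {"type": "Degraded", "status": "False"}]}
}""")

SAMPLE_MC = {"kind": "MachineConfig", "spec": {"kernelArguments": [KARG]}}


def verdict(obj):
    """Dispatch on kind so one script accepts any of the three objects:
    oc get ... -o json | python3 rollout_check.py"""
    kind = obj.get("kind")
    if kind == "DaemonSet":
        return "mitigated" if daemonset_rolled_out(obj) else "rolling-out"
    if kind == "MachineConfigPool":
        return "mitigated" if mcp_updated(obj) else "rolling-out"
    if kind == "MachineConfig":
        return "has-karg" if machineconfig_has_karg(obj) else "missing-karg"
    return "unknown-kind"


if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DS
    print(verdict(data))
```

Run it against each managed cluster's kubeconfig in turn (the hub's Compliant state does not expose these counters), and treat anything other than "mitigated" as still vulnerable. For Solution 2, also feed it the rendered MachineConfig to confirm the kernel argument survived rendering.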
Verification
- Navigate to the ACM console and view the "Governance" section.
- Locate the policy named policy-prevent-copy-fail-cve or policy-prevent-copy-fail-cve-ds.
- Ensure the policy is Compliant on the target managed clusters. The compliance state confirms that the requested resources were created on those clusters; it does not confirm that the DaemonSet pods are Ready on every node or that the MachineConfigPool has finished rebooting its nodes, so check those on the managed clusters before considering them mitigated.
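Compliance describes the policy, not the kernel. To confirm on a node that the vulnerable interface is really unreachable, probe it the way an unprivileged process would. The following Python is an added example, not from the article or from Red Hat's mitigation image: it reports whether /proc/cmdline carries the Solution 2 kernel argument and whether an AF_ALG AEAD bind (the operation both mitigations are meant to prevent) is refused. Assumptions: it runs on the node, for example from `oc debug node/<node>` (the debug pod shares the node kernel, so the bind probe needs no `chroot /host`); `python3` exists in the debug image; `gcm(aes)` is available in the node kernel; and the eBPF mitigation denies the bind with EPERM while the initcall blacklist leaves no `aead` socket type to bind, giving ENOENT. That errno mapping is an assumption, not taken from the page.

```python
import errno
import socket


def cmdline_has_blacklist(cmdline):
    """Solution 2 check. initcall_blacklist= takes a comma-separated list, so parse
    the value rather than substring-matching the whole command line."""
    for tok in cmdline.split():
        if tok.startswith("initcall_blacklist="):
            if "algif_aead_init" in tok.split("=", 1)[1].split(","):
                return True
    return False


def probe_af_alg_aead(alg="gcm(aes)"):
    """Attempt the AF_ALG AEAD bind an unprivileged process would use.
    Returns 'blocked' when the kernel refuses it (mitigation active),
    'allowed' when the bind succeeds (vulnerable path reachable), or
    'unavailable' when AF_ALG cannot be exercised here (no AF_ALG support,
    seccomp, sandbox), in which case nothing was learned."""
    if not hasattr(socket, "AF_ALG"):
        return "unavailable"
    try:
        s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError:
        return "unavailable"
    try:
        s.bind(("aead", alg))
        return "allowed"
    except OSError as e:
        # Assumption (not from the article): the BPF LSM hook rejects the bind
        # with EPERM/EACCES; with algif_aead blacklisted no 'aead' type is
        # registered and the bind fails with ENOENT. ENOENT would also appear
        # if the named algorithm were missing, hence the gcm(aes) default.
        if e.errno in (errno.EPERM, errno.EACCES, errno.ENOENT):
            return "blocked"
        return "unavailable"
    finally:
        s.close()


def node_report(cmdline_path="/proc/cmdline"):
    """Combine both checks into the record a fleet loop would collect per node."""
    try:
        with open(cmdline_path) as f:
            cmdline = f.read()
    except OSError:
        cmdline = ""
    return {
        "kernel_arg_present": cmdline_has_blacklist(cmdline),
        "af_alg_aead_bind": probe_af_alg_aead(),
    }


if __name__ == "__main__":
    report = node_report()
    print(report)
    # Non-zero exit unless the vulnerable bind is demonstrably refused, so the
    # probe can gate a loop over `oc get nodes -o name`.
    raise SystemExit(0 if report["af_alg_aead_bind"] == "blocked" else 1)
```

A node running the Solution 1 DaemonSet should report `kernel_arg_present: False` with `af_alg_aead_bind: blocked`; a node rebooted into the Solution 2 MachineConfig should report both `True` and `blocked`. An `allowed` result on any node means that node is still exposed regardless of what the hub shows.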
Root Cause
A flaw was found in the Linux kernel's algif_aead cryptographic algorithm interface. An incorrect 'in-place operation' was introduced, where the source and destination data mappings were different. This could lead to unexpected behavior or data integrity issues during cryptographic operations, potentially impacting the reliability of encrypted communications.
Refer to additional resources for the "Copy Fail" vulnerability:
- CVE-2026-31431, referenced in RHSB-2026-02
- Red Hat Knowledgebase article 7141931
Diagnostic Steps
Refer to the OpenShift diagnostic steps provided in the solution How to Mitigate issue mentioned in CVE-2026-31431 in OpenShift 4.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.