CVE-2026-31431 Mitigation for Managed OpenShift (Zero-Reboot BPF LSM DaemonSet)

Solution Verified - Updated

Environment

  • Red Hat OpenShift Service on AWS (ROSA Classic)
    • 4
  • Red Hat OpenShift on AWS with Hosted Control Plane (ROSA HCP)
    • 4
  • Azure Red Hat OpenShift (ARO)
    • 4
  • Red Hat OpenShift Dedicated (OSD)
    • 4

Issue

All OpenShift clusters are confirmed to be affected by CVE-2026-31431 ("Copy Fail"), which has been classified as an important vulnerability.

Red Hat is developing a fix for the CVE that will be released in z-streams for OpenShift 4.16, 4.18, 4.19, 4.20, and 4.21. Until the fix is released, a mitigation can be applied to the cluster to disable the affected component.

Resolution

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

Red Hat has released OpenShift updates that include patched kernels. The following versions contain the fix:

OpenShift release   Fixed version   Errata
4.21                4.21.14         RHSA-2026:13811
4.20                4.20.21         RHSA-2026:13862
4.19                4.19.30         RHSA-2026:13690
4.18                4.18.40         RHSA-2026:13727
4.16                4.16.61         RHSA-2026:13729

NOTES:

  • The recommendation is to upgrade any affected cluster to an OpenShift release that includes the fix (see version list above).
  • For clusters that cannot be immediately upgraded, a mitigation is available as detailed below.

Overview

Note: for self-managed OpenShift, please refer to how to mitigate the Copy Fail CVE-2026-31431 in OpenShift 4.

This article provides, for managed OpenShift clusters, a zero-reboot, BPF LSM (Linux Security Module) based mitigation for CVE-2026-31431 ("Copy Fail"), a privilege escalation vulnerability in the Linux kernel's algif_aead cryptographic interface.

The mitigation is deployed as a privileged OpenShift DaemonSet that installs a BPF LSM program on every node. This program hooks the socket_bind operation and blocks all AF_ALG AEAD (Authenticated Encryption with Associated Data) binds, including nested templates, effectively neutralizing the exploit vector. Other AF_ALG functionality (hash, skcipher) remains unaffected.

Key benefit: Protection is applied immediately to all processes on all nodes without requiring any node reboots, node drains, or application restarts.

The BPF LSM blocker DaemonSet can be deployed by the steps outlined in this article and is supported on OpenShift versions 4.16 and later.

Note: This mitigation can be deployed on x86_64 (Intel and AMD) nodes without rebooting the node, which may be desirable to avoid workload disruption. However, the DaemonSet is not guaranteed to be scheduled before vulnerable workloads start during reboots or node scale-up, and it may be evicted depending on cluster configuration. Closely monitor DaemonSet health to ensure ongoing protection. This mitigation currently does not apply to ARM64, ppc64le, or s390x nodes.

Mitigation Steps

The BPF LSM approach hooks socket_bind at the kernel level and blocks all AF_ALG AEAD binds regardless of template nesting. It is based on the block-copyfail project on GitHub, rewritten in C with libbpf for OpenShift deployment.
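The following C program is an added example, not code from this article or from the block-copyfail project: it models in user space the decision the BPF LSM socket_bind hook is described as making (deny every AF_ALG bind whose salg_type is "aead", pass hash and skcipher binds and all non-AF_ALG families through). The AF_ALG constant (38) and the sockaddr_alg layout are the Linux uapi values, defined locally so the file builds anywhere; the function and type names are the example's own, and the assumption that the rule keys on salg_type rather than on the algorithm name is how "regardless of template nesting" reads.

```c
/* User-space model of the block-copyfail bind policy (example code, not the
 * project's BPF program). Returns what an LSM hook would: 0 to allow,
 * -EPERM to deny. Sample sockaddr values below are constructed for the demo. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Linux uapi values, copied here so the file needs no kernel headers
 * (<sys/socket.h> AF_ALG, <linux/if_alg.h> struct sockaddr_alg). */
#define AF_ALG_LOCAL 38

struct sockaddr_alg_local {
    uint16_t salg_family;
    uint8_t  salg_type[14];   /* "aead", "hash", "skcipher", "rng", ... */
    uint32_t salg_feat;
    uint32_t salg_mask;
    uint8_t  salg_name[64];   /* algorithm/template spec, e.g. "rfc4106(gcm(aes))" */
};

/* Mirror of the socket_bind decision. Only AF_ALG sockets are inspected. */
static int copyfail_socket_bind(const void *address, int addrlen)
{
    const struct sockaddr_alg_local *sa = address;

    /* Too short to carry salg_type, or not AF_ALG: not this hook's concern. */
    if (addrlen < (int)(sizeof(sa->salg_family) + sizeof(sa->salg_type)))
        return 0;
    if (sa->salg_family != AF_ALG_LOCAL)
        return 0;

    /* Key on salg_type, not salg_name: a nested template such as
     * rfc4106(gcm(aes)) is denied exactly like plain gcm(aes). */
    char type[sizeof(sa->salg_type) + 1];
    memcpy(type, sa->salg_type, sizeof(sa->salg_type));
    type[sizeof(sa->salg_type)] = '\0';

    if (strcmp(type, "aead") == 0)
        return -EPERM;

    return 0;
}

/* Build a sockaddr_alg for a given family/type/name (constructed sample input). */
static struct sockaddr_alg_local make_alg_addr(uint16_t family, const char *type,
                                               const char *name)
{
    struct sockaddr_alg_local sa;
    memset(&sa, 0, sizeof(sa));
    sa.salg_family = family;
    strncpy((char *)sa.salg_type, type, sizeof(sa.salg_type) - 1);
    strncpy((char *)sa.salg_name, name, sizeof(sa.salg_name) - 1);
    return sa;
}

/* Decision for an AF_ALG bind of the given type and algorithm name. */
static int decide(const char *type, const char *name)
{
    struct sockaddr_alg_local sa = make_alg_addr(AF_ALG_LOCAL, type, name);
    return copyfail_socket_bind(&sa, (int)sizeof(sa));
}

/* Decision for a bind in some other address family (should always pass). */
static int decide_other_family(uint16_t family)
{
    struct sockaddr_alg_local sa = make_alg_addr(family, "aead", "gcm(aes)");
    return copyfail_socket_bind(&sa, (int)sizeof(sa));
}

int main(void)
{
    const char *cases[][2] = {
        { "aead",     "gcm(aes)" },
        { "aead",     "rfc4106(gcm(aes))" },
        { "hash",     "sha256" },
        { "skcipher", "cbc(aes)" },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int rc = decide(cases[i][0], cases[i][1]);
        printf("%-9s %-20s -> %s\n", cases[i][0], cases[i][1],
               rc == 0 ? "allow" : "deny (EPERM)");
    }
    return 0;
}
```

The same check, placed in an `SEC("lsm/socket_bind")` program under the real DaemonSet, is what makes every AF_ALG AEAD bind on the node fail with EPERM while hash and skcipher users keep working; running the model locally is a quick way to confirm which requests the policy covers before relying on it.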

The BPF LSM blocker DaemonSet can be deployed by following the steps outlined here and is supported on OpenShift versions 4.16 and later.

Note: The mitigation does not apply to ROSA HCP clusters with zero egress enabled.

Step 1: Download the daemonset.yaml manifest file on your local machine from GitHub and apply it. This will create the necessary resources (Namespace, SCC, DaemonSet) to run the mitigation workload.

Note: To ensure a DaemonSet runs on all OpenShift nodes, you must configure appropriate tolerations to match any taints present on your nodes.

git clone https://github.com/openshift/block-copyfail
cd block-copyfail
# git clone has no --rev option; check out the pinned commit after cloning
git checkout be0405bb6521eaf226663652f1f6254c11931bc8
oc apply -f daemonset.yaml

Step 2: Verify Pod Deployment
Wait for the DaemonSet pods to enter the Running state on all scheduled nodes.

oc get pods -n cve-2026-31431-mitigation-ebpf -o wide

Expected Output: One pod per node, all showing Running.

NAME                   READY   STATUS    AGE   NODE
block-copyfail-2jhzf   1/1     Running   34s   ci-...-master-2
block-copyfail-4dfq7   1/1     Running   34s   ci-...-master-1
block-copyfail-c2ts8   1/1     Running   34s   ci-...-worker-c
block-copyfail-ctblk   1/1     Running   34s   ci-...-worker-a
block-copyfail-m26sx   1/1     Running   34s   ci-...-worker-b
block-copyfail-xsh6d   1/1     Running   34s   ci-...-master-0

Step 3: Verify Blocker is Active
Check the logs of any running pod to confirm the BPF LSM program is loaded and active.

oc logs -n cve-2026-31431-mitigation-ebpf -l app=block-copyfail

Expected output

block-copyfail: blocker active — all AF_ALG AEAD binds blocked

The mitigation is now active cluster-wide.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.