We want to make you aware of a recently disclosed Linux kernel vulnerability called Copy Fail (CVE-2026-31431), and share steps to ensure your LiteSpeed-powered server is as protected as possible.
WHAT IS COPY FAIL?
Copy Fail is a high-severity Linux kernel vulnerability (CVSS 7.8) disclosed on April 29, 2026 by researchers at Theori and Xint. It affects virtually all major Linux distributions — including RHEL, CloudLinux, Rocky Linux, Ubuntu, and Amazon Linux — running kernels shipped since 2017.
The flaw exists in the kernel's cryptographic subsystem (algif_aead module) and allows an unprivileged local user to corrupt the page cache of any readable setuid binary, escalating their privileges to root. A working public exploit — just 732 bytes of Python — is already available, making this a serious and practical threat wherever unpatched kernels are in use.
HOW DOES THIS RELATE TO LITESPEED?
To be clear: this is not a LiteSpeed vulnerability. LiteSpeed Enterprise is not at fault, and there are no known exploits targeting our software directly. However, in environments where LiteSpeed Enterprise is installed on cPanel servers with CloudLinux + CageFS, the lscgid binary at /usr/local/lsws/bin/ is mounted inside CageFS with setuid permissions and could serve as a target for the Copy Fail exploit.
The good news: the setuid permission on lscgid is no longer functionally required. LiteSpeed now handles suEXEC through the running lscgid process directly, so the suid bit can be safely removed with no impact to your server's operation. We are also working with CloudLinux to further tighten the CageFS mount scope for /usr/local/lsws going forward.
WHAT YOU SHOULD DO
Step 1 – Patch the Copy Fail Vulnerability at the OS Level
For CentOS / RHEL / Rocky Linux / CloudLinux:
sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
sudo reboot
Note: This requires a reboot. Please schedule during a maintenance window.
For AlmaLinux:
A patched kernel is available; see the AlmaLinux advisory for the update steps: https://almalinux.org/blog/2026-05-01-cve-2026-31431-copy-fail/
For Ubuntu:
apt update
apt install -y kmod
Step 2 – Harden the lscgid Binary (choose one)
Option A — Upgrade to LiteSpeed Enterprise 6.3.5 Build 5 (Recommended)
The upgrade automatically handles the setuid permission removal for you:
/usr/local/lsws/admin/misc/lsup.sh -f -v 6.3.5
Option B — Quick Fix (if not ready to upgrade)
Manually remove the setuid permission now, and upgrade at your next maintenance window:
chmod u-s /usr/local/lsws/bin/lscgid.*
You only need to do one of the above — not both.
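A post-remediation check covering both steps, added here as a constructed example rather than LiteSpeed's own tooling: it verifies that the kernel command line carries the initcall_blacklist from Step 1, that the algif_aead module is not loaded, and that no lscgid.* binary under /usr/local/lsws/bin still has the setuid bit. Paths default to the ones named above; each function accepts an override path (an assumption of this script) so it can also be run against test files.

```shell
#!/bin/sh
# Post-remediation checks for the Copy Fail (CVE-2026-31431) advisory.
# Constructed example; paths default to those named in the advisory and
# every function accepts an override path so it can run against test files.

# 0 if the kernel command line (default /proc/cmdline) blacklists algif_aead_init,
# i.e. the grubby mitigation from Step 1 took effect after the reboot.
copyfail_cmdline_mitigated() {
    cmdline_file="${1:-/proc/cmdline}"
    grep -q 'initcall_blacklist=[^ ]*algif_aead_init' "$cmdline_file"
}

# 0 if algif_aead is not listed as a loaded module (default /proc/modules).
# A built-in algif_aead never appears here; the cmdline check covers that case.
copyfail_module_absent() {
    modules_file="${1:-/proc/modules}"
    ! grep -q '^algif_aead ' "$modules_file" 2>/dev/null
}

# Prints every lscgid.* binary under $1 (default /usr/local/lsws/bin) that still
# carries the setuid bit; returns 1 if any were found, 0 if Step 2 is complete.
lscgid_setuid_files() {
    bin_dir="${1:-/usr/local/lsws/bin}"
    found=0
    for f in "$bin_dir"/lscgid.*; do
        [ -e "$f" ] || continue      # glob matched nothing
        if [ -u "$f" ]; then         # -u: set-user-ID bit is set
            echo "$f"
            found=1
        fi
    done
    return "$found"
}

# Human-readable summary of all three checks against the live system.
copyfail_report() {
    if copyfail_cmdline_mitigated; then echo "OK   algif_aead_init is blacklisted on the kernel command line"
    else echo "WARN algif_aead_init not on the kernel command line (Step 1 pending or reboot outstanding)"; fi
    if copyfail_module_absent; then echo "OK   algif_aead module not loaded"
    else echo "WARN algif_aead module is loaded"; fi
    if lscgid_setuid_files >/dev/null; then echo "OK   no setuid lscgid binary in /usr/local/lsws/bin"
    else echo "WARN setuid bit still set on: $(lscgid_setuid_files | tr '\n' ' ')"; fi
}

# Only touch the live system when invoked as: sh copyfail_check.sh --report
if [ "${1:-}" = "--report" ]; then copyfail_report; fi
```

The command-line check only applies where Step 1 used the grubby blacklist; on a distribution that shipped a patched kernel instead, follow that distribution's advisory for the kernel check and rely on the module and setuid checks here.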
We are committed to keeping LiteSpeed-powered servers at the highest standard of security. Please don't hesitate to reach out to our support team if you have any questions or need assistance applying these changes.
Best regards,
LiteSpeed Team