CopyFail on Linux: Are Security Patches Available?
The security flaw CVE-2026-31431, also known as CopyFail, was disclosed on April 29, 2026. The disclosure appears to have caught the maintainers of various Linux distributions off guard. Where do things stand regarding the release of fixes? Let’s take stock.
As a reminder, this Local Privilege Escalation (LPE) vulnerability, present in the Linux kernel cryptographic subsystem (the algif_aead module) since 2017, allows an unprivileged user to become root. It can be exploited locally, but also remotely if it is combined with another vulnerability present in an application (an out-of-date CMS, a vulnerable plugin, etc.).
It is strongly recommended to protect Linux machines against this vulnerability, but are the patches ready? The situation is improving, even if not all fixes are online yet. Here is a summary.
Linux kernel versions affected by CopyFail
Linux kernel 7.0 is not vulnerable to the CopyFail security flaw. More broadly, however, the flaw affects many kernel versions, including LTS releases, and therefore many Linux distributions by extension.
The good news is that Linux kernel versions with long-term support (LTS) have already received a fix. Here are the updated versions that include this patch:
- 6.12 LTS series: fixed in version 6.12.85
- 6.6 LTS series: fixed in version 6.6.137
- 6.1 LTS series: fixed in version 6.1.170
- 5.15 LTS series: fixed in version 5.15.204
- 5.10 LTS series: fixed in version 5.10.254
Warning: distributions using end-of-life (EOL) kernels, such as Linux 6.17 or 6.19 (Ubuntu 25.10, for example), are also vulnerable to this flaw.
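A way to check a kernel release string against the fixed LTS versions above, as an added example that is not part of the original article; the function and status names are this example's own. It compares upstream version numbers only: a distribution kernel with a backported fix can still report an older number, so `below-fix` and `check-vendor` on a distribution kernel mean "look at the vendor's package version".

```shell
#!/bin/sh
# Added example: compare an upstream kernel version with the fixed LTS releases
# listed in the article. Status names are this example's own.

# ver_ge A B: true when A >= B in GNU `sort -V` version order.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# copyfail_lts_status RELEASE -> fixed | below-fix | not-affected | check-vendor
copyfail_lts_status() {
    # Release candidates are ambiguous: the fix first landed in a 7.0 RC.
    case "$1" in *-rc[0-9]*) echo check-vendor; return ;; esac
    # Keep the leading numeric part: 6.12.74+deb13+1-cloud-amd64 -> 6.12.74
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)\{1,2\}\).*/\1/p')
    [ -n "$ver" ] || { echo check-vendor; return; }
    case "$(printf '%s\n' "$ver" | cut -d. -f1,2)" in
        6.12) fixed=6.12.85 ;;
        6.6)  fixed=6.6.137 ;;
        6.1)  fixed=6.1.170 ;;
        5.15) fixed=5.15.204 ;;
        5.10) fixed=5.10.254 ;;
        *)
            # 7.0+ is not vulnerable per the article; other series (EOL or
            # vendor kernels with backports) are not in its LTS list.
            if ver_ge "$ver" 7.0; then echo not-affected
            else echo check-vendor; fi
            return ;;
    esac
    if ver_ge "$ver" "$fixed"; then echo fixed; else echo below-fix; fi
}

# Classify the running kernel when the script is executed.
copyfail_lts_status "$(uname -r)"
```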
CopyFail patches for Linux distributions
This vulnerability affects the Linux kernel, and the problem is that the kernel version used varies from one distribution to another. I would even say from one release of a distribution to another. As a result, maintainers must backport the security fix to the Linux kernel used by their distribution, without skipping the testing phases. This is all the more true because the security fix was initially pushed in a Release Candidate version of Linux kernel 7.0 (still very little used).
The table below may change at any time, but here is the current status as of Tuesday, May 5, 2026.
| Distribution | Affected versions | Patch available? | Patched version / Solution | Link |
|---|---|---|---|---|
| Debian | Bullseye (11), Bookworm (12), Trixie (13), Sid | Yes | 5.10.251-3 (Bullseye), 6.1.170-1 (Bookworm), 6.12.85-1 (Trixie), 7.0.3-1 (Sid). | Debian Security Tracker |
| Ubuntu | All versions before 26.04 (Resolute) | Yes (kmod mitigation + kernel in progress) | The kernel fix is being rolled out. An update to the kmod package has been pushed to disable the vulnerable module. | Ubuntu Security Blog |
| AlmaLinux | AlmaLinux 8, 9 and 10 | Yes | 4.18.0-553.121.1.el8_10 (v8), 5.14.0-611.49.2.el9_7 (v9), 6.12.0-124.52.2.el10_1 (v10). | AlmaLinux Blog |
| Fedora | Fedora 42/43 | Yes | Updated to kernels: 6.18.22+, 6.19.12+ and 7.0+. | Fedora Discussion |
| Arch Linux | Rolling Release / LTS | Yes | Kernel 6.19.12-1 and LTS 6.18.26-1. | Arch Linux Security |
| Red Hat (RHEL), CentOS, Rocky Linux | RHEL 8, 9, 10 and derivatives. | Yes, for some versions. | RHEL 10 patch released on May 5, 2026; RHEL 9 patch released on May 4, 2026. For other versions, fixes are pending. In the meantime, Red Hat and Rocky Linux recommend adding this boot argument: initcall_blacklist=algif_aead_init. | Red Hat CVE / Rocky Forum |
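To confirm that the interim boot argument from the RHEL row is actually in effect for the current boot, the following added example (not from the original article or from any vendor) inspects the text of `/proc/cmdline` and `/proc/modules`. The function names, status names and sample lines are this example's own.

```shell
#!/bin/sh
# Added example: check whether the interim CopyFail mitigation is visible on
# the running system. Status names are this example's own.

# has_boot_blacklist CMDLINE: true when an initcall_blacklist= argument lists
# algif_aead_init (the option takes a comma-separated list of functions).
has_boot_blacklist() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' |
        grep -Eq '^initcall_blacklist=([^,]+,)*algif_aead_init(,.*)?$'
}

# module_loaded MODULES: true when /proc/modules text has an algif_aead entry.
# A kernel with the code built in never shows it here.
module_loaded() {
    printf '%s\n' "$1" |
        awk '$1 == "algif_aead" { found = 1 } END { exit !found }'
}

# copyfail_mitigation_state CMDLINE MODULES
#   -> boot-arg-present | module-loaded | module-not-loaded
copyfail_mitigation_state() {
    if has_boot_blacklist "$1"; then echo boot-arg-present
    elif module_loaded "$2"; then echo module-loaded
    else echo module-not-loaded   # not loaded right now; not proof of a fix
    fi
}

# Constructed /proc/modules sample, used by the checks that follow this block.
SAMPLE_MODULES='af_alg 32768 1 algif_aead, Live 0x0000000000000000
algif_aead 16384 0 - Live 0x0000000000000000'

# Inspect the live system when the script is executed.
copyfail_mitigation_state "$(cat /proc/cmdline 2>/dev/null)" \
                          "$(cat /proc/modules 2>/dev/null)"
```

`/proc/cmdline` only reflects the boot that is currently running, so a boot argument added to the bootloader configuration shows up here only after the next reboot.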
CopyFail patches for NAS systems
The situation on NAS devices is more mixed because it depends on the hardware architecture and the Linux kernel integrated by the vendor. Here is some initial information on this subject for QNAP, Synology and ASUSTOR.
| Manufacturer | System / Versions | Patch available? | Status / Mitigation version | Link to official resource |
|---|---|---|---|---|
| QNAP | QTS | No | Only ARM64 models running QTS are vulnerable, especially those with Linux kernel 5.10. | QNAP Security Advisory |
| Synology | DSM | - | DSM is not affected by this vulnerability. | - |
| ASUSTOR | ADM | Pending, no information found on the web. | - | - |
Installing the CopyFail patch on Debian 13
Finally, let’s look at how to install the CopyFail patch on a Debian 13 machine. Note that installing the security fix requires a reboot (since the change affects the kernel).
You must update the package cache and apply upgrades:
```
sudo apt update && sudo apt upgrade
```

This will install the latest available updates. In the case of Debian 13, the patched version is: 6.12.85-1. To find out the Linux kernel version currently loaded on your machine, run this command:

```
uname -r
6.12.74+deb13+1-cloud-amd64
```

Here, we can see: 6.12.74. This is not the expected version. However, it may simply be a pending reboot... You can check with this command:

```
dpkg -l | grep linux-image
ii linux-image-6.12.74+deb13+1-cloud-amd64 6.12.74-2 amd64 Linux 6.12 for x86-64 cloud (signed)
ii linux-image-6.12.85+deb13-cloud-amd64 6.12.85-1 amd64 Linux 6.12 for x86-64 cloud (signed)
ii linux-image-cloud-amd64 6.12.85-1 amd64 Linux for x86-64 cloud (meta-package)
```

There are indeed two lines referring to the expected version: 6.12.85-1. The ii status at the beginning of the line means the version has been installed and configured, but the reboot is still missing. Reboot and then check the kernel version. It should be better!

```
sudo reboot
uname -r
6.12.85+deb13-cloud-amd64
```

There you have it: you now have the patch for the CopyFail security flaw on your Debian machine.
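The manual check above (running kernel versus installed packages) can be scripted for use across several machines. This is an added example, not part of the original article: the function and status names are its own, and it uses GNU `sort -V` as an approximation of Debian version ordering.

```shell
#!/bin/sh
# Added example: decide from `uname -r` and `dpkg -l` text whether the patched
# kernel is running, installed but awaiting a reboot, or not installed.

# ver_ge A B: true when A >= B in GNU `sort -V` order. This approximates Debian
# version ordering; on a Debian host `dpkg --compare-versions` is exact.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# kernel_patch_state RUNNING DPKG_TEXT FIXED_PKG_VERSION
#   -> patched-running | reboot-pending | update-needed
kernel_patch_state() {
    state=update-needed
    # Keep "release package-version" for installed (ii) versioned images only;
    # meta-packages such as linux-image-cloud-amd64 are skipped.
    pkgs=$(printf '%s\n' "$2" | awk '
        $1 == "ii" && $2 ~ /^linux-image-[0-9]/ {
            sub(/^linux-image-/, "", $2); print $2, $3
        }')
    while read -r release pkgver; do
        [ -n "$release" ] || continue
        ver_ge "$pkgver" "$3" || continue
        if [ "$release" = "$1" ]; then echo patched-running; return; fi
        state=reboot-pending
    done <<EOF
$pkgs
EOF
    echo "$state"
}

# dpkg listing copied from the article (Debian 13 cloud image).
SAMPLE_DPKG='ii linux-image-6.12.74+deb13+1-cloud-amd64 6.12.74-2 amd64 Linux 6.12 for x86-64 cloud (signed)
ii linux-image-6.12.85+deb13-cloud-amd64 6.12.85-1 amd64 Linux 6.12 for x86-64 cloud (signed)
ii linux-image-cloud-amd64 6.12.85-1 amd64 Linux for x86-64 cloud (meta-package)'

# State before the reboot shown in the article.
kernel_patch_state '6.12.74+deb13+1-cloud-amd64' "$SAMPLE_DPKG" '6.12.85-1'
```

On a live Debian 13 host, call it as `kernel_patch_state "$(uname -r)" "$(dpkg -l 'linux-image-*')" 6.12.85-1`.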
If you want to add extra information for a specific OS or product, feel free to comment on this article.


