Revert CVE-2026-31431 ("copy fail") mitigations when EL 9 kernel is updated #13303

New issue

Closed

opened 2026-04-30 21:00:16 +00:00 by adamwill · 2 comments

adamwill commented 2026-04-30 21:00:16 +00:00

Member

Copy link

Description of request

To address CVE-2026-31431 (the so-called "copy fail" local root privilege escalation issue) on sensitive hosts running EL 9, we implemented a kernel arg workaround suggested by jforbes:

grubby --update-kernel /boot/vmlinuz-5.14.0-611.49.1.el9_7.x86_64 --args="initcall_blacklist=algif_aead_init"

since there is no fixed kernel available for EL 9 yet. Once there is a fixed kernel available, we should update the affected hosts to it, drop the initcall_blacklist=algif_aead_init workaround, and reboot them, I guess.

Hosts we did this on:

• bastion01
• bastion02
• batcave01
• people01

### Description of request To address CVE-2026-31431 (the so-called "copy fail" local root privilege escalation issue) on sensitive hosts running EL 9, we implemented a kernel arg workaround suggested by jforbes: ``` grubby --update-kernel /boot/vmlinuz-5.14.0-611.49.1.el9_7.x86_64 --args="initcall_blacklist=algif_aead_init" ``` since there is no fixed kernel available for EL 9 yet. Once there *is* a fixed kernel available, we should update the affected hosts to it, drop the `initcall_blacklist=algif_aead_init` workaround, and reboot them, I guess. Hosts we did this on: * bastion01 * bastion02 * batcave01 * people01

smoliicek added the

points

01

Priority

Low

day-to-day

labels 2026-05-04 19:04:01 +00:00

kevin added this to the Sprint ( 2026-05-04 to 2026-05-18 ) project 2026-05-05 22:43:57 +00:00

kevin commented 2026-05-05 22:44:08 +00:00

Owner

Copy link

Applying the cmdline to just that one kernel means it won't apply to the updated one. :)

I just applied updates (including the patched kernel) on all those, so they should be ready to go back to normal after the next reboot.

Applying the cmdline to just that one kernel means it won't apply to the updated one. :) I just applied updates (including the patched kernel) on all those, so they should be ready to go back to normal after the next reboot.

kevin closed this issue 2026-05-05 22:44:08 +00:00

kevin self-assigned this 2026-05-05 22:44:13 +00:00

adamwill commented 2026-05-05 23:48:11 +00:00

Author

Member

Copy link

Ah, nice, I wasn't sure if the args would be inherited by the newly installed kernel.

Ah, nice, I wasn't sure if the args would be inherited by the newly installed kernel.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

No results found.

Labels

Clear labels   

announcement

  

anubis

Issues related to anubis

  

authentication

Authentication related issues

  

aws

Issues related to Amazon Web Services

  

backlog

Tasks that will take longer then ~4 hours to do

  

blocked

Issue is blocked

  

bodhi

Issues with Bodhi

  

ci

Continuous Integration

  

cloud

Items in FedoraInfraCloud or COmmunishift

  

communishift

issues/questions about os.edorainfracloud.org ( Community OpenShift)

  

copr

COPR system (run by other team)

  

database

Issues related to databases

  

day-to-day

These are small self contained tasks that are part of normal operations, but are async from sprint planning.

  

dc-move

Items related to datacenter move

  

deprecated

Tools which Infrastructure may not be able to fix

  

dev

Tasks requiring some dev work

  

discourse

outsourced tool

  

dns

Changes or problems with DNS

  

downloads

rsync,dl.fp.o,AWS,torrents

  

easyfix

  

epel

Issues relating to epel

  

firmitas

  

forgejo_migration

Request migration to the new forge

  

Gain

High

task that gets us a lot / is important / makes many people happy

  

Gain

Low

tasks that gets us little / isn't very important / makes only 1 person or few happy

  

Gain

Medium

task that gets us some / is somewhat important / makes some people happy

  

gitlab

  

greenwave

Issues with greenwave

  

hardware

Problem is with Fedora Infrastructure Owned/Leased Hardware

  

help wanted

  

high-trouble

task that is complex/long/difficult

  

koji

Issues with the build system

  

koschei

Items needing Koschei team

  

lists

issues with lists

  

low-trouble

task that is easy/short

  

medium-trouble

task that is medium complex / difficult

  

mirrorlists

Way to tell systems where downloads are

  

monitoring

  

Needs investigation

  

odcs

On Demand Compose Service issues

  

OpenShift

Issues with OpenShift

  

ops

ops problem now...

  

outage

  

packager_workflow_blocker

Blocks the packager workflow

  

pagure

Issues with pagure.io

  

permissions

Items which need permissions set in outside tools

  

Priority

Needs Review

Priority of Needs Review

  

Priority

Next Meeting

Priority of Next Meeting

  

Priority

🔥 URGENT 🔥

Priority of 🔥 URGENT 🔥

  

Priority

Waiting on Assignee

Priority of Waiting on Assignee

  

Priority

Waiting on External

Priority of Waiting on External

  

Priority

Waiting on Reporter

Priority of Waiting on Reporter

  

rabbitmq

issues with the message broker

  

release-monitoring

release-monitoring.org (Anitya)

  

releng

For problems which should be in the releng ticket system

  

request-for-resources

  

s390x

The secondary architecture hardware and problems related with it

  

security

  

SMTP

Email issues outside of lists (DMARC, SPF, aliases)

  

sprint-0

  

sprint-1

  

src.fp.o

Issues related to src.fedoraproject.org

  

staging

Issues in staging

  

unfreeze

Patches to be applied after freeze is lifted

  

waiverdb

Issues with waiverdb

  

websites-general

General items with a website focus

  

wiki

Issues with the Wiki

  

Backlog Status

Needs Review

Work items that have been created or updated but need review, refinement, or approval before they can be considered ready for sprint planning.

  

Backlog Status

Ready

Work items that have been reviewed, refined, and are ready to be committed to a sprint. These items have clear requirements and can be worked on immediately when capacity is available.

  

chore

Work that needs to be done but doesn't add new functionality or fix bugs. Maintenance tasks that keep the system running smoothly and the codebase clean.

  

documentation

Work focused on creating, updating, or improving documentation for users, developers, or system administrators.

  

points

01

A task that is simple, small, and has very little uncertainty. It should be easy enough for any team member to pick up and complete quickly, without a lot of discussion or research.

  

points

02

This is a task that is slightly more complex or larger than a "1." It might involve two or three simple steps, but the outcome is still very clear and there's little uncertainty.

  

points

03

Medium-sized task with some noticeable complexity. It might require a bit more thought or collaboration. The steps are well-defined, but it's not a trivial change.

  

points

05

A significant piece of work. It has more complexity and a higher degree of uncertainty than smaller tasks. It might require some research, a design discussion, or collaboration across multiple teams.

  

points

08

Complex task with a lot of uncertainty. It's often the largest size that a team will consider for a single sprint. It likely requires a detailed breakdown and multiple team members to complete.

  

points

13

Any task that feels like it's a "13" or more is considered an Epic. These are too large and uncertain to be worked on in a single sprint and should be broken down.

  

Priority

High

This is for work that is critical and needs to be addressed in the next sprint. It's often for urgent bugs, important features, or a major piece of technical debt that is blocking other work.

  

Priority

Low

This is for work that is good to do but not urgent. It's a candidate for being worked on when there's extra time or when it rises in importance. It can stay in the backlog for a longer period.

  

Priority

Medium

This is for important work that should be done soon, but isn't as urgent as a high-priority item. It will likely be considered for the next 1-2 sprints.

  

Sprint Status

Blocked

Work items that cannot progress due to external dependencies, blockers, or issues that need resolution.

  

Sprint Status

Done

Work items that have been completed, reviewed, and integrated. No further work is needed within the current sprint.

  

Sprint Status

In Progress

Work items currently being worked on by a team member. Active development, research, or implementation is happening.

  

Sprint Status

Review

Work items that are complete but need review, testing, or approval before being marked as done.

  

Sprint Status

To Do

Work items that are committed to the sprint but haven't been started yet. These items are ready to be picked up by team members.

  

Technical Debt

Work that addresses shortcuts, workarounds, or suboptimal implementations that were done previously to meet deadlines. These items improve code quality, maintainability, or performance without adding new features.

  

Work Item

Bug

Issues where the system is not working as intended or designed. Bugs represent deviations from expected behavior.

  

Work Item

Epic

Large initiatives that are broken down into multiple smaller work items (user stories, tasks, bugs). Epics represent significant features or projects that span multiple sprints.

  

Work Item

Spike

Time-boxed research, investigation, or proof-of-concept work to reduce uncertainty or explore solutions. Spikes help inform future development decisions.

  

Work Item

Task

Used to break down larger user stories into smaller, manageable implementation pieces. They focus on the specific technical steps needed to deliver the user story's value.

  

Work Item

User Story

User-facing features or functionality that can be framed from a user perspective, describing what someone wants to accomplish and why.

No labels

announcement

anubis

authentication

aws

backlog

blocked

bodhi

ci

cloud

communishift

copr

database

day-to-day

dc-move

deprecated

dev

discourse

dns

downloads

easyfix

epel

firmitas

forgejo_migration

Gain

High

Gain

Low

Gain

Medium

gitlab

greenwave

hardware

help wanted

high-trouble

koji

koschei

lists

low-trouble

medium-trouble

mirrorlists

monitoring

Needs investigation

odcs

OpenShift

ops

outage

packager_workflow_blocker

pagure

permissions

Priority

Needs Review

Priority

Next Meeting

Priority

🔥 URGENT 🔥

Priority

Waiting on Assignee

Priority

Waiting on External

Priority

Waiting on Reporter

rabbitmq

release-monitoring

releng

request-for-resources

s390x

security

SMTP

sprint-0

sprint-1

src.fp.o

staging

unfreeze

waiverdb

websites-general

wiki

Backlog Status

Needs Review

Backlog Status

Ready

chore

documentation

points

01

points

02

points

03

points

05

points

08

points

13

Priority

High

Priority

Low

Priority

Medium

Sprint Status

Blocked

Sprint Status

Done

Sprint Status

In Progress

Sprint Status

Review

Sprint Status

To Do

Technical Debt

Work Item

Bug

Work Item

Epic

Work Item

Spike

Work Item

Task

Work Item

User Story

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Sprint ( 2026-05-04 to 2026-05-18 )

Assignees

Clear assignees

No assignees

kevin

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

infra/tickets#13303

No description provided.