We have deployed kernel-level mitigations for the CopyFail vulnerability (CVE-2026-31431) across all Hypernodes.
What is CopyFail?
CopyFail is a Linux kernel local privilege escalation vulnerability disclosed in April 2026. It affects a wide range of Linux distributions – roughly all major kernels since 2017.
The vulnerability sits in the interaction between the kernel’s crypto socket interface (`AF_ALG`) and the `splice()` system call. A logic flaw allows local users to corrupt page cache memory through crypto operations, which can then be leveraged to escalate privileges to root.
Impact on Hypernode
Some Hypernodes were running kernel versions vulnerable to CopyFail. However, the practical risk to our customers was minimal for one key reason: **CopyFail is not remotely exploitable**. An attacker must already have local shell access to the server to use it.
This means CopyFail is not a way *into* your server – it’s a way *up* once someone is already inside.
As Sansec points out in their analysis, the real-world concern is for environments where malware has already established a foothold. In those scenarios, CopyFail acts as a “universal post-compromise escalation primitive” – turning limited access into full root control reliably and quickly.
We have no evidence of CopyFail being exploited on the Hypernode platform.
What we did
We have deployed the recommended mitigations to neutralize the vulnerability:
– Blacklisted the `algif_aead` kernel module: this removes the vulnerable code path from the running kernel
– Restricted `AF_ALG` socket exposure: limits access to the kernel crypto interface
These changes align with guidance from both the original CopyFail disclosure and Sansec’s recommendations for managed hosting environments.
The mitigations have been rolled out automatically across all Hypernodes. Full kernel patches will follow as upstream distributions release updated packages.
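To confirm the `algif_aead` mitigation on a host, the check below reports whether the module is loaded and which modprobe.d directive covers it. It is an added example, not Hypernode's own tooling. The function names are hypothetical, and it assumes the standard `/proc/modules` and `/etc/modprobe.d` locations.

```shell
#!/bin/sh
# Added example: report the algif_aead mitigation state on a Linux host.
# Call check_mitigation with no arguments to inspect the live system;
# both paths can be overridden, which is how the functions are tested.
MODULE="algif_aead"

# Return 0 if the module is listed in a /proc/modules-style file.
module_loaded() {
    awk -v m="$MODULE" '$1 == m { found = 1 } END { exit !found }' \
        "${1:-/proc/modules}"
}

# Print the strongest modprobe.d directive found for the module:
#   install   - install override to /bin/false or /bin/true, so every
#               modprobe of the module runs that command instead
#   blacklist - modprobe ignores the module's internal aliases only
#   none      - no directive found
modprobe_directive() {
    dir="${1:-/etc/modprobe.d}"
    cat "$dir"/*.conf 2>/dev/null | awk -v m="$MODULE" '
        /^[ \t]*#/ { next }                    # skip comment lines
        { name = $2; gsub(/-/, "_", name) }    # modprobe treats - and _ alike
        $1 == "install" && name == m &&
            $3 ~ /^\/(usr\/)?bin\/(false|true)$/ { inst = 1 }
        $1 == "blacklist" && name == m { bl = 1 }
        END { print inst ? "install" : (bl ? "blacklist" : "none") }'
}

# Exit 0 when the module is not loaded and a directive exists,
# 1 when it is loaded, 2 when nothing prevents loading it.
check_mitigation() {
    directive=$(modprobe_directive "$2")
    if module_loaded "$1"; then
        echo "FAIL: $MODULE is loaded (directive: $directive)"
        return 1
    fi
    if [ "$directive" = "none" ]; then
        echo "WARN: $MODULE not loaded, but no modprobe.d directive found"
        return 2
    fi
    echo "OK: $MODULE not loaded (directive: $directive)"
}
```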
Action required
None. The mitigations have been applied automatically. No restart or manual intervention is needed on your part.
If you have questions about this vulnerability or your server’s security posture, contact our support team.