{"id":9075,"date":"2026-05-03T08:49:36","date_gmt":"2026-05-03T03:19:36","guid":{"rendered":"https:\/\/www.veeble.com\/kb\/?p=9075"},"modified":"2026-05-03T09:05:14","modified_gmt":"2026-05-03T03:35:14","slug":"cve-2026-41940-cve-2026-31431-two-critical-vulnerabilities-affecting-linux-servers-fix-now","status":"publish","type":"post","link":"https:\/\/www.veeble.com\/kb\/cve-2026-41940-cve-2026-31431-two-critical-vulnerabilities-affecting-linux-servers-fix-now\/","title":{"rendered":"CVE-2026-41940 & CVE-2026-31431: Two Critical Vulnerabilities Affecting Linux Servers – Fix Now"},"content":{"rendered":"\n

Two critical security vulnerabilities were publicly disclosed in late April 2026 that affect a large portion of Linux-based servers, including cPanel\/WHM installations and any Linux server running a kernel version from 4.14 onward. Both require immediate action.<\/p>\n\n\n\n

This article covers what each vulnerability does, which systems are affected, and the exact steps to patch or mitigate each one.<\/p>\n\n\n\n

\n\n\n

CVE-2026-41940 \u2014 cPanel & WHM Authentication Bypass<\/h2>\n\n

What This Vulnerability Does<\/h3>\n\n\n

CVE-2026-41940 is an authentication bypass flaw in cPanel software, including DNSOnly. It affects all cPanel versions after 11.40. A remote attacker can exploit this to authenticate to cPanel, WHM, or Webmail interfaces without valid credentials, gaining full or partial access to hosted accounts and server administration panels.<\/p>\n\n\n\n

Patches have been released. If your server is running cPanel, treat this as a P1 incident and update immediately.<\/p>\n\n\n

Affected Versions<\/h3>\n\n\n

All cPanel & WHM versions from 11.40 onward are vulnerable. The following builds include the patch:<\/p>\n\n\n\n

cPanel Tier<\/th>Patched Version<\/th><\/tr><\/thead>
11.86<\/td>11.86.0.41<\/td><\/tr>
11.110<\/td>11.110.0.97<\/td><\/tr>
11.118<\/td>11.118.0.63<\/td><\/tr>
11.124<\/td>11.124.0.35<\/td><\/tr>
11.126<\/td>11.126.0.54<\/td><\/tr>
11.130<\/td>11.130.0.19<\/td><\/tr>
11.132<\/td>11.132.0.29<\/td><\/tr>
11.134<\/td>11.134.0.20<\/td><\/tr>
11.136<\/td>11.136.0.5<\/td><\/tr>
WP Squared<\/td>136.1.7<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

If you are on CentOS 6 or CloudLinux 6 running v110.0.50<\/strong>, a direct upgrade path to v110.0.103 is available (see Step 1 below).<\/p>\n\n\n\n

\n\n\n

How to Patch CVE-2026-41940<\/h3>\n\n\n

Step 1 \u2014 (CentOS 6 \/ CloudLinux 6 on v110 only)<\/strong> Set the upgrade tier before running the update:<\/p>\n\n\n\n

whmapi1 set_tier tier=11.110.0.103<\/code><\/pre>\n\n\n\n
For CentOS 7 or CloudLinux 7 servers that need to pin to 11.110:<\/p>\n\n\n\n
whmapi1 set_tier tier=11.110<\/code><\/pre>\n\n\n\n
Step 2 \u2014 Run the forced cPanel update:<\/strong><\/p>\n\n\n\n
\/scripts\/upcp --force<\/code><\/pre>\n\n\n\n
Step 3 \u2014 Confirm the build version after the update completes:<\/strong><\/p>\n\n\n\n
\/usr\/local\/cpanel\/cpanel -V<\/code><\/pre>\n\n\n\n
Verify the output matches one of the patched versions listed in the table above.<\/p>\n\n\n\n
Step 4 \u2014 Perform a hard restart of the cPanel service:<\/strong><\/p>\n\n\n\n
\/scripts\/restartsrv_cpsrvd --hard<\/code><\/pre>\n\n\n\n
\n
Note:<\/strong> If you have disabled automatic cPanel updates or pinned your server to a specific version, it will not have auto-updated. Identify and update these servers manually as a priority.<\/p>\n<\/blockquote>\n\n\n\n
\n\n\n
If You Cannot Update Immediately<\/h3>\n\n\n
Apply one of the following mitigations to reduce exposure while you prepare the update:<\/p>\n\n\n\n
Option A \u2014 Block cPanel ports at the firewall:<\/strong><\/p>\n\n\n\n
Block inbound traffic on ports 2083<\/code>, 2087<\/code>, 2095<\/code>, and 2096<\/code>.<\/p>\n\n\n\n
Option B \u2014 Stop the cPanel service entirely:<\/strong><\/p>\n\n\n\n
whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 && \\\nwhmapi1 configureservice service=cpdavd enabled=0 monitored=0 && \\\n\/scripts\/restartsrv_cpsrvd --stop && \\\n\/scripts\/restartsrv_cpdavd --stop<\/code><\/pre>\n\n\n\n
This will take cPanel and Webmail offline. Only use this if you have an alternative way to manage the server (SSH\/WHM API) and downtime is acceptable.<\/p>\n\n\n\n
\n\n\n
Checking for Indicators of Compromise<\/h3>\n\n\n
cPanel has released a detection script that scans session files for signs of exploitation. Save the script below as ioc_checksessions_files.sh<\/code>, then run it:<\/p>\n\n\n\n
\/bin\/bash .\/ioc_checksessions_files.sh<\/code><\/pre>\n\n\n\n
The script checks for six distinct exploitation patterns across session files in \/var\/cpanel\/sessions\/raw\/<\/code> and produces a severity-graded summary:<\/p>\n\n\n\n
=================================================================\n                       SCAN SUMMARY\n=================================================================\n  CRITICAL findings: 1\n  WARNING  findings: 0\n  ATTEMPT  findings: 1\n  INFO     findings: 0\n  Total            : 2<\/code><\/pre>\n\n\n\n
Severity levels:<\/strong><\/p>\n\n\n\n
Severity<\/th>Meaning<\/th><\/tr><\/thead>
CRITICAL<\/td>Active exploitation confirmed. The injected session was used to authenticate successfully.<\/td><\/tr>
WARNING<\/td>Suspicious session structure that cannot occur in a legitimate flow.<\/td><\/tr>
ATTEMPT<\/td>A failed exploit attempt was detected \u2014 session was probed but authentication was not achieved.<\/td><\/tr>
INFO<\/td>Anomalous but inconclusive. Monitor and investigate.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
The script also accepts the following optional flags:<\/p>\n\n\n\n
Flag<\/th>Description<\/th><\/tr><\/thead>
--verbose<\/code><\/td>Dump full contents of flagged session files<\/td><\/tr>
--purge<\/code><\/td>Delete all flagged session files and their preauth markers<\/td><\/tr>
--yes<\/code><\/td>Skip interactive confirmation when used with --purge<\/code> (required in cron\/non-TTY environments)<\/td><\/tr>
--sessions-dir DIR<\/code><\/td>Override the default \/var\/cpanel\/sessions<\/code> path<\/td><\/tr>
--access-log FILE<\/code><\/td>Override the default access log path<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Exit codes<\/strong> (useful for monitoring integrations):<\/p>\n\n\n\n
Code<\/th>Meaning<\/th><\/tr><\/thead>
0<\/code><\/td>Clean \u2014 no indicators found<\/td><\/tr>
1<\/code><\/td>Probing activity detected (ATTEMPT or INFO only)<\/td><\/tr>
2<\/code><\/td>Compromise indicators detected (CRITICAL or WARNING present)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Detection Script:<\/strong><\/p>\n\n\n\n
#!\/bin\/bash\n# Scan for compromised cPanel\/WHM session files.\n\nSESSIONS_DIR=\"\/var\/cpanel\/sessions\"\nACCESS_LOG=\"\/usr\/local\/cpanel\/logs\/access_log\"\nVERBOSE=0\nPURGE=0\nASSUME_YES=0\n\nwhile [ $# -gt 0 ]; do\n    case \"$1\" in\n        --verbose) VERBOSE=1 ;;\n        --purge) PURGE=1 ;;\n        --yes|-y) ASSUME_YES=1 ;;\n        --sessions-dir) SESSIONS_DIR=\"$2\"; shift ;;\n        --access-log) ACCESS_LOG=\"$2\"; shift ;;\n        --help|-h)\n            echo \"Usage: $0 [--verbose] [--purge [--yes]] [--sessions-dir DIR] [--access-log FILE]\"\n            exit 0 ;;\n        *) echo \"Unknown argument: $1\" >&2; exit 1 ;;\n    esac\n    shift\ndone\n\nFINDINGS=()\nFINDING_SESSIONS=()\nFINDING_TOKENS=()\nFINDING_SEVERITIES=()\nCOUNT_CRITICAL=0\nCOUNT_WARNING=0\nCOUNT_INFO=0\nCOUNT_ATTEMPT=0\n\nget_field() { grep \"^${2}=\" \"$1\" | head -1 | cut -d= -f2-; }\nhr() { echo \"    ----------------------------------------------------------------\"; }\n\ndump_session() {\n    local session_file=\"$1\" token_val=\"$2\" session_name preauth_file\n    session_name=$(basename \"$session_file\")\n    preauth_file=\"$SESSIONS_DIR\/preauth\/$session_name\"\n    hr\n    echo \"    SESSION DUMP: $session_file\"\n    hr\n    echo \"    File metadata:\"\n    ls -la \"$session_file\" 2>\/dev\/null | sed 's\/^\/      \/'\n    echo\n    echo \"    Full session contents:\"\n    sed 's\/^\/      \/' \"$session_file\"\n    echo\n    if [ -f \"$preauth_file\" ]; then\n        echo \"    Matching pre-auth file: $preauth_file\"\n        ls -la \"$preauth_file\" 2>\/dev\/null | sed 's\/^\/      \/'\n        echo \"    Pre-auth contents:\"\n        sed 's\/^\/      \/' \"$preauth_file\"\n        echo\n    fi\n    if [ -n \"$token_val\" ] && [ -r \"$ACCESS_LOG\" ]; then\n        echo \"    Access log hits for token '$token_val':\"\n        grep -aF -- \"$token_val\" \"$ACCESS_LOG\" | sed 's\/^\/      \/' || echo \"      (none)\"\n        echo\n    fi\n    hr\n}\n\nreport_finding() {\n    local severity=\"$1\" session_file=\"$2\" token_val=\"$3\" message=\"$4\"\n    local sev_rank=0\n    case \"$severity\" in CRITICAL) sev_rank=3 ;; WARNING) sev_rank=2 ;; ATTEMPT) sev_rank=1 ;; INFO) sev_rank=0 ;; esac\n    local i found=0 prev_sev prev_rank\n    for i in \"${!FINDING_SESSIONS[@]}\"; do\n        if [ \"${FINDING_SESSIONS[$i]}\" = \"$session_file\" ]; then\n            found=1\n            prev_sev=\"${FINDING_SEVERITIES[$i]}\"\n            case \"$prev_sev\" in CRITICAL) prev_rank=3 ;; WARNING) prev_rank=2 ;; ATTEMPT) prev_rank=1 ;; INFO) prev_rank=0 ;; esac\n            if [ \"$sev_rank\" -le \"$prev_rank\" ]; then return; fi\n            FINDING_SEVERITIES[$i]=\"$severity\"\n            [ -n \"$token_val\" ] && FINDING_TOKENS[$i]=\"$token_val\"\n            local j\n            for j in \"${!FINDINGS[@]}\"; do\n                local entry=\"${FINDINGS[$j]}\" entry_sev entry_file\n                entry_sev=\"${entry%%|*}\"\n                entry_file=\"${entry#*|}\"; entry_file=\"${entry_file%%|*}\"\n                if [ \"$entry_file\" = \"$session_file\" ] && [ \"$entry_sev\" = \"$prev_sev\" ]; then\n                    FINDINGS[$j]=\"${severity}|${session_file}|${message}\"; break\n                fi\n            done\n            case \"$prev_sev\" in CRITICAL) COUNT_CRITICAL=$((COUNT_CRITICAL-1)) ;; WARNING) COUNT_WARNING=$((COUNT_WARNING-1)) ;; ATTEMPT) COUNT_ATTEMPT=$((COUNT_ATTEMPT-1)) ;; INFO) COUNT_INFO=$((COUNT_INFO-1)) ;; esac\n            break\n        fi\n    done\n    if [ \"$found\" -eq 0 ]; then\n        FINDING_SESSIONS+=(\"$session_file\")\n        FINDING_TOKENS+=(\"$token_val\")\n        FINDING_SEVERITIES+=(\"$severity\")\n        FINDINGS+=(\"${severity}|${session_file}|${message}\")\n    fi\n    case \"$severity\" in CRITICAL) COUNT_CRITICAL=$((COUNT_CRITICAL+1)) ;; WARNING) COUNT_WARNING=$((COUNT_WARNING+1)) ;; ATTEMPT) COUNT_ATTEMPT=$((COUNT_ATTEMPT+1)) ;; INFO) COUNT_INFO=$((COUNT_INFO+1)) ;; esac\n    echo \"[${severity}] ${message}: ${session_file}\"\n}\n\ncheck_token_denied_with_injected_token() {\n    local session_file=\"$1\"\n    grep -q '^token_denied=' \"$session_file\" || return\n    grep -q '^cp_security_token=' \"$session_file\" || return\n    local token_val external_auth internal_auth hasroot tfa used\n    token_val=$(get_field \"$session_file\" cp_security_token)\n    external_auth=$(get_field \"$session_file\" successful_external_auth_with_timestamp)\n    internal_auth=$(get_field \"$session_file\" successful_internal_auth_with_timestamp)\n    hasroot=$(get_field \"$session_file\" hasroot)\n    tfa=$(get_field \"$session_file\" tfa_verified)\n    used=\"\"\n    if [ -r \"$ACCESS_LOG\" ]; then\n        used=$(grep -aF -- \"$token_val\" \"$ACCESS_LOG\" | grep -m1 \" 200 \")\n    fi\n    local has_auth_markers=0\n    if [ -n \"$external_auth\" ] || [ -n \"$internal_auth\" ] || [ \"$hasroot\" = \"1\" ] || [ \"$tfa\" = \"1\" ] || [ -n \"$used\" ]; then\n        has_auth_markers=1\n    fi\n    if grep -q '^origin_as_string=.*method=badpass' \"$session_file\"; then\n        if [ \"$has_auth_markers\" -eq 1 ]; then\n            report_finding CRITICAL \"$session_file\" \"$token_val\" \"Exploitation artifact - token_denied with injected cp_security_token (badpass origin, token used)\"\n        else\n            if grep -q '^pass=' \"$session_file\"; then return; fi\n            report_finding INFO \"$session_file\" \"$token_val\" \"Possible injected session (badpass origin, no usage observed)\"\n        fi\n    elif grep -q '^origin_as_string=.*method=handle_form_login' \"$session_file\" || \\\n         grep -q '^origin_as_string=.*method=create_user_session' \"$session_file\" || \\\n         grep -q '^origin_as_string=.*method=handle_auth_transfer' \"$session_file\"; then\n        return\n    else\n        report_finding WARNING \"$session_file\" \"$token_val\" \"Suspicious session with token_denied + cp_security_token (non-badpass origin)\"\n    fi\n}\n\ncheck_preauth_with_auth_attrs() {\n    local session_file=\"$1\" session_name preauth_file\n    session_name=$(basename \"$session_file\")\n    preauth_file=\"$SESSIONS_DIR\/preauth\/$session_name\"\n    [ -f \"$preauth_file\" ] || return\n    local marker\n    if grep -qE '^successful_external_auth_with_timestamp=' \"$session_file\"; then\n        marker=\"successful_external_auth_with_timestamp\"\n    elif grep -qE '^successful_internal_auth_with_timestamp=' \"$session_file\"; then\n        marker=\"successful_internal_auth_with_timestamp\"\n    else\n        return\n    fi\n    report_finding CRITICAL \"$session_file\" \"$(get_field \"$session_file\" cp_security_token)\" \"Injected session - ${marker} present in pre-auth session\"\n}\n\ncheck_tfa_with_bad_origin() {\n    local session_file=\"$1\"\n    grep -qE '^tfa_verified=1$' \"$session_file\" || return\n    grep -q '^origin_as_string=.*method=handle_form_login' \"$session_file\" && return\n    grep -q '^origin_as_string=.*method=create_user_session' \"$session_file\" && return\n    grep -q '^origin_as_string=.*method=handle_auth_transfer' \"$session_file\" && return\n    report_finding WARNING \"$session_file\" \"$(get_field \"$session_file\" cp_security_token)\" \"Session with tfa_verified=1 but suspicious origin\"\n}\n\ncheck_malformed_session_line() {\n    local session_file=\"$1\"\n    grep -nE -v '^[A-Za-z_][A-Za-z0-9_]*=|^[[:space:]]*$' \"$session_file\" >\/dev\/null 2>&1 || return\n    report_finding CRITICAL \"$session_file\" \"$(get_field \"$session_file\" cp_security_token)\" \"Malformed session line(s) detected (not key=value - newline injection footprint)\"\n}\n\ncheck_badpass_with_auth_markers() {\n    local session_file=\"$1\"\n    grep -q '^origin_as_string=.*method=badpass' \"$session_file\" || return\n    local markers=()\n    grep -q '^successful_external_auth_with_timestamp=' \"$session_file\" && markers+=(\"successful_external_auth_with_timestamp\")\n    grep -q '^successful_internal_auth_with_timestamp=' \"$session_file\" && markers+=(\"successful_internal_auth_with_timestamp\")\n    grep -qE '^hasroot=1$' \"$session_file\" && markers+=(\"hasroot=1\")\n    grep -qE '^tfa_verified=1$' \"$session_file\" && markers+=(\"tfa_verified=1\")\n    [ \"${#markers[@]}\" -gt 0 ] || return\n    local joined; joined=$(IFS=,; echo \"${markers[*]}\")\n    report_finding CRITICAL \"$session_file\" \"$(get_field \"$session_file\" cp_security_token)\" \"badpass origin combined with authenticated markers ($joined) - impossible in benign flow\"\n}\n\ncheck_failed_exploit_attempt() {\n    local session_file=\"$1\"\n    grep -q '^origin_as_string=.*method=badpass' \"$session_file\" || return\n    grep -q '^token_denied=' \"$session_file\" || return\n    grep -q '^successful_internal_auth_with_timestamp=' \"$session_file\" && return\n    grep -q '^successful_external_auth_with_timestamp=' \"$session_file\" && return\n    grep -q '^pass=' \"$session_file\" || return\n    report_finding ATTEMPT \"$session_file\" \"$(get_field \"$session_file\" cp_security_token)\" \"Failed exploit attempt (badpass origin, token_denied, no auth markers, anomalous pass= line)\"\n}\n\nscan_sessions() {\n    local session_file\n    while IFS= read -r -d '' session_file; do\n        check_token_denied_with_injected_token \"$session_file\"\n        check_preauth_with_auth_attrs \"$session_file\"\n        check_tfa_with_bad_origin \"$session_file\"\n        check_malformed_session_line \"$session_file\"\n        check_badpass_with_auth_markers \"$session_file\"\n        check_failed_exploit_attempt \"$session_file\"\n    done < <(find \"$SESSIONS_DIR\/raw\" -type f -print0 2>\/dev\/null)\n}\n\nprint_summary() {\n    local total=$((COUNT_CRITICAL+COUNT_WARNING+COUNT_INFO+COUNT_ATTEMPT))\n    echo\n    echo \"=================================================================\"\n    echo \"                       SCAN SUMMARY\"\n    echo \"=================================================================\"\n    echo \"  CRITICAL findings: $COUNT_CRITICAL\"\n    echo \"  WARNING  findings: $COUNT_WARNING\"\n    echo \"  ATTEMPT  findings: $COUNT_ATTEMPT\"\n    echo \"  INFO     findings: $COUNT_INFO\"\n    echo \"  Total            : $total\"\n    echo \"-----------------------------------------------------------------\"\n    if [ \"$total\" -eq 0 ]; then echo \"[+] No indicators of compromise found.\"; return; fi\n    if [ \"$PURGE\" -eq 1 ] && [ \"$ASSUME_YES\" -ne 1 ]; then\n        if [ ! -t 0 ]; then\n            echo \"[ERROR] --purge requires --yes when stdin is not a TTY\" >&2; exit 64\n        fi\n        echo\n        echo \"About to delete ${#FINDING_SESSIONS[@]} session file(s) plus matching preauth markers.\"\n        local confirm=\"\"\n        read -r -p \"Type 'yes' to confirm: \" confirm\n        if [ \"$confirm\" != \"yes\" ]; then echo \"[+] Aborted; no files deleted.\"; PURGE=0; fi\n    fi\n    local i session token severity message found=0\n    for i in \"${!FINDING_SESSIONS[@]}\"; do\n        session=\"${FINDING_SESSIONS[$i]}\"\n        token=\"${FINDING_TOKENS[$i]}\"\n        severity=\"${FINDING_SEVERITIES[$i]}\"\n        found=0\n        for entry in \"${FINDINGS[@]}\"; do\n            local entry_sev entry_file entry_msg\n            IFS='|' read -r entry_sev entry_file entry_msg <<< \"$entry\"\n            if [ \"$entry_file\" = \"$session\" ] && [ \"$entry_sev\" = \"$severity\" ]; then\n                message=\"$entry_msg\"; found=1; break\n            fi\n        done\n        echo\n        echo \"=================================================================\"\n        echo \"  SESSION: $session\"\n        echo \"=================================================================\"\n        echo \"  Findings:\"\n        if [ \"$found\" -eq 1 ]; then printf \"    [%-8s] %s\\n\" \"$severity\" \"$message\"\n        else printf \"    [%-8s] %s\\n\" \"$severity\" \"(no message found)\"; fi\n        echo\n        if [ \"$VERBOSE\" -eq 1 ]; then dump_session \"$session\" \"$token\"; fi\n        if [ \"$PURGE\" -eq 1 ]; then\n            echo \"    [ACTION] Deleting session file: $session\"\n            rm -f -- \"$session\"\n            local preauth_marker=\"$SESSIONS_DIR\/preauth\/$(basename \"$session\")\"\n            if [ -e \"$preauth_marker\" ]; then\n                echo \"    [ACTION] Deleting preauth marker: $preauth_marker\"\n                rm -f -- \"$preauth_marker\"\n            fi\n        fi\n    done\n    if [ \"$COUNT_CRITICAL\" -gt 0 ] || [ \"$COUNT_WARNING\" -gt 0 ]; then\n        echo\n        echo \"[!] INDICATORS OF COMPROMISE DETECTED - IMMEDIATE ACTION REQUIRED\"\n        echo \"    1. Purge all affected sessions\"\n        echo \"    2. Force password reset for root and all WHM users\"\n        echo \"    3. Audit \/var\/log\/wtmp and WHM access logs for unauthorized access\"\n        echo \"    4. Check for persistence mechanisms (cron, SSH keys, backdoors)\"\n    fi\n}\n\nif [ ! -d \"$SESSIONS_DIR\/raw\" ]; then\n    echo \"[ERROR] Sessions directory not found: $SESSIONS_DIR\/raw\" >&2\n    echo \"        Pass --sessions-dir DIR to point at a different location\" >&2\n    exit 64\nfi\n\necho \"[*] Scanning session files for injection indicators...\"\nscan_sessions\nprint_summary\n\nif [ \"$COUNT_CRITICAL\" -gt 0 ] || [ \"$COUNT_WARNING\" -gt 0 ]; then exit 2\nelif [ \"$COUNT_ATTEMPT\" -gt 0 ] || [ \"$COUNT_INFO\" -gt 0 ]; then exit 1\nfi\nexit 0<\/code><\/pre>\n\n\n\n
\n\n\n
If the Server Is Confirmed Compromised<\/h3>\n\n\n
If the detection script returns CRITICAL or WARNING findings, the server should be treated as root-compromised until proven otherwise.<\/p>\n\n\n\n
Immediate actions:<\/strong><\/p>\n\n\n\n
    \n
  1. Purge all flagged session files (use --purge --yes<\/code> with the detection script).<\/li>\n\n\n\n
  2. Force a password reset for root<\/code> and all WHM-level users.<\/li>\n\n\n\n
  3. Audit \/var\/log\/wtmp<\/code> and WHM access logs for unauthorized logins.<\/li>\n\n\n\n
  4. Check for persistence mechanisms: cron jobs, added SSH authorized keys, webshells, and any new system users.<\/li>\n\n\n\n
  5. If you cannot confirm the scope of the compromise, migrate all cPanel accounts to a clean server or reinstall the OS and restore from a known-good backup.<\/li>\n<\/ol>\n\n\n\n
    \n\n\n
    CVE-2026-31431 \u2014 Linux Kernel “Copy Fail” Local Privilege Escalation<\/h2>\n\n
    What This Vulnerability Does<\/h3>\n\n\n
    CVE-2026-31431, nicknamed “Copy Fail,” is a local privilege escalation vulnerability in the Linux kernel. Any unprivileged local user \u2014 including users inside containers \u2014 can use it to obtain a root shell. It was introduced with kernel 4.14 and affects all major Linux distributions that have shipped a kernel in that range since 2017, including Ubuntu, Amazon Linux, RHEL, and SUSE.<\/p>\n\n\n\n
    The flaw is in the authencesn<\/code> cryptographic module (algif_aead.c<\/code>), reachable via the AF_ALG<\/code> socket interface combined with the splice()<\/code> system call. Unlike earlier kernel privilege escalation exploits, it requires no race condition, no kernel offsets, no recompilation, and no compiled payload. A 732-byte Python script using only standard library modules achieves reliable root on affected systems.<\/p>\n\n\n\n
    The mechanism: by splicing a file into a pipe and feeding it into an AF_ALG<\/code> socket, the kernel’s page cache pages are placed into a writable destination scatterlist. The authencesn<\/code> algorithm then writes 4 bytes past the declared output boundary directly into chained page cache pages. Because the kernel never marks those corrupted pages dirty for writeback, the on-disk file is untouched \u2014 standard file integrity tools that check on-disk checksums will not detect the modification. The attacker then executes the corrupted in-memory version of a setuid binary (such as \/usr\/bin\/su<\/code>) to obtain a root shell.<\/p>\n\n\n\n
    This vulnerability also functions as a Kubernetes container escape primitive, since the page cache is shared across all processes on a host, including across container boundaries.<\/p>\n\n\n\n
    Confirmed affected distributions:<\/strong><\/p>\n\n\n\n
    Distribution<\/th>Kernel Version Tested<\/th><\/tr><\/thead>
    Ubuntu 24.04 LTS<\/td>6.17.0-1007-aws<\/td><\/tr>
    Amazon Linux 2023<\/td>6.18.8-9.213.amzn2023<\/td><\/tr>
    RHEL 14.3<\/td>6.12.0-124.45.1.el10_1<\/td><\/tr>
    SUSE 16<\/td>6.12.0-160000.9-default<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
    \n\n\n
    How to Patch CVE-2026-31431<\/h3>\n\n\n
    Step 1 \u2014 Apply the kernel update through your distribution’s package manager.<\/strong><\/p>\n\n\n\n
    On Debian\/Ubuntu:<\/p>\n\n\n\n
    apt update && apt upgrade -y linux-image-$(uname -r)\nreboot<\/code><\/pre>\n\n\n\n
    On RHEL\/AlmaLinux\/Rocky Linux:<\/p>\n\n\n\n
    dnf update kernel -y\nreboot<\/code><\/pre>\n\n\n\n
    On Amazon Linux 2023:<\/p>\n\n\n\n
    dnf update kernel -y\nreboot<\/code><\/pre>\n\n\n\n
    On SUSE:<\/p>\n\n\n\n
    zypper update -y kernel-default\nreboot<\/code><\/pre>\n\n\n\n
    Step 2 \u2014 Verify the kernel version after reboot:<\/strong><\/p>\n\n\n\n
    uname -r<\/code><\/pre>\n\n\n\n
    Cross-reference the output against your distribution’s security advisory to confirm the patched build is running.<\/p>\n\n\n\n
    \n\n\n
    Immediate Mitigation (If You Cannot Reboot Now)<\/h3>\n\n\n
    Disable the algif_aead<\/code> kernel module to remove the attack surface without rebooting:<\/p>\n\n\n\n
    echo \"install algif_aead \/bin\/false\" > \/etc\/modprobe.d\/disable-algif-aead.conf\nrmmod algif_aead 2>\/dev\/null<\/code><\/pre>\n\n\n\n
    This prevents the module from loading or being loaded on demand. The second command unloads it if it is currently loaded. The change persists across reboots via the modprobe.d<\/code> configuration.<\/p>\n\n\n\n
    \n
    Note:<\/strong> This mitigation blocks the exploit path but does not fix the underlying kernel vulnerability. Apply the kernel update and reboot as soon as your maintenance window allows.<\/p>\n<\/blockquote>\n\n\n\n
    \n\n\n
    Prevention<\/h2>\n\n\n
    These two vulnerabilities highlight two recurring issues worth addressing systematically.<\/p>\n\n\n\n
    For cPanel servers:<\/strong><\/p>\n\n\n\n