CopyFail Patching Guide

CopyFail is a CPU-related side-channel vulnerability in hardware-accelerated cryptography.
On a vulnerable server, this could potentially enable leakage of cryptographic keys from userspace in the worst case.

CVE: CVE-2026-31431


Recommended Action (Patch)

General: Upgrade all packages and reboot the server.

Ubuntu

sudo apt update && sudo apt install --only-upgrade kmod
sudo reboot

Rocky Linux / Oracle Linux

Awaiting


Patch Verification

You can use the following Python script to verify that the mitigation has been applied correctly:

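python3 -c 'import socket
try:
    # 38 = AF_ALG (kernel crypto API), 5 = SOCK_SEQPACKET
    s = socket.socket(38, 5, 0)
    # bind fails with OSError when the AEAD interface is unavailable
    s.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
    print("AEAD interface present")
except OSError:
    print("AEAD interface disabled")'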

Expected output after patching:
AEAD interface disabled

If the output shows “AEAD interface present”, the server is still vulnerable.


Temporary Workaround (if patching is not possible now)

If the server cannot be patched immediately, hardware-accelerated cryptography can be temporarily disabled for affected services/applications (e.g., via relevant environment variables) until patching and reboot can be performed.

Note: This may have a performance impact but reduces the risk.

Kernel Configuration Options

The mitigation depends on kernel configuration:

  • If kernel config has CONFIG_CRYPTO_USER_API_AEAD=m:

    echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
    sudo rmmod algif_aead
    
  • If kernel config has CONFIG_CRYPTO_USER_API_AEAD=y:

    Add initcall_blacklist=algif_aead_init to kernel command line and reboot.
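
An added example, not part of the original guide: a POSIX shell helper that reports which of the two cases above applies and whether the matching mitigation is in place. It assumes the kernel config is at /boot/config-$(uname -r) and searches only /etc/modprobe.d; the function names and state labels are made up for this illustration.

```sh
#!/bin/sh
# Added illustration (not from the original guide). Function names and the
# state labels they print are hypothetical. File paths are parameters so the
# logic can also be run against copies or constructed files.

# Print m, y or n for CONFIG_CRYPTO_USER_API_AEAD in the given kernel config.
aead_config_mode() {
    v=$(sed -n 's/^CONFIG_CRYPTO_USER_API_AEAD=\([my]\)$/\1/p' "$1" | head -n 1)
    echo "${v:-n}"
}

# Args: kernel config, kernel command line, module list, modprobe.d directory.
aead_mitigation_state() {
    case "$(aead_config_mode "$1")" in
    y)  # Built in: only the boot-time initcall blacklist removes the interface.
        if grep -Eq '(^| )initcall_blacklist=([^ ]*,)?algif_aead_init(,| |$)' "$2"
        then echo "builtin-blacklisted"
        else echo "builtin-exposed"
        fi ;;
    m)  # Module: it must be unloaded now and blocked from loading again.
        if grep -q '^algif_aead ' "$3"; then
            echo "module-loaded"
        elif grep -Eqs '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false' "$4"/*.conf
        then echo "module-blocked"
        else echo "module-loadable"
        fi ;;
    *)  echo "not-built" ;;
    esac
}

# Assumption: the running kernel config is at /boot/config-$(uname -r),
# and only /etc/modprobe.d is searched for the install rule.
if [ "${1:-}" = "--check" ]; then
    aead_mitigation_state "/boot/config-$(uname -r)" /proc/cmdline \
        /proc/modules /etc/modprobe.d
fi
```

Run it with --check on the server; builtin-exposed, module-loaded and module-loadable mean a step from the list above is still outstanding.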


Last updated: May 1, 2026
