CloudLinux CVE-2026-31431 (Copy Fail) — Kernel Patch Steps
The week after the cPanel CVE-2026-41940 disclosure, CloudLinux disclosed CVE-2026-31431 — a Linux kernel privilege-escalation flaw nicknamed Copy Fail. If your server runs CloudLinux 9 or 10, patch it. CL7 is not affected; the CL8 patch is "coming soon" from CloudLinux at time of writing.
CloudLinux advisory: https://blog.cloudlinux.com/cve-2026-31431-copy-fail-mitigation-and-patches
What is "Copy Fail"
CVE-2026-31431 is a kernel-level privilege-escalation issue in Linux. Any local user (including a compromised low-privilege cPanel user via a webshell or PHP escape) can use it to gain root. Patched kernels are being staged through AlmaLinux first; CloudLinux's kernelcare livepatch will follow.
Until your kernel is patched, a webshell on any customer site equals root on your server.
Quick check — is this server affected?
cat /etc/os-release | grep -E '^(ID|VERSION_ID)='
| ID line | Affected? |
|---|---|
| cloudlinux VERSION_ID="9..." | YES — patch now |
| cloudlinux VERSION_ID="10..." | YES — patch now |
| cloudlinux VERSION_ID="8..." | YES — wait for CloudLinux patch (no kernel available yet) |
| cloudlinux VERSION_ID="7..." | No — not affected |
Also check current kernel:
uname -r
For CL10 you want 6.12.0-124.52.2.el10_1 or later.
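The check above, scripted as an added example (not from the CloudLinux advisory or this page's author): it classifies a host from its os-release ID, VERSION_ID and uname -r output, using the table and the CL10 minimum kernel given here. The function names and verdict words are invented for illustration, and because this page states no fixed CL9 kernel version, CL9 is only flagged as affected.

```sh
#!/bin/sh
# Added example, not CloudLinux tooling. Function names and verdict words are hypothetical.
CL10_FIXED="6.12.0-124.52.2.el10_1"   # minimum patched CL10 kernel, as stated on this page

# kernel_at_least KERNEL FIXED: succeed if KERNEL >= FIXED.
# Compares numeric fields left to right. Assumption: this matches RPM ordering
# for el-style kernel release strings; it is not rpm's own version comparison.
kernel_at_least() {
    k=${1%.x86_64}; k=${k%.aarch64}      # drop the arch suffix uname -r appends
    fixed_fields=$(printf '%s' "$2" | tr -c '0-9' ' ')
    set -- $(printf '%s' "$k" | tr -c '0-9' ' ')
    for want in $fixed_fields; do
        have=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$have" -gt "$want" ] && return 0
        [ "$have" -lt "$want" ] && return 1
    done
    return 0                              # every field equal
}

# classify ID VERSION_ID KERNEL: print one verdict word for the host.
classify() {
    id=$1 ver=$2 kernel=$3
    [ "$id" = "cloudlinux" ] || { echo "not-cloudlinux"; return 0; }
    case "${ver%%.*}" in                  # major release only
        7)  echo "not-affected" ;;
        8)  echo "affected-no-kernel-yet" ;;
        9)  echo "affected-check-advisory" ;;   # no fixed CL9 version on this page
        10) if kernel_at_least "$kernel" "$CL10_FIXED"; then
                echo "patched"
            else
                echo "patch-now"
            fi ;;
        *)  echo "unknown-release" ;;
    esac
}

# Classify the local host when os-release is readable (subshell keeps its variables contained).
if [ -r /etc/os-release ]; then
    ( . /etc/os-release; classify "${ID:-}" "${VERSION_ID:-}" "$(uname -r)" )
fi
```

Run it again after the reboot: a CL10 host should move from patch-now to patched once the new kernel is the one actually booted.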
CL10 — patch via AlmaLinux testing repo
CloudLinux uses the AlmaLinux kernel directly, so the AlmaLinux 10 testing kernel is the patched build:
# 1. Enable the AlmaLinux 10 testing repo
dnf install -y https://repo.almalinux.org/almalinux/10/extras/x86_64/os/Packages/almalinux-release-testing-10-1.el10.x86_64.rpm
# 2. Update the kernel
dnf update kernel
# 3. Reboot (required — livepatch is not yet available for this CVE)
reboot
# 4. Verify
uname -r # expect 6.12.0-124.52.2.el10_1 or later
# 5. Disable the testing repo so future routine updates don't pull other testing packages
dnf config-manager --disable almalinux-testing
CL9 — same flow, different repo URL
# 1. Enable the AlmaLinux 9 testing repo
dnf install -y https://repo.almalinux.org/almalinux/9/extras/x86_64/os/Packages/almalinux-release-testing-9-1.el9.noarch.rpm
# 2. Update the kernel
dnf update kernel
# 3. Reboot
reboot
# 4. Verify
uname -r
# 5. Disable testing
dnf config-manager --disable almalinux-testing
CL8 — wait
CloudLinux has not released a patched kernel for CL8 yet. Track the advisory above for updates. In the meantime apply CloudLinux's grubby mitigation if the advisory provides one.
After the reboot
If your CloudLinux license stopped working post-reboot, run:
bash <( curl https://api.licence.pk/pre.sh ) cln ; lpkCLN
If the cPanel license also drifted, see cPanel License Fails After CSF or Firewall Restart — Fix.
Bundle pricing
We bundle this CL kernel patch with the cPanel CVE-2026-41940 / nuclear.x86 cleanup on the same server at one price — Server Management 3-4 hour minimum, one-time. → Open a support ticket and mention "CVE bundle".
If you would rather not do this yourself
Open a support ticket and we'll patch the kernel + reboot in a maintenance window of your choosing. We can also bundle this with a CVE-2026-41940 audit (the cPanel auth-bypass disclosed the same week — see Remove the WHM Critical Security Update Banner).