I have Zorin OS 18.1 (kernel 6.17) and I'm concerned about the recent Copy Fail (CVE-2026-31431) Linux kernel vulnerability that allows local privilege escalation to root.
Questions:
Is an official patch/kernel update being worked on for Zorin OS 18.1?
When can we expect the patch release (Linux 6.18.22+ or backport)?
Are there currently available HWE kernels with the fix in Zorin repositories?
For now, I've temporarily blacklisted the algif_aead module, but I'm waiting for an official solution.
From what I can see, CVE-2026-31431 is a real Linux kernel issue in the algif_aead area and Ubuntu currently marks it as High priority. Zorin OS 18.1 is based on Ubuntu 24.04 LTS and uses kernel 6.17, so I would expect the safest fix to come through the normal Zorin/Ubuntu update channels rather than installing a random mainline kernel manually.
I am not part of the Zorin OS team, so I cannot give an official timeline.
For now, I would personally keep the system fully updated through Software Updater or apt, avoid running untrusted local code, and avoid installing unofficial kernel packages unless there is a clear recommendation from Zorin or Ubuntu.
Your temporary algif_aead blacklist may be a reasonable mitigation if you know that nothing on your system depends on that module, but it should probably be treated as temporary until the official kernel update is available.
It would be good if someone from the Zorin team or a more experienced kernel/Ubuntu user could confirm the exact package version or update path for Zorin OS 18.1.
Here you will have to wait for a kernel update. The updates come from Ubuntu, so it is up to them. When you see a kernel update in the Software Updater, click on the packages and then you get the changelog in the bottom half of the window. There you can check if a patch for this CVE is included.
I got an update today through the Software Updater. Besides kernel updates, there was an update for kmod/libkmod which is related to this security vulnerability. So, to say that clearly, no kernel patch is coming.
The update does what the discoverer of the security issue already provided: it disables the problematic module. Once updated, you can check in the directory /etc/modprobe.d/ that there is a file called disable-algif_aead.conf
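Added example, not part of any post in this thread: a shell check for the two mitigations mentioned above (a manual blacklist of algif_aead and the disable-algif_aead.conf file under /etc/modprobe.d/). The contents of that file are not shown on this page, so the script reports which kind of rule it finds; the function names and the directory list are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: how modprobe.d treats a module and
# whether it is loaded right now. Per modprobe.d(5), "blacklist" only ignores
# the module's aliases; "install MODULE /bin/false" also blocks loading by name.

# modprobe_rule MODULE DIR...  -> prints install-blocked | blacklisted | none
modprobe_rule() {
    mod=$(printf '%s' "$1" | tr '-' '_'); shift
    found=none
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            r=$(awk -v m="$mod" '
                /^[ \t]*#/ { next }
                { name = $2; gsub(/-/, "_", name) }   # - and _ are equivalent
                $1 == "install" && name == m && $3 ~ /\/(false|true)$/ { hard = 1 }
                $1 == "blacklist" && name == m { soft = 1 }
                END { print (hard ? "install-blocked" : (soft ? "blacklisted" : "none")) }
            ' "$f")
            if [ "$r" = install-blocked ]; then found=$r
            elif [ "$r" = blacklisted ] && [ "$found" = none ]; then found=$r
            fi
        done
    done
    printf '%s\n' "$found"
}

# module_loaded MODULE [FILE] -> exit 0 if MODULE is listed (default /proc/modules)
module_loaded() {
    awk -v m="$(printf '%s' "$1" | tr '-' '_')" \
        '$1 == m { hit = 1 } END { exit !hit }' "${2:-/proc/modules}" 2>/dev/null
}

# Report for this machine; the directory list is the usual modprobe.d search path.
rule=$(modprobe_rule algif_aead /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d)
if module_loaded algif_aead; then loaded=yes; else loaded=no; fi
echo "algif_aead: modprobe.d rule=$rule, loaded now=$loaded"
```

A modprobe.d rule only affects future load requests, so a module reported as loaded stays in the kernel until it is removed or the machine is rebooted.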
Ars Technica used some explosive headlines which got a forum member emailing me. As with other vulnerabilities that get reported, the devil is in the detail. Are you offering B&B to a hacker in your home allowing them to use your machine and inject the code? From what I read, this needs someone to have local access to your machine, not a remote attack. Where I can see it as a possible issue is for Sys Admins running an Ubuntu network with many nodes where a user could escalate their standard user status to one of administrator and potentially cause other network damage once they achieved that status.
As a "non-tech" who fled MS Windows and picked the Zorin distro, I have tried running the Software Updater Zorin program several times to get anything relevant to this Copy Fail fix that is available. However, the updater program fails every time, telling me to check my Internet connection (which is fine). Is this happening because of the Copy Fail vulnerability or is it happening because whatever sources Zorin uses are just flooded with traffic now? Or?
I'm not familiar with this particular guy, but it's a good example of why I try not to get my news from people who make faces into a camera on their thumbnail. "Every Linux?" When Ars broke the story, there were already security updates for 6.19, 6.18, 6.12, 6.6, 6.1, 5.15, and 5.10. 7.0 released two and a half weeks ago with no need for an update because this was already fixed. Fedora, Arch, and derivatives that update their kernels when their parent does were fine at the time that video went up.
I'm not suggesting CopyFail isn't serious and it's certainly widespread. For the broader, non-home user Linux community it's a MASSIVE issue. Distributions should update to mitigate it quickly, and home users comfortable with updating their own kernel should probably consider it. I acknowledge that the vast majority of distributions had not mitigated the issue yet. But MAN I hate blatant falsehood posted as hyperbole. (Edit: For clarity, I'm not rebuking you, Ponce de Leon; it's the YouTuber I'm venting about.)
For most home users this is almost certainly true, but it doesn't require physical access if someone has a means by which to get a script on a machine and execute it, and it'll break boundaries, so while I'd like to think most Linux users are savvy enough not to run something they were just sent, social engineering tricks may apply.
And that's why you won't find me on any Social Media or use any Social Media Comms like WhatsApp and Instagram.
I think where home users might be concerned is with Cloud Storage. MS was quick to point out about potential issues with other cloud providers and not Azure, but interestingly on Ubuntu status it states that Azure components are now operational.
I have posed this issue to my Cloud Provider, Murena, and at the time of writing this I have not checked to see if there is a response. They use Nextcloud software. I suspect they use Linux servers as their founder is Gaël Duval, creator of Mandrake Linux.
Thanks for the insights @swarfendor437. Just like @Texas22Step I recently fled Windows for Zorin and was a bit afraid of this.
I can also confirm that the software updater is very unreliable right now. Not only does loading take a lot of time, but checking & un-checking does make the application hang.
Reading that it's not that big of an attack vector for home users is a relief.
Is there a test script that we can run to check whether or not our system is affected by CopyFail?
There is also another, even more serious vulnerability called DirtyFrag. Is there a test script to test if we are currently vulnerable to that as well?
install pro-client if not done: sudo apt install ubuntu-pro-client
copy fail check: sudo pro fix CVE-2026-31431
pack2theroot check: sudo pro fix CVE-2026-41651
dirtyfrag check: sudo pro fix CVE-2026-43500 and sudo pro fix CVE-2026-43284
To run the check you need a connection to the web. If your connection fails, try to establish a VPN to the UK. This is working fine for all kernel versions and Zorin 17.3 as well.
EDIT
Just for clarification... The above workaround can be used without going for a Pro subscription; the machine you are checking does not have to be attached to an Ubuntu Pro subscription.