CVE-2026-31431 (Copy Fail) Patch Status for Zorin OS 18.1

Hello community,

I have Zorin OS 18.1 (kernel 6.17) and I'm concerned about the recent Copy Fail (CVE-2026-31431) Linux kernel vulnerability that allows local privilege escalation to root.

Questions:

Is an official patch/kernel update being worked on for Zorin OS 18.1?

When can we expect the patch release (Linux 6.18.22+ or backport)?

Are there currently available HWE kernels with the fix in Zorin repositories?

For now, I've temporarily blacklisted the algif_aead module, but I'm waiting for an official solution.

Thanks for the info!

2 Likes

Welcome to the Forum!

Here you will have to wait for a kernel update. The updates come from Ubuntu, so it is up to them. When you see a kernel update in the Software Updater, click on the packages and then you get the changelog in the bottom half of the window. There you can check if a patch for this CVE is included.

4 Likes

UPDATE:

I got an update today through the Software Updater. Besides kernel updates, there came an update for kmod/libkmod, which is related to this security vulnerability. So, to say it clearly, no kernel patch is coming.

The update does what the explorer of the security issue already delivered: it disables the problematic module. Once updated, you can check in the directory /etc/modprobe.d/ that there is a file called disable-algif_aead.conf

Here are some pictures to show it:

6 Likes
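One way to verify the mitigation described in the post above, as an added example that is not part of the original thread or of Ubuntu's tooling. The function names and status strings are hypothetical; the script looks for either modprobe directive kind because the thread does not show the contents of disable-algif_aead.conf.

```shell
#!/bin/sh
# Added example: report whether the algif_aead module-disable mitigation is in effect.
# modprobe treats '-' and '_' in module names as the same character.
MODULE_RE='algif[_-]aead'

# Print the strongest modprobe.d directive found in the given directories:
#   install   - loading is replaced by a command (e.g. /bin/false)
#   blacklist - only the module's aliases are ignored (stops alias autoload)
#   none      - no directive for this module
# The body is a subshell, so its variables stay private to the function.
modprobe_directive() (
    result="none"
    for dir in "$@"; do
        for file in "$dir"/*.conf; do
            [ -f "$file" ] || continue
            if grep -Eq "^[[:space:]]*install[[:space:]]+${MODULE_RE}[[:space:]]" "$file"; then
                result="install"
            elif [ "$result" = "none" ] &&
                 grep -Eq "^[[:space:]]*blacklist[[:space:]]+${MODULE_RE}[[:space:]]*\$" "$file"; then
                result="blacklist"
            fi
        done
    done
    echo "$result"
)

# Succeed if the module is listed in a /proc/modules-format file.
module_loaded() {
    grep -q '^algif_aead ' "${1:-/proc/modules}"
}

# Usage: mitigation_status <modules-file> <modprobe.d dir>...
mitigation_status() (
    modules_file="$1"; shift
    directive="$(modprobe_directive "$@")"
    if module_loaded "$modules_file"; then
        # A config file does not remove a module that is already in memory.
        echo "LOADED (directive: $directive; stays loaded until unloaded or reboot)"
    elif [ "$directive" = "none" ]; then
        echo "NOT MITIGATED (no modprobe directive found)"
    else
        echo "MITIGATED ($directive directive present, module not loaded)"
    fi
)

# Check the live system using the standard modprobe.d search paths.
mitigation_status /proc/modules /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d
```

The check only covers the module-disable workaround; it says nothing about whether the running kernel itself carries the fix.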

Ars Technica used some explosive headlines which got a forum member emailing me. As with other vulnerabilities that get reported, the devil is in the detail. Are you offering B&B to a hacker in your home allowing them to use your machine and inject the code? From what I read, this needs someone to have local access to your machine, not a remote attack. Where I can see it as a possible issue is for Sys Admins running an Ubuntu network with many nodes where a user could escalate their standard user status to one of administrator and potentially cause other network damage once they achieved that status.

2 Likes

Only to add that: Brodie Robertson made a video about this:

1 Like

As a "non-tech" who fled MS Windows and picked the Zorin distro, I have tried running the Software Updater Zorin program several times to get anything relevant to this Copy Fail fix that is available. However, the updater program fails every time, telling me to check my Internet connection (which is fine). Is this happening because of the Copy Fail vulnerability or is it happening because whatever sources Zorin uses are just flooded with traffic now? Or?

1 Like

I think it is because of the problems with the Ubuntu servers and high demand.

1 Like

At the moment there is a server issue:

2 Likes

I'm not familiar with this particular guy, but it's a good example of why I try not to get my news from people who make faces into a camera on their thumbnail. "Every Linux?" When Ars broke the story, there were already security updates for 6.19, 6.18, 6.12, 6.6, 6.1, 5.15, and 5.10. 7.0 released two and a half weeks ago with no need for an update because this was already fixed. Fedora, Arch, and derivatives that update their kernels when their parent does were fine at the time that video went up.

I'm not suggesting CopyFail isn't serious and it's certainly widespread. For the broader, non-home user Linux community it's a MASSIVE issue. Distributions should update to mitigate it quickly, and home users comfortable with updating their own kernel should probably consider it. I acknowledge that the vast majority of distributions had not mitigated the issue yet. But MAN I hate blatant falsehood posted as hyperbole. (Edit: For clarity, I'm not rebuking you, Ponce de Leon; it's the YouTuber I'm venting about.)

For most home users this is almost certainly true, but it doesn't require physical access if someone has a means by which to get a script on a machine and execute it, and it'll break boundaries, so while I'd like to think most Linux users are savvy enough not to run something they were just sent, social engineering tricks may apply.

5 Likes

I would take the thumbnail too seriously. He makes, in my opinion, good videos. He explains stuff well with a bit of humor.

1 Like

And that's why you won't find me on any Social Media or use any Social Media Comms like WhatsApp and Instagram. :winking_face_with_tongue:

I think where home users might be concerned is with Cloud Storage. MS was quick to point out about potential issues with other cloud providers and not Azure, but interestingly on Ubuntu status it states that Azure components are now operational.

I have posed this issue to my Cloud Provider, murena, and at time of writing this I have not checked to see if there is a response. They use Nextcloud software. I suspect they use Linux servers as their founder is Gaël Duval creator of Mandrake Linux.

:joy: Whenever I see such type thumbnails on videos, I ignore the video.

I'm not sure if this info was released here on the Zorin forums but the rating is:

The vulnerability has a CVSS 3.1 score of 7.8, corresponding to a severity of HIGH.

Thanks for the insights @swarfendor437 . Just like @Texas22Step I recently fled windows for Zorin and was a bit afraid of this.

I can also confirm that the software updater is very unreliable right now. Not only does loading take a lot of time, but checking & un-checking does make the application hang.

Reading that it's not that big of an attack vector for home users is a relief :slight_smile:

If you look at the full description it states "LOCAL". Not including all the details paints a different picture.

As someone else has pointed out be wary of Social media and clicking on things you shouldn't or open dubious links in e-mails or attachments.

Where there could be a risk is Cloud Storage.

4 Likes

Here is some information about the kmod package from Ubuntu:

https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available

1 Like

Is there a test script that we can run to check whether or not our system is affected by CopyFail?

There is also another, even more serious vulnerability called DirtyFrag. Is there a test script to test if we are currently vulnerable to that as well?

You can walk along:

  1. install pro-client if not done: sudo apt install ubuntu-pro-client
  2. copy fail check: sudo pro fix CVE-2026-31431
  3. pack2theroot check: sudo pro fix CVE-2026-41651
  4. dirtyfrag check: sudo pro fix CVE-2026-43500 and sudo pro fix CVE-2026-43284

To run the check you need a connection to the web. If your connection fails, try to establish a VPN to the UK. This is doing fine for all kernel versions and Zorin 17.3 as well.

EDIT
Just for clarification... The above workaround can be used without going for a Pro subscription; the machine you are checking does not have to be attached to an Ubuntu Pro subscription.

Have you looked at this thread: Vulnerability ''Dirty Frag'' Workaround Info

So I am confused by this advice about ubuntu-pro-client.

First of all, I am able to install ubuntu-pro-client from the command line. However, I am not able to see it in the software center. Why am I unable to see details about this program in the Software center, and what am I doing wrong?

Second, when I run pro fix CVE-2026-31431, I get the following output.

~$ pro fix CVE-2026-31431
CVE-2026-31431: kmod update
 - https://ubuntu.com/security/CVE-2026-31431

3 affected source packages are installed: linux, linux-hwe-6.14, linux-hwe-6.17
(1/3) linux-hwe-6.14:
Sorry, no fix is available.
(2/3, 3/3) linux, linux-hwe-6.17:
A fix is coming soon. Try again tomorrow.

3 packages are still affected: linux, linux-hwe-6.14, linux-hwe-6.17
✘ CVE-2026-31431 is not resolved.

So it says that there is no fix and that the CVE is not resolved. But I have already done the kmod updates to fix the issue. Why is it saying that the CVE is not resolved?

Third, when I run pro fix CVE-2026-43500, I get the following output.

~$ pro fix CVE-2026-43500
CVE-2026-43500: 
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true.  An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true.  This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO).  The OOM/trace handling already in place is reused.
 - https://ubuntu.com/security/CVE-2026-43500

3 affected source packages are installed: linux, linux-hwe-6.14, linux-hwe-6.17
(1/3) linux-hwe-6.14:
Sorry, no fix is available.
(2/3, 3/3) linux, linux-hwe-6.17:
Ubuntu security engineers are investigating this issue.

3 packages are still affected: linux, linux-hwe-6.14, linux-hwe-6.17
✘ CVE-2026-43500 is not resolved.

Here, I am confused. It says "In the Linux kernel, the following vulnerability has been resolved." But then it says that no fix is available for my packages. Has the vulnerability been patched, or has it not been patched?

Fourth, when I run pro fix CVE-2026-43284, I get the following output.

~$ pro fix CVE-2026-43284
CVE-2026-43284: 
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.
That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().
 - https://ubuntu.com/security/CVE-2026-43284

3 affected source packages are installed: linux, linux-hwe-6.14, linux-hwe-6.17
(1/3) linux-hwe-6.14:
Sorry, no fix is available.
(2/3, 3/3) linux, linux-hwe-6.17:
Ubuntu security engineers are investigating this issue.

3 packages are still affected: linux, linux-hwe-6.14, linux-hwe-6.17
✘ CVE-2026-43284 is not resolved.

Here, I am confused. It says "In the Linux kernel, the following vulnerability has been resolved." But then it says that no fix is available for my packages. Has the vulnerability been patched, or has it not been patched?

Fifth, when I upgrade my system with sudo apt upgrade, I get the following output

Get more security updates through Ubuntu Pro with 'esm-apps' enabled:
  vlc-plugin-qt libvlc5 libmagickcore-6.q16-7t64 libzvbi-common vlc-data
  libqt5xml5t64 libvlccore9 qt5-gtk-platformtheme vlc imagemagick
  libqt5sql5t64 libavcodec-extra vlc-bin libmagickcore-6.q16-7-extra
  libqt5test5t64 vlc-l10n libcjson1 libavdevice60 ffmpeg libopenexr-3-1-30
  libpostproc57 python3-wheel vlc-plugin-samba buildah libqt5gui5t64
  libmbedcrypto7t64 libgstreamer-plugins-bad1.0-0 libzvbi0t64
  libqt5printsupport5t64 libavcodec-extra60 vlc-plugin-notify
  libqt5concurrent5t64 libavutil58 libqt5widgets5t64 imagemagick-6.q16
  libswscale7 podman libcryptx-perl libqt5dbus5t64 vlc-plugin-access-extra
  libqt5network5t64 vlc-plugin-skins2 vlc-plugin-video-splitter
  gir1.2-gst-plugins-bad-1.0 python3-filelock libswresample4
  imagemagick-6-common vlc-plugin-video-output libqt5sql5-sqlite libbotan-2-19
  7zip libavformat60 libvlc-bin libqt5core5t64 vlc-plugin-base
  vlc-plugin-visualization libavfilter9 libmagickwand-6.q16-7t64
Learn more about Ubuntu Pro at https://ubuntu.com/pro

Here I am very confused. I thought that since I was on ZorinOS, based on Ubuntu LTS, that I would receive security updates for my packages. I thought Canonical was pushing out security updates for the packages they maintain onto their normal repositories. Instead, Canonical is pushing out security updates to a second repository that I have to sign up for and enable?

Am I not safe if I choose to not sign up for a free subscription to Ubuntu Pro and use the normal repositories instead? What specific security vulnerabilities do these packages have in the main repositories, and what exactly is fixed in the esm-apps repositories?

Are there actually security vulnerabilities in my current packages right now, or would this message display for me regardless of if my current packages are fully updated, to advertise that Ubuntu Pro has alternate repositories for these packages?

Honestly, this upsets me. I think I should switch to Debian or a Debian-based distribution. I presume that Debian pushes out their security updates to their repositories, right?

to zabadabadoo

Yes, I followed the instructions. Thank you.