For Linux kernel vulnerabilities, there is no heads-up to distributions
CVE-2026-31431 (CopyFail), a critical local privilege escalation vulnerability in the Linux kernel, has been identified and patched in recent kernel versions. The fix was not proactively communicated to Linux distributions, because there is no standard process for such notifications unless the reporter opts in. Older long-term kernel versions remain unpatched due to backporting challenges.
- CVE-2026-31431 is a severe local privilege escalation vulnerability in the Linux kernel introduced in version 4.14.
- The vulnerability was fixed in kernel versions 6.18.22, 6.19.12, and 7.0, but not yet backported to older long-term support versions.
- There is no automatic heads-up to Linux distributions about kernel vulnerabilities unless the reporter uses the linux-distros mailing list.
- A workaround patch was proposed to disable the 'authencesn' module to mitigate the issue.
- The vulnerability has existed since 2017, affecting nearly a decade of kernel releases.
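
The version facts above can be turned into a quick host triage. This is an added example, not code from the Openwall post or the kernel project; the function names `copyfail_status` and `authencesn_loaded` are hypothetical, and the check assumes upstream version numbering only.

```sh
#!/bin/sh
# Added example: classify a kernel release against the versions listed above.
# Assumption: upstream numbering only. A distribution kernel may carry a
# backported fix that its version string does not show.

# Prints: not-affected | fixed | vulnerable | unknown
copyfail_status() {
    rel=${1%%[!0-9.]*}                  # "6.18.22-generic" -> "6.18.22"
    case $rel in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    for n in "$major" "$minor" "${patch:=0}"; do
        case $n in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    # Introduced in 4.14, so anything older predates the bug.
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 14 ]; }; then
        echo not-affected
    # Fixed in 7.0 and in the 6.18.22 and 6.19.12 updates.
    elif [ "$major" -ge 7 ] ||
         { [ "$major" -eq 6 ] && [ "$minor" -eq 18 ] && [ "$patch" -ge 22 ]; } ||
         { [ "$major" -eq 6 ] && [ "$minor" -eq 19 ] && [ "$patch" -ge 12 ]; }; then
        echo fixed
    else
        # Every other release from 4.14 on, including older long-term branches.
        echo vulnerable
    fi
}

# Returns 0 if authencesn is listed in a /proc/modules-format file.
# A built-in (non-modular) authencesn is never listed there.
authencesn_loaded() {
    [ -r "${1:-/proc/modules}" ] && grep -q '^authencesn ' "${1:-/proc/modules}"
}

# Report for the running system.
echo "kernel $(uname -r): $(copyfail_status "$(uname -r)")"
if authencesn_loaded; then
    echo "authencesn: loaded as a module"
else
    echo "authencesn: not listed in /proc/modules"
fi
```

A `vulnerable` result on a distribution kernel is a prompt to check the vendor's advisory, not a confirmed finding.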
The full article is at Openwall.