
Input "Copy Fail" vulnerability: Update your kernel! Do not trust other solutions!

Bitpalast

Regarding the latest disastrous Linux vulnerability, CVE-2026-31431, multiple sources recommend mitigating the issue by disabling the algif_aead module, e.g. by running
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf && rmmod algif_aead 2>/dev/null
Even the renowned Heise publishing company is missing an important point in „Copy Fail“: Linux-root in allen großen Distributionen mit 732 Byte Python

In many distributions, algif_aead is not a module, but built into your kernel. This makes the above command useless. For example, all Hetzner Linux images have it built in, but so do images by many other vendors. To test whether the module is available from the kernel, run
grep CONFIG_CRYPTO_USER_API_AEAD /boot/config-$(uname -r)
If the result ends with "=y", algif_aead is built-in.

You absolutely must update your Linux kernel to the latest version to mitigate the issue. It is not sufficient to disable the "module", because on many systems it's actually not a module, but built into the kernel. This also requires a reboot after updating. Do not choose the seemingly easier paths. They won't help.
 
That's correct, but in those cases, you can disable it at startup:
grubby --update-kernel=$(grubby --default-kernel) --args="initcall_blacklist=algif_aead_init"
After restarting, verify that it's disabled:
cat /proc/cmdline
And try running the exploit:
python3 -c 'import socket; s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0); s.bind(("aead","authencesn(hmac(sha256),cbc(aes))")); print("algif_aead successfully loaded, mitigation not effective")'
This completely mitigates the vulnerability. However, the best option is always to update the kernel.
 

New vulnerability (easy to fix through modprobe).

Only be sure that IPsec is not in use or installed in the system. Usually not in PLESK servers.
 

New vulnerability (easy to fix through modprobe).

Only be sure that IPsec is not in use or installed in the system. Usually not in PLESK servers.
Thanks a lot for bringing this up.
Nevertheless, I suggest opening a new topic for this and similar entries.
 
On my various Plesk servers, the module is only marked as loadable (=m). This should prevent anything "worse" from happening for now.
I was told by support at the provider where I have some cloud VPS's that if the module still exists on the server, even if not loaded, "an unprivileged user can execute code that will trigger the auto-loading." If you run: # modinfo algif_aead | head and see output like this, you're still at risk:
filename: /lib/modules/7.0.0-15-generic/kernel/crypto/algif_aead.ko.zst
description: AEAD kernel crypto API user space interface
author: Stephan Mueller <[email protected]>
license: GPL
srcversion: D42A6D068AA00FABF7D163E
depends: af_alg
intree: Y
name: algif_aead
retpoline: Y
vermagic: 7.0.0-15-generic SMP preempt mod_unload modversions
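
The checks discussed in this thread (built-in vs. loadable, the modprobe "install" rule, and the initcall_blacklist boot argument) combined into one shell function. This is an added example, not code from any poster; the function name and the state labels it prints are made up for illustration, and it only inspects the three locations named in the thread.

```shell
#!/bin/sh
# Added example: report how algif_aead is exposed on this system.
# Arguments default to the live system; pass other paths to inspect
# a mounted image or constructed test files:
#   $1 kernel config   $2 kernel command line file   $3 modprobe.d directory
algif_aead_state() {
    config=${1:-/boot/config-$(uname -r)}
    cmdline=${2:-/proc/cmdline}
    modprobe_dir=${3:-/etc/modprobe.d}

    [ -r "$config" ] || { echo unknown; return 0; }

    case $(grep '^CONFIG_CRYPTO_USER_API_AEAD=' "$config" | cut -d= -f2) in
    y)  # Built in: a modprobe rule or rmmod has no effect here, only the
        # boot argument (or a fixed kernel) changes anything.
        for arg in $(cat "$cmdline" 2>/dev/null); do
            case $arg in
            initcall_blacklist=*)
                # The value is a comma-separated list of init functions.
                case ",${arg#initcall_blacklist=}," in
                *,algif_aead_init,*)
                    echo builtin-initcall-blacklisted; return 0 ;;
                esac ;;
            esac
        done
        echo builtin-exposed ;;
    m)  # Loadable: an unloaded module can still be auto-loaded on demand,
        # so look for an "install algif_aead /bin/false" style override.
        if grep -Eqs \
            '^[[:space:]]*install[[:space:]]+algif[_-]aead[[:space:]]+/bin/(false|true)' \
            "$modprobe_dir"/*.conf; then
            echo module-load-blocked
        else
            echo module-autoloadable
        fi ;;
    *)  # Option not set in this kernel's config.
        echo not-compiled ;;
    esac
}
```

Calling `algif_aead_state` without arguments checks the running system; "builtin-exposed" and "module-autoloadable" are the two states the posts above warn about.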
 