Addressing copy.fail in SUSE Virtualization

Copy Fail (tracked as CVE-2026-31431) is a critical vulnerability in
the Linux kernel that allows a local non-root user to gain full root
access to the system.

It is considered extremely dangerous because it is a pure logic error
– unlike other known holes like Dirty Pipe or Dirty COW, it does not
require complex race conditions and works with 100% reliability via a
tiny script.

Affected Versions

  • All SUSE Virtualization Versions

Impact

An attacker can modify the cached memory contents of critical system
tools (such as /usr/bin/su) or configuration files (such as /etc/passwd)
directly in memory. This allows for the “injection” of malicious code
that runs with the highest privileges.

The vulnerability can be exploited stealthily. As the exploit shows,
the change occurs only in RAM (page cache); the file on disk remains
unchanged. Integrity checking tools (checksums) will not detect
anything, and after a reboot, any traces of a working exploit
disappear.

Workaround

To remediate, create /etc/modprobe.d/10-cvs-fix.conf with the following contents:

blacklist algif_aead
install algif_aead /bin/false

Users need to create the following CloudInit CRD to
blacklist the algif_aead kernel module across reboots.

apiVersion: node.harvesterhci.io/v1beta1
kind: CloudInit
metadata:
  name: copy-fail-workaround
spec:
  matchSelector:
    harvesterhci.io/managed: "true"
  filename: 99-copy-fail-workaround
  contents: |
    stages:
        initramfs:
        - name: "Blacklist modules"
          files:
            - path: "/etc/modprobe.d/10-cvs-fix.conf"
              content: |
                blacklist algif_aead
                install algif_aead /bin/false
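
A node-side check for the workaround above, as an added example (not SUSE's code): it reports whether the two modprobe.d directives from this page are present and whether algif_aead is still loaded, because a modprobe configuration only governs future load requests and does not unload a module already in memory. The function names and status words are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the algif_aead workaround on one node.
# Paths are parameters so the checks can also run against test fixtures.

# Return 0 if any *.conf under $1 contains an active (non-comment)
# line equal to the directive in $2..$n, ignoring extra whitespace.
has_directive() {
    dir=$1; shift
    want=$*
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Normalise: strip comments, collapse whitespace, trim both ends.
        if sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' \
               -e 's/^ //' -e 's/ $//' "$f" | grep -qxF "$want"; then
            return 0
        fi
    done
    return 1
}

# Return 0 if module $2 is listed in the /proc/modules-format file $1.
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# Print one status word for the node:
#   missing - the install override is absent (workaround not applied)
#   partial - install override present, blacklist line absent
#   loaded  - config in place, but the module is still in memory
#   ok      - config in place and the module is not loaded
workaround_status() {
    conf_dir=${1:-/etc/modprobe.d}
    proc_modules=${2:-/proc/modules}
    if ! has_directive "$conf_dir" install algif_aead /bin/false; then
        echo missing
    elif ! has_directive "$conf_dir" blacklist algif_aead; then
        echo partial
    elif module_loaded "$proc_modules" algif_aead; then
        echo loaded
    else
        echo ok
    fi
}

if [ "${1:-}" = "--check" ]; then
    workaround_status
fi
```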

Resolution

SUSE is currently preparing fixes for each of the affected kernel
versions. Updates will be made available shortly and published to
our customers.

CVE URL: SUSE CVE-2026-31431 page
