April 30Apr 30 Hi all,Is Unraid safe?https://copy.fail/#copy-fail"Most Linux LPEs need a race window or a kernel-specific offset.Copy Fail is a straight-line logic flaw — it needs neither.The same 732-byte Python script roots every Linux distribution shipped since 2017."CVE-2026-31431Is there a patch?Seems ominous.Thanks!Francesco. Edited April 30Apr 30 by francescoragazzi
April 30Apr 30 From the website "Copy Fail requires only an unprivileged local user account"unRAID does not have unprivileged local user accounts. Edited April 30Apr 30 by primeval_god
April 30Apr 30 That answer is not convincing:There are reports that this also affects Dockers, so it seems HIGHLY relevant.I understand adding the below “somewhere” (not sure what file) may mititgate for the time being.Any practical advice appreciated:printf 'install algif_aead /bin/false\n' | sudo tee /etc/modprobe.d/disable-algif-aead.confsudo rmmod algif_aead 2>/dev/null || true
April 30Apr 30 25 minutes ago, daNick73 said:There are reports that this also affects DockersCan you post a link to that? This is not a docker escape issue, AFAIK.
April 30Apr 30 Examples below, happy to stand corrected if I missed what “containerized workload” means in this context Penligent Security Blog – AI-Driven Hacking Tutorials, Exploit PoCs & Cybersecurity ResearchCopy Fail CVE-2026-31431, A Linux Kernel Bug That Turns P...Copy Fail is CVE-2026-31431, a Linux kernel authencesn flaw that turns AF_ALG and splice into a page-cache write primitive. Learn the root cause, real risk, detection limits, and practical mitigationXintCopy Fail — 732 Bytes to RootCVE-2026-31431. 100% Reliable Linux LPE — no race, no per-distro offsets, page-cache write that bypasses on-disk file-integrity tools and crosses containers. Found by Xint Code.
April 30Apr 30 1 hour ago, daNick73 said:Examples below, happy to stand corrected if I missed what “containerized workload” means in this contextWhat matters is that an attacker would need to already be able to execute arbitrary code in your container. If that happens you already have major issues and they probably deleted all the data they could reach from the container without needing this. By using this if an attacker could also reach the host as an unpriviledged user they could become root - but since if you reach the host in unraid you're already root it basically doesn't change anything.
May 1May 1 11 hours ago, Kilrah said:What matters is that an attacker would need to already be able to execute arbitrary code in your container. If that happens you already have major issues and they probably deleted all the data they could reach from the container without needing this.By using this if an attacker could also reach the host as an unpriviledged user they could become root - but since if you reach the host in unraid you're already root it basically doesn't change anything.Can you elaborate?My understanding is that dockers are generally isolated, meaning a docker is not supposed to interact with the whole system or other dockers,except where permission is granted.So, in principle, I don’t have to trust the docker not to mess with other parts. Dockers stay in their sandbox.To me, that was part of the beauty of a docker.Are you saying, that independent of this issue, docker never provides any type of protection of this nature?Thx Edited May 1May 1 by daNick73
May 1May 1 4 hours ago, daNick73 said:Are you saying, that independent of this issue, docker never provides any type of protection of this nature?It not no protection, but its not nearly as secure as some would hope. Particularly in unRAID (which is not designed to be an enterprise container host) where many of the container hardening features like rootless containers, container secrets, seccomp profiles are unused, and many standard linux security features on the host (like non-root users) are also unused.
May 1May 1 5 hours ago, daNick73 said:Can you elaborate?My understanding is that dockers are generally isolated, meaning a docker is not supposed to interact with the whole system or other dockers,except where permission is granted.So, in principle, I don’t have to trust the docker not to mess with other parts. Dockers stay in their sandbox.I never said they would mess with other parts, but with what is intentionally accessible to the vulnerable container. Edited May 1May 1 by Kilrah
May 4May 4 Community Expert Solution Please see our post in our public CVE reports board here for updates on this: https://product.unraid.net/p/copy-fail-cve-2026-31431?b=cve-reports
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.