CopyFail Was Not Disclosed to Distros


TLDR

  • CVE-2026-31431 (CopyFail), a make-me-root Linux kernel LPE introduced in 4.14 (2017), was fixed in 6.18.22/6.19.12/7.0 but never disclosed to downstream distributions.

Key Takeaways

  • Vulnerability introduced with commit 72548b093ee3 in kernel 4.14; fixed in 6.18.22, 6.19.12, and 7.0 with three separate commits.
  • Longterm kernels 6.12, 6.6, 6.1, 5.15, and 5.10 remain unpatched; the fix does not backport cleanly because of API changes.
  • The Linux kernel security process does not require notifying the linux-distros mailing list, so distributions get no heads-up unless the reporter initiates it.
  • Gentoo’s Sam James attached a workaround patch that disables the authencesn module as a stopgap (the initcall_blacklist kernel parameter is an alternative that works at runtime).
  • All kernels since 2017 are affected; shared hosting and any deployment of an unpatched longterm kernel are exposed.

Hacker News Comment Review

  • Core dispute: whether the kernel security team or the vulnerability reporter bears responsibility for notifying downstream distributions; current policy places it on the reporter, which commenters argue assumes unrealistic familiarity with the ecosystem.
  • Practical gap: longterm stable kernels used by most distros have no fix and no clean backport path, leaving a wide attack surface open after public disclosure.
  • Workaround consensus: disabling the authencesn crypto module via the attached patch or initcall_blacklist kernel parameter is the immediate mitigation.
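A check a defender can run against the fix releases and the workaround summarised above, added here as an example and not taken from the post or the kernel project: it classifies a `uname -r` string against the fix releases the summary names (6.18.22, 6.19.12, 7.0; every other line, including all longterm kernels, counts as unpatched) and counts `authencesn(` instances in a /proc/crypto-style listing. The sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the post): classify a kernel version against the
# CopyFail fix releases and count authencesn instances in a /proc/crypto listing.
# ver_ge A B: returns 0 when dotted version A >= B (first three fields).
ver_ge() {
    a="$1.0.0"; b="$2.0.0"; i=1
    while [ "$i" -le 3 ]; do
        x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# copyfail_fixed VERSION: prints "fixed" or "unpatched". Fix releases per the
# summary: 6.18.22, 6.19.12, 7.0. Longterm lines (6.12, 6.6, ...) have no fix.
copyfail_fixed() {
    v=$(echo "$1" | sed 's/[^0-9.].*//')    # drop "-generic", "-rc1", etc.
    case "$(echo "$v.0" | cut -d. -f1,2)" in
        6.18) ver_ge "$v" 6.18.22 && echo fixed || echo unpatched ;;
        6.19) ver_ge "$v" 6.19.12 && echo fixed || echo unpatched ;;
        *)    ver_ge "$v" 7.0     && echo fixed || echo unpatched ;;
    esac
}

# authencesn_instances FILE: prints how many registered algorithms in a
# /proc/crypto-style listing are authencesn(...) template instances.
authencesn_instances() {
    grep -c '^name *: *authencesn(' "$1" || true    # grep -c exits 1 on zero hits
}

# Constructed sample listing (one authencesn instance, one unrelated cipher).
CRYPTO_SAMPLE=$(mktemp)
cat > "$CRYPTO_SAMPLE" <<'EOF'
name         : authencesn(hmac(sha256),cbc(aes))
driver       : authencesn(hmac(sha256-generic),cbc(aes-generic))
module       : authencesn
type         : aead

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
type         : skcipher
EOF
printf 'sample: %s authencesn instance(s)\n' "$(authencesn_instances "$CRYPTO_SAMPLE")"
if [ -r /proc/crypto ]; then
    printf 'running %s: %s, %s authencesn instance(s)\n' "$(uname -r)" \
        "$(copyfail_fixed "$(uname -r)")" "$(authencesn_instances /proc/crypto)"
fi
```

A count of zero only shows that no instance is registered right now, not that the module cannot still be loaded on demand, so confirm the blacklist or patch is actually in effect.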

Notable Comments

  • @semiquaver: argues placing distro-notification burden on reporters has no principled limit and is structurally broken for any large downstream ecosystem.
  • @uberduper: flags initcall_blacklist as a no-recompile runtime workaround.
