Subject: PSA-2026-00018-1: "copy.fail" local privilege escalation via AF_ALG socket
Advisory date: 2026-04-30
Packages: proxmox-kernel-6.8, proxmox-kernel-6.14, proxmox-kernel-6.17
Details:
An issue published under the name "copy.fail" was found in the Linux kernel's handling of AF_ALG socket messages. An unprivileged local user could abuse this issue to write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root and potentially escape sandboxing mechanisms such as containers.
Mitigations:
Fixed kernel packages are available for the affected kernel series; see below for details.
To prevent exploitation of the issue prior to rebooting into a fixed kernel, disallowing loading of the affected module is recommended.
Check if the module is loaded:
# lsmod | grep algif_aead
If this command displays output and you are not aware of benign usage of AF_ALG sockets for AEAD, it is possible that an attacker already tried to exploit the issue on this system. The journal might contain information about when the af_alg module was loaded: "kernel: NET: Registered PF_ALG protocol family".
Disable loading of the module:
# echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# update-initramfs -u -k all
Remove any already loaded instance of the module:
# rmmod algif_aead
An updated pve-container package that uses seccomp filtering to prevent exploits from within containers is available. Containers started after the fixed pve-container version has been installed cannot access AF_ALG sockets anymore.
If you need AF_ALG support in a specific container, override the seccomp filter after rebooting into a fixed kernel by creating a custom seccomp filter file based on /var/lib/lxc/$vmid/rules.seccomp and configuring it via the lxc.seccomp.profile option. The container needs to be started once to generate the rules.seccomp file.
Not affected:
- proxmox-kernel-7.0.0-*-pve (PVE 9.x, PBS 4.x, PDM 1.x, PMG 9.x)
Fixed:
- proxmox-kernel-6.17.13-6-pve or later (PVE 9.x, PBS 4.x, PDM 1.x, PMG 9.x)
- proxmox-kernel-6.14.11-7-pve or later (PVE 9.x, PBS 4.x, PDM 1.x, PMG 9.x)
- proxmox-kernel-6.14.11-7-bpo12-pve or later (PVE 8.x, PBS 3.x, PMG 8.x)
- proxmox-kernel-6.8.12-22-pve or later (PVE 8.x, PBS 3.x, PMG 8.x)
- pve-container >= 6.1.5 (PVE 9.x)
- pve-container >= 5.3.5 (PVE 8.x)
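As an added example (not part of the Proxmox advisory), the following script checks a host against the module mitigation and the fixed kernel versions listed above. The function names are illustrative, and it assumes that `uname -r` reports the release in the same form as the package name suffixes in the list.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit a host against its mitigations.
# Minimum fixed versions are copied from the advisory's "Fixed" list.

# kernel_status RELEASE -> fixed | vulnerable | not-affected | unknown
kernel_status() {
    rel=${1%-pve}; rel=${rel%-bpo12}    # 6.14.11-7-bpo12-pve -> 6.14.11-7
    abi=${rel##*-}; up=${rel%-*}        # abi=7, up=6.14.11
    patch=${up##*.}; series=${up%.*}    # patch=11, series=6.14
    for n in "$patch" "$abi"; do        # non-Proxmox release strings end up here
        case "$n" in ''|*[!0-9]*) echo unknown; return ;; esac
    done
    if [ "$up" = 7.0.0 ]; then echo not-affected; return; fi
    case "$series" in
        6.17) min_patch=13 min_abi=6 ;;
        6.14) min_patch=11 min_abi=7 ;;
        6.8)  min_patch=12 min_abi=22 ;;
        *)    echo unknown; return ;;   # series not listed in the advisory
    esac
    if [ "$patch" -gt "$min_patch" ] ||
       { [ "$patch" -eq "$min_patch" ] && [ "$abi" -ge "$min_abi" ]; }; then
        echo fixed
    else
        echo vulnerable
    fi
}

# module_loaded [FILE]: true if algif_aead is listed (lsmod reads /proc/modules).
module_loaded() { grep -qs '^algif_aead ' "${1:-/proc/modules}"; }

# module_blocked [DIR]: true if an "install algif_aead /bin/false" rule exists.
# Only the directory the advisory writes to is checked by default.
module_blocked() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false' \
        "${1:-/etc/modprobe.d}"/*.conf
}

audit() {
    echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
    if module_loaded; then echo "algif_aead: loaded"; else echo "algif_aead: not loaded"; fi
    if module_blocked; then echo "modprobe rule: present"; else echo "modprobe rule: missing"; fi
}

audit
```

A result of "unknown" means the running kernel is not one of the series this advisory covers, not that it is safe.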
References:
- CVE-2026-31431
- https://copy.fail
- https://xint.io/blog/copy-fail-linux-distributions