## https://sploitus.com/exploit?id=71E0F6C5-5DF9-5FC9-96BB-4F37959050D0
# CVE-2026-31431 Ansible Remediation
This playbook remediates CVE-2026-31431, also known as Copy Fail, on Linux instances in OCI.
CVE-2026-31431 is a local privilege escalation issue in the Linux kernel `algif_aead` implementation used by the AF_ALG userspace crypto API. This playbook applies the main remediation path: install an updated vendor kernel package and reboot the instance so it runs the fixed kernel.
References:
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31431
- Copy Fail disclosure: https://copy.fail/
## What the playbook does
The first play runs locally in OCI Cloud Shell or another machine with the OCI CLI configured. It resolves the hard-coded OCI instance OCIDs into reachable Ansible hosts by reading each instance, finding its primary VNIC, and selecting either the private or public IP address based on `prefer_public_ip`.
The second play patches the resolved Linux hosts in parallel, subject to Ansible's configured `forks` limit:
- Confirms the target is Linux.
- Captures the currently running kernel with `uname -r`.
- Installs updated kernel packages using the target distribution's package manager:
- Oracle Linux, RHEL, Fedora, Amazon Linux: `dnf` or `yum` update for `kernel*` and `kernel-uek*`.
- Ubuntu and Debian: `apt-get --only-upgrade` for installed Linux kernel packages.
- SUSE: `zypper patch --category security`.
- Reboots the host so it actually runs the updated kernel.
- Captures the post-reboot kernel.
- Verifies the running kernel maps to an installed kernel package.
- Fails the run if distro package tools still report pending kernel updates.
- Checks CVE-specific repository advisory or patch metadata where the distro exposes it.
- Collects CVE evidence from installed kernel package changelogs where available.
- Prints installed kernel package information for RPM, Debian-family, and SUSE systems.
- Prints one total end-of-run summary across all targets.
- Fails the playbook after printing the total summary if any host did not pass verification.
## Verification
After reboot, the playbook uses the target distribution's package and repository tools to validate the remediation:
- RPM systems: maps the running kernel with `rpm`, checks pending kernel updates with `dnf check-update` or `yum check-update`, checks CVE advisory metadata with `updateinfo`, and searches the installed kernel package changelog.
- Ubuntu and Debian: maps the running kernel with `dpkg-query`, checks pending kernel updates with an `apt-get` simulation, and searches the installed kernel package changelog.
- SUSE: maps the running kernel with `rpm`, checks pending kernel updates with `zypper list-updates`, checks CVE patch metadata with `zypper list-patches --cve`, and searches the installed kernel package changelog.
The hard pass/fail checks are that the host is running a package-managed kernel after reboot and that no kernel package updates remain pending from the configured repositories. CVE-specific advisory and changelog output is collected when the distro publishes that metadata.
At the end of the run, a localhost summary play reports:
- total targets processed
- number of hosts that passed the CVE check
- number of hosts that failed or had incomplete verification
- previous kernel
- installed/running kernel after reboot
- package that owns the running kernel
- package-managed kernel check result
- pending kernel update check result
- CVE advisory or patch metadata check result
The default output is a compact per-host summary. To also print the full raw verification data, add:
```bash
-e show_detailed_cve_evidence=true
```
## Run
```bash
ansible-playbook -i localhost, patch_cve_2026_31431.yml \
-e oci_region=us-ashburn-1 \
-e ansible_user=opc \
-e ansible_ssh_private_key_file=/path/to/private_key \
-e prefer_public_ip=false
```
Use `prefer_public_ip=true` when Cloud Shell or your Ansible control host must reach the instances through public IP addresses. Use `prefer_public_ip=false` when the control host has private network reachability.
The playbook disables strict SSH host key checking for the dynamically discovered targets so it can run non-interactively against newly resolved instance IPs.
## Expected result
A successful run should end with `CVE-2026-31431 verification passed for all targets.` The total summary prints one line per field, grouped under `Host: ...`, including the previous kernel, installed kernel after reboot, running kernel package such as `kernel-uek-core-...`, and `CVE check: PASS`. If verification fails because kernel updates are still available, confirm the host can reach the correct vendor security repositories and rerun the playbook.