Share
## https://sploitus.com/exploit?id=71E0F6C5-5DF9-5FC9-96BB-4F37959050D0
# CVE-2026-31431 Ansible Remediation

This playbook remediates CVE-2026-31431, also known as Copy Fail, on Linux instances in OCI.

CVE-2026-31431 is a local privilege escalation issue in the Linux kernel `algif_aead` implementation used by the AF_ALG userspace crypto API. This playbook applies the main remediation path: install an updated vendor kernel package and reboot the instance so it runs the fixed kernel.

References:

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31431
- Copy Fail disclosure: https://copy.fail/

## What the playbook does

The first play runs locally in OCI Cloud Shell or another machine with the OCI CLI configured. It resolves the hard-coded OCI instance OCIDs into reachable Ansible hosts by reading each instance, finding its primary VNIC, and selecting either the private or public IP address based on `prefer_public_ip`.

The second play patches the resolved Linux hosts in parallel, subject to Ansible's configured `forks` limit:

- Confirms the target is Linux.
- Captures the currently running kernel with `uname -r`.
- Installs updated kernel packages using the target distribution's package manager:
  - Oracle Linux, RHEL, Fedora, Amazon Linux: `dnf` or `yum` update for `kernel*` and `kernel-uek*`.
  - Ubuntu and Debian: `apt-get --only-upgrade` for installed Linux kernel packages.
  - SUSE: `zypper patch --category security`.
- Reboots the host so it actually runs the updated kernel.
- Captures the post-reboot kernel.
- Verifies the running kernel maps to an installed kernel package.
- Fails the run if distro package tools still report pending kernel updates.
- Checks CVE-specific repository advisory or patch metadata where the distro exposes it.
- Collects CVE evidence from installed kernel package changelogs where available.
- Prints installed kernel package information for RPM, Debian-family, and SUSE systems.
- Prints one total end-of-run summary across all targets.
- Fails the playbook after printing the total summary if any host did not pass verification.

## Verification

After reboot, the playbook uses the target distribution's package and repository tools to validate the remediation:

- RPM systems: maps the running kernel with `rpm`, checks pending kernel updates with `dnf check-update` or `yum check-update`, checks CVE advisory metadata with `updateinfo`, and searches the installed kernel package changelog.
- Ubuntu and Debian: maps the running kernel with `dpkg-query`, checks pending kernel updates with an `apt-get` simulation, and searches the installed kernel package changelog.
- SUSE: maps the running kernel with `rpm`, checks pending kernel updates with `zypper list-updates`, checks CVE patch metadata with `zypper list-patches --cve`, and searches the installed kernel package changelog.

The hard pass/fail checks are that the host is running a package-managed kernel after reboot and that no kernel package updates remain pending from the configured repositories. CVE-specific advisory and changelog output is collected when the distro publishes that metadata.

At the end of the run, a localhost summary play reports:

- total targets processed
- number of hosts that passed the CVE check
- number of hosts that failed or had incomplete verification
- previous kernel
- installed/running kernel after reboot
- package that owns the running kernel
- package-managed kernel check result
- pending kernel update check result
- CVE advisory or patch metadata check result

The default output is a compact per-host summary. To also print the full raw verification data, add:

```bash
-e show_detailed_cve_evidence=true
```

## Run

```bash
ansible-playbook -i localhost, patch_cve_2026_31431.yml \
  -e oci_region=us-ashburn-1 \
  -e ansible_user=opc \
  -e ansible_ssh_private_key_file=/path/to/private_key \
  -e prefer_public_ip=false
```

Use `prefer_public_ip=true` when Cloud Shell or your Ansible control host must reach the instances through public IP addresses. Use `prefer_public_ip=false` when the control host has private network reachability.

The playbook disables strict SSH host key checking for the dynamically discovered targets so it can run non-interactively against newly resolved instance IPs.

## Expected result

A successful run should end with `CVE-2026-31431 verification passed for all targets.` The total summary prints one line per field, grouped under `Host: ...`, including the previous kernel, installed kernel after reboot, running kernel package such as `kernel-uek-core-...`, and `CVE check: PASS`. If verification fails because kernel updates are still available, confirm the host can reach the correct vendor security repositories and rerun the playbook.