Two Critical Bugs Are Eating Self-Hosted Servers This Week — Patch Both Today
CopyFail (CVE-2026-31431) gives any local user root on every Linux distro shipped since 2017. A cPanel auth bypass (CVE-2026-41940) has been actively exploited since February. Here's what to patch, in what order, and why.
Omer YLD
Founder & Editor-in-Chief
Two unrelated bugs hit the self-hosting world in the same 48 hours, and both are already being exploited in the wild. CopyFail — tracked as CVE-2026-31431 — is a Linux kernel local privilege escalation that turns any unprivileged shell into root in seconds on essentially every mainstream distribution shipped since 2017. The other, CVE-2026-41940, is a remote authentication bypass in cPanel and WHM that's been quietly abused since late February. If you run a VPS, a homelab, or a hosted control panel, you have homework today.
What CopyFail actually does
CopyFail is a logic bug in the Linux kernel's AF_ALG userspace crypto interface — specifically the algif_aead template that implements authenticated encryption sockets. A 2017 optimisation introduced a path where an unprivileged process can trigger a deterministic, controlled four-byte write into the page cache of any file the kernel will let it read. That's enough to flip a setuid binary into something the attacker controls and walk straight to root.
Researchers at Theori's Xint disclosed the bug on 29 April 2026. Their technical write-up describes a working proof of concept — a 732-byte Python script — that reliably escalates from any local shell to UID 0 on stock kernels. Help Net Security classes the bug as "high-severity" — high but not critical, because the attacker needs local code execution first. That bar is lower than it sounds.
The vulnerability matters most in three places:
- Multi-tenant hosts — any VPS, shared CI runner, or Kubernetes node where untrusted code already runs as a non-root user. CopyFail collapses container-to-host and tenant-to-tenant boundaries.
- Web servers with shells — if an attacker pops a PHP RCE or a leaked SSH key, CopyFail upgrades that foothold to full root in under a minute.
- Developer laptops — if any third-party process on your machine is already pwned (a malicious npm postinstall, a CI agent, a sandboxed browser tab using AF_ALG), the same exploit gets root.
The mainline fix is commit a664bf3d603d, which simply reverts the 2017 optimisation. It landed on 1 April 2026 — well before public disclosure — but most distro stable kernels did not pick it up until last week.
What the cPanel bug does
cPanel is the control-panel software running on tens of millions of websites worldwide. CVE-2026-41940 is a remote authentication bypass: an unauthenticated attacker can reach the admin login screen and walk past it, gaining full WHM control over every site on the host. cPanel's own advisory says the bug "affects all supported versions of the software" and that customers should confirm they have received patches.
The patch shipped on 28 April 2026. The unsettling part is the timeline: TechCrunch's Zack Whittaker spoke with one hosting provider that found exploitation attempts in their logs dating to 23 February 2026 — more than two months before disclosure. If you ran an unpatched cPanel host any time this spring, you have to assume someone tried.
This one is more dangerous than CopyFail in absolute terms — it is remote, unauthenticated, and grants control of every customer site on the box. But fewer Technerdo readers run cPanel directly; if you do, this is your number-one priority.
Patch order for self-hosters
There is a right sequence here. Do this in order on any box you control today.
Step 01
If you run cPanel or WHM, update first. cPanel's upcp (Update cPanel) tool pulls the patch automatically on hosts that have nightly updates enabled — but check, do not assume. Run /scripts/upcp --force and confirm the build version against cPanel's CVE advisory. After patching, rotate every WHM admin password and audit access logs back to mid-February for unfamiliar logins.
Step 02
Patch your Linux kernel. Distro fixes are rolling out now. AlmaLinux published a Copy Fail patch ready for testing on 1 May; Ubuntu, Debian, Fedora, and SUSE backports all reference the same upstream commit. Run apt list --upgradable | grep linux-image (or the equivalent), install the new kernel, and reboot. Live-patching services like Ubuntu Livepatch and KernelCare can apply the CopyFail fix without a reboot — confirm the patch ID is present.
Step 03
Mitigate AF_ALG if you can't reboot immediately. Most servers don't actually need the userspace crypto socket interface. Block it with echo 'install algif_aead /bin/true' | sudo tee /etc/modprobe.d/disable-algif.conf and unload the module. This is a stopgap, not a fix — the real solution is the kernel update.
Step 04
Audit container hosts. Anywhere you run untrusted tenant workloads — a Kubernetes node, a CI runner, a multi-user dev box — assume CopyFail-shaped exploitation is happening if your kernel is unpatched. Check dmesg for unusual algif-related messages and look for setuid binaries with recent mtimes (find / -perm /4000 -newer /etc/shadow -type f 2>/dev/null).
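A check for whether the AF_ALG stopgap above has actually taken effect, as an added example that is not from the original article. The function name algif_status and its path parameters are illustrative; it relies only on the standard /proc/modules and modules.builtin files and the modprobe.d directory named in the step.

```bash
#!/usr/bin/env bash
# Added example (not from the article): is the algif_aead stopgap in effect?
# Paths are parameters so the logic can be run against constructed fixtures;
# with no arguments it inspects the live system.
#
# Prints one of:
#   builtin              algif_aead is compiled into the kernel, so a
#                        modprobe.d rule cannot keep it out
#   unblocked            no active "install algif_aead /bin/true" override
#   blocked-but-loaded   override present, module still resident (rmmod needed)
#   blocked-and-unloaded override present and module not loaded
algif_status() {
    local modules_file="${1:-/proc/modules}"
    local modprobe_dir="${2:-/etc/modprobe.d}"
    local builtin_file="${3:-/lib/modules/$(uname -r)/modules.builtin}"

    # modules.builtin lists objects linked into the kernel image itself.
    if [ -r "$builtin_file" ] && grep -q '/algif_aead\.ko' "$builtin_file"; then
        echo builtin
        return 0
    fi

    # Look for an uncommented install override; modprobe treats "-" and "_"
    # in module names as equivalent, so accept both spellings.
    if ! grep -Eqs \
        '^[[:space:]]*install[[:space:]]+algif[_-]aead[[:space:]]+/bin/(true|false)' \
        "$modprobe_dir"/*.conf; then
        echo unblocked
        return 0
    fi

    # The override only stops future loads; an already-loaded module stays.
    if grep -q '^algif_aead ' "$modules_file" 2>/dev/null; then
        echo blocked-but-loaded
        return 0
    fi
    echo blocked-and-unloaded
}

algif_status "$@"
```

Only the directory passed in (by default /etc/modprobe.d) is scanned, so an override placed in another modprobe configuration directory will be reported as unblocked.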
Why this matters for the self-host audience
The grim joke about self-hosting is that the people who do it are also the ones who don't get a security team's nightly patch run. A homelab Proxmox box, a $5 VPS running Bitwarden, a single-tenant Mastodon — they all live one CopyFail away from a hostile root if anything else on the host is compromised. We've made the case before that self-hosting is still worth it in 2026, but the cost is a 30-minute patching window every time a kernel CVE lands. This is one of those weeks.
The cPanel bug is a different shape of problem — it lands on the side of the industry that mostly isn't self-hosting. Shared hosts, reseller accounts, the long tail of small-business websites. If you've moved off cPanel deliberately (most Technerdo readers have), the lesson here is the second-order one: any site you depend on that runs cPanel is now in a worse place than it was last week.
What to watch next
Three things will tell us how bad this gets.
- CopyFail exploit packaging. A cross-platform C port is already on GitHub. Expect Metasploit and commodity rootkits to ship modules within days.
- cPanel fallout. Hosting providers are still pulling logs. If a major shared host announces breach data in the next two weeks, the exploitation window was wider than 23 February to 28 April.
- Distro coverage. Watch your specific distro's tracker. As of 1 May, Debian stable, RHEL 9, and Alma 9 patches are out; older long-term-support kernels are lagging.
For broader context on the shape of the threat landscape this year, our State of Cybersecurity 2026 piece holds up — supply-chain bugs and long-dwelling kernel CVEs were the headline. CopyFail is exactly that pattern.
If you patch one thing today, patch the box you forgot you owned.