Critical privilege escalation and denial-of-service vulnerabilities (CVE-2026-31431 / CVE-2026-43033) affect Debian 11 Bullseye. This guide provides detection commands, a fully automated fix script, and temporary mitigations. The fix is to update your kernel to 5.10.251-3.
This Linux kernel security update affects Debian 11 Bullseye users. Below, you’ll find detection commands, a fully automated fix script, and workarounds, all designed to remain useful for many months, regardless of when the original bulletin was published.
On May 2, 2026, Debian’s LTS team released DLA-4560-1 to patch two serious vulnerabilities affecting the Linux kernel in Debian 11 Bullseye. These flaws can lead to privilege escalation or denial of service (DoS) if left unaddressed.
If you run Debian 11 Bullseye with kernel 5.10.223-1 or 5.10.251-1, your system is vulnerable. The fixed version is 5.10.251-3. The good news: the fix requires only a standard package update, and the steps below will secure your system even if you’re reading this guide months after the bulletin was released.
How to Check If You Are Vulnerable (Debian/Ubuntu Commands)
1. Check your current kernel version
uname -r
If the output is older than 5.10.251-3, your system is likely vulnerable — especially if it matches 5.10.223-1 or 5.10.251-1, which are known vulnerable versions.
2. Verify the installed kernel package version
apt policy linux-image-amd64   # adjust arch if needed
# Or for a more detailed check:
dpkg -l | grep linux-image
3. Check if the vulnerable module (algif_aead) is loaded
This module is required for the CVE-2026-31431 exploit:
lsmod | grep algif_aead
If this command shows any output, the vulnerable module is loaded. Note: Even if the module is not loaded, the system may still be vulnerable if the kernel version is affected.
4. Use Debian’s security tracker (for detailed CVE lookup)
# Install debsecan if needed
sudo apt install debsecan
# Check for known vulnerabilities
debsecan --suite bullseye | grep -E "CVE-2026-31431|CVE-2026-43033"
Or visit the Debian Security Tracker page for each CVE:
- CVE-2026-31431 status – vulnerable versions: 5.10.223-1, 5.10.251-1; fixed in 5.10.251-3
- CVE-2026-43033 status – vulnerable until 5.10.251-3
If your kernel version matches a vulnerable entry, proceed immediately to the next section.
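Steps 1 to 3 combined into one script, as an added example that is not part of the original guide or of any Debian tool (all function names are hypothetical). On Debian, `uname -r` prints the kernel ABI name rather than the package version, so the script compares the package version embedded in `uname -v` against 5.10.251-3, and it matches `algif_aead` exactly in the first `lsmod` column.

```sh
#!/bin/sh
# Added example, not from the original guide. Version strings come from the
# guide; every function name here is hypothetical.
FIXED="5.10.251-3"
KNOWN_VULNERABLE="5.10.223-1 5.10.251-1"

# Pull the Debian package version out of `uname -v` text, e.g.
# "#1 SMP Debian 5.10.251-1 (date)" -> "5.10.251-1". Empty if not a Debian kernel.
running_pkg_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p'
}

# Succeeds if version $1 >= $2. Prefers dpkg; the sort -V fallback only
# approximates Debian version ordering.
ver_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Prints: fixed | known-vulnerable | older-than-fix | unknown
classify_kernel() {
    if [ -z "$1" ]; then echo unknown; return 0; fi
    if ver_ge "$1" "$FIXED"; then echo fixed; return 0; fi
    for k in $KNOWN_VULNERABLE; do
        if [ "$1" = "$k" ]; then echo known-vulnerable; return 0; fi
    done
    echo older-than-fix
}

# Exact match on the first lsmod column; a plain grep also matches the
# "Used by" column and longer module names.
module_loaded() {   # $1 = module name, $2 = lsmod output
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { f = 1 } END { exit !f }'
}

# Report on the live system.
kernel_report() {
    v=$(running_pkg_version "$(uname -v)")
    echo "running kernel package: ${v:-unknown} ($(classify_kernel "$v"))"
    if module_loaded algif_aead "$(lsmod 2>/dev/null || true)"; then
        echo "algif_aead: loaded"
    else
        echo "algif_aead: not loaded"
    fi
}
kernel_report
```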
Automation Script to Apply the Fix (Debian 11/Ubuntu 20.04+)
Save this script as fix-copyfail.sh and run it as root or with sudo. It automatically checks your distribution, updates the kernel, and reboots if needed. It places a small flag file to avoid infinite reboot loops.
#!/bin/bash
# fix-copyfail.sh - Secure Debian/Ubuntu kernel update for CVE-2026-31431 / CVE-2026-43033
# Works on Debian 11/12 and Ubuntu 20.04/22.04/24.04.
set -euo pipefail

LOGFILE="/var/log/kernel-update-fix.log"
FLAGFILE="/var/lib/kernel-update-fix.done"
FIXED_VERSION="5.10.251-3"   # fixed package version for Debian 11

log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOGFILE"
}

# Check if already fixed
if [ -f "$FLAGFILE" ]; then
    log "Kernel update already applied (flagfile exists). Exiting."
    exit 0
fi

log "Starting kernel security update for CVE-2026-31431 / CVE-2026-43033."

# Detect distribution. Ubuntu is tested first because /etc/debian_version
# also exists on Ubuntu and would otherwise always select the Debian branch.
if [ -f /etc/lsb-release ] && grep -qi ubuntu /etc/lsb-release; then
    log "Ubuntu system detected."
    apt-get update -y
    # Update all kernel packages
    apt-get install -y --only-upgrade linux-image-generic linux-headers-generic
elif [ -f /etc/debian_version ]; then
    log "Debian-based system detected."
    # Update package lists and upgrade kernel and related packages
    apt-get update -y
    apt-get install -y --only-upgrade linux-image-amd64 linux-headers-amd64
else
    log "Unsupported distribution. Exiting."
    exit 1
fi

# Check whether the running kernel is already the fixed build (>= 5.10.251-3 for Debian 11).
# uname -r prints the ABI name (for example 5.10.0-NN-amd64), not the package
# version, so the Debian package version is read from uname -v instead.
CURRENT_KERNEL=$(uname -r)
RUNNING_PKG=$(uname -v | sed -n 's/.*Debian \([^ ]*\).*/\1/p')
log "Current kernel: $CURRENT_KERNEL (package version: ${RUNNING_PKG:-unknown})"

# For Debian 11, we expect at least 5.10.251-3 as the fixed version
if [[ "$CURRENT_KERNEL" =~ ^5\.10\. ]] && [ -n "$RUNNING_PKG" ] \
   && dpkg --compare-versions "$RUNNING_PKG" ge "$FIXED_VERSION"; then
    log "Kernel version $RUNNING_PKG meets or exceeds the fixed version. No reboot required."
    touch "$FLAGFILE"
    exit 0
fi

# Reboot required
log "A reboot is required to load the new kernel."
touch "$FLAGFILE"
log "Rebooting in 10 seconds. Press Ctrl+C to cancel."
sleep 10
reboot
To use:
1. Save the script as fix-copyfail.sh.
2. Make it executable:
chmod +x fix-copyfail.sh
3. Run it with root privileges:
sudo ./fix-copyfail.sh
The script will automatically install the patched kernel and reboot if necessary.
⚠️ Note for headless/remote servers: If you cannot afford an automatic reboot, remove the reboot command at the end and manually reboot at a convenient time (sudo reboot). Unpatched systems are at serious risk of privilege escalation.
Raspberry Pi building laboratory: Using a Raspberry Pi as a testing sandbox for security updates is an excellent way to learn without risking production systems.
Whether you are using Raspberry Pi OS (which is based on Debian) or running Debian natively, the same commands apply. You can test this script safely on a dedicated Pi before deploying to production.
Alternative Mitigation If You Can’t Update Now
If you are unable to install the kernel update immediately, use one of these temporary workarounds. Note: These are not full fixes; they only reduce the attack surface.
Option 1: Blacklist the vulnerable module (prevents CVE-2026-31431)
The CVE-2026-31431 exploit requires the algif_aead module to be loaded. Blacklisting it stops the attack path without a full kernel update.
1. Create a blacklist file:
echo "blacklist algif_aead" | sudo tee /etc/modprobe.d/blacklist-algif_aead.conf
2. If the module is already loaded, unload it:
sudo modprobe -r algif_aead
3. Update initramfs to persist the change:
sudo update-initramfs -u
4. Reboot to ensure the module never loads again (or verify with lsmod | grep algif_aead that it is absent).
Verification: After rebooting, run lsmod | grep algif_aead. If no output appears, the module is blacklisted.
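A check of what Option 1 actually leaves in place, as an added example that is not part of the original guide (function names are hypothetical). In modprobe.d, a `blacklist` line only makes modprobe ignore the module's aliases, so a request by module name still loads it, whereas an `install algif_aead /bin/false` line makes every load attempt fail; the script reports which of the two the configuration contains.

```sh
#!/bin/sh
# Added example, not from the original guide; function names are hypothetical.

# Print how modprobe.d text ($2) treats module $1:
#   install-disabled  an "install <mod> /bin/false" (or /bin/true) override exists
#   blacklist-only    only a "blacklist <mod>" line exists
#   none              no directive for the module
# modprobe treats "-" and "_" in module names as equivalent, so both are normalised.
modprobe_policy() {
    printf '%s\n' "$2" | awk -v want="$1" '
        BEGIN { gsub(/-/, "_", want); state = "none" }
        { sub(/#.*/, "") }                       # drop comments
        NF < 2 { next }
        { name = $2; gsub(/-/, "_", name) }
        name != want { next }
        $1 == "blacklist" && state == "none" { state = "blacklist-only" }
        $1 == "install" && ($3 == "/bin/false" || $3 == "/bin/true") {
            state = "install-disabled"
        }
        END { print state }'
}

# Report on the live system: configured policy plus current load state.
# /sys/module/<name> exists while the module is loaded.
mitigation_report() {
    conf=$(cat /etc/modprobe.d/*.conf /lib/modprobe.d/*.conf 2>/dev/null || true)
    echo "modprobe policy for algif_aead: $(modprobe_policy algif_aead "$conf")"
    if [ -d /sys/module/algif_aead ]; then
        echo "algif_aead is currently loaded"
    else
        echo "algif_aead is not loaded"
    fi
}
mitigation_report
```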
Option 2: Restrict access to AF_ALG socket interface (advanced)
Create an AppArmor profile to restrict who can access /proc/crypto and the AF_ALG sockets. This is more granular but also more complex.
Option 3: Monitor for exploit attempts (detection only)
Use the community detection script cve_check_2026.sh to check if your system is vulnerable or has been exploited:
curl -fsSL https://raw.githubusercontent.com/sebinxavi/cve-checker-2026/main/cve_check_2026.sh | sudo bash
This script checks kernel version, module load state, and available patches. It does not modify your system.
⚠️ Important: These are temporary mitigations only. The only complete fix is updating the kernel to version 5.10.251-3 or later.
Conclusion & Call to Action
The CopyFail vulnerability (CVE-2026-31431) and the authencesn DoS issue (CVE-2026-43033) put many Debian 11 systems at risk. Fortunately, the fix is simple: update your kernel packages.
Act now to protect your system:
1. Run the detection commands to see if you are affected.
2. Apply the automated script or manually run sudo apt update && sudo apt upgrade.
3. Reboot to load the new kernel.
If you found this guide helpful, share it with your team – unpatched Linux servers are a prime target for attackers.
