
Rocky Linux administrators need to apply two urgent security patches right away. The first addresses a git-lfs flaw in Rocky Linux 9, while the second tackles CopyFail, a severe kernel vulnerability that allows unprivileged users to escalate directly to root access. This memory-based exploit completely bypasses traditional file integrity monitoring tools and requires no special privileges to run. Refresh your package metadata, update all kernel packages, and restart your machines across supported releases to stay safe.

RLSA-2026:14200: Important: git-lfs security update
CopyFail (CVE-2026-31431): Patches Now Available for Rocky Linux




RLSA-2026:14200: Important: git-lfs security update


An update is available for git-lfs.
This update affects Rocky Linux 9.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.





CopyFail (CVE-2026-31431): Patches Now Available for Rocky Linux


TL;DR: A high-severity local privilege escalation vulnerability in the Linux kernel has been publicly disclosed with a working exploit. Patches are available now for Rocky Linux 8.10, 9.7, and 10.1. Update your kernel and reboot.
What happened
On April 29, security researchers from Theori disclosed a Linux kernel vulnerability they named CopyFail, tracked as CVE-2026-31431. The flaw has been present in essentially every mainstream Linux kernel built since 2017.
The bug sits in the kernel’s algif_aead module – the AEAD socket interface of the userspace crypto API (AF_ALG). A logic flaw in authencesn, chained through AF_ALG and the splice() system call, allows an unprivileged local user to perform a controlled 4-byte write into the page cache. By corrupting the in-memory copy of a setuid binary like /usr/bin/su – without touching anything on disk – an attacker can escalate to root in seconds.
What makes this one stand out: the 732-byte Python proof-of-concept requires no race conditions, no per-distribution tuning, and no special privileges. The same script works unmodified across distributions. File integrity tools won’t catch it because nothing on disk changes. This makes it especially dangerous on multi-tenant hosts, Kubernetes nodes, and CI/CD runners where a shared page cache means one compromised workload can threaten the whole node.
The researchers have published the exploit publicly. Treat this as actively exploitable.
How to fix it
Patches are available now for all supported Rocky Linux releases. Run the following and reboot:
    sudo dnf --refresh update 'kernel*'
    sudo reboot
That’s it. The --refresh flag ensures you pull the latest metadata without re-downloading packages you already have.
Patched kernel versions:

Rocky Linux 8.10: kernel-4.18.0-553.123.1.el8_10 and above
Rocky Linux 9.7: kernel-5.14.0-611.54.1.el9_7 and above
Rocky Linux 10.1: kernel-6.12.0-124.55.1.el10_1 and above

Confirm your running kernel after reboot with uname -r.
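To make that confirmation scriptable across many hosts, the following added example (not from Rocky Linux or the advisory) compares a uname -r string against the minimum patched builds listed above. The function names are illustrative, and it assumes GNU sort -V ordering is adequate for these version-release strings.

```bash
#!/bin/sh
# Added example (not from the advisory): classify a `uname -r` string against
# the minimum patched kernel builds listed above for CVE-2026-31431.

# Minimum fixed build per supported release, copied from the list above.
min_fixed_for() {
    case "$1" in
        *.el8_10) echo "4.18.0-553.123.1.el8_10" ;;
        *.el9_7)  echo "5.14.0-611.54.1.el9_7" ;;
        *.el10_1) echo "6.12.0-124.55.1.el10_1" ;;
        *) return 1 ;;   # release stream not covered by the list above
    esac
}

# Echo "patched", "vulnerable" or "unknown" for a kernel release string.
copyfail_status() {
    # Drop the trailing architecture so only version-release is compared.
    rel=$(printf '%s\n' "$1" | sed -E 's/\.(x86_64|aarch64|ppc64le|s390x)$//')
    min=$(min_fixed_for "$rel") || { echo "unknown"; return 0; }
    # sort -V orders version strings numerically per field; if the minimum
    # sorts first (or ties), the given kernel is at or above the fixed build.
    lowest=$(printf '%s\n%s\n' "$min" "$rel" | sort -V | head -n 1)
    if [ "$lowest" = "$min" ]; then echo "patched"; else echo "vulnerable"; fi
}

# Check the kernel that is actually running, not just what is installed.
running=$(uname -r)
echo "$running: $(copyfail_status "$running")"
```

A host that has installed the update but not yet rebooted still reports vulnerable, because the check reads the running kernel rather than the installed packages.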
A note on the algif_aead module
You may have seen advice elsewhere to disable algif_aead via rmmod or a modprobe.d entry as an interim workaround. On Rocky Linux, that approach does not apply – algif_aead is compiled directly into the kernel image (CONFIG_CRYPTO_USER_API_AEAD=y), not shipped as a loadable module. The correct fix is the kernel update above.
Thank you
Thanks to Brian Pak and the team at Xint Code (Theori) for finding this, handling coordinated disclosure responsibly, and publishing a thorough technical write-up. If you want to understand exactly how a single logic bug becomes a fully reliable privilege escalation, their write-up is worth your time.

