Two global vulnerabilities of April 2026: "Copy Fail" in the Linux kernel and authentication bypass in cPanel/WHM

At the end of April 2026, two critical vulnerabilities surfaced almost simultaneously, affecting millions of servers worldwide. One is in the Linux kernel itself, the other in the popular cPanel/WHM hosting control panel. Both lead to root: the first needs local access, the second works remotely. Below: what happened, who is at risk, and how to protect yourself right now.

1. CVE-2026-31431 - "Copy Fail": 732 bytes to root on Linux

What is it?
A logic error in the Linux kernel crypto subsystem (crypto/algif_aead together with the authencesn template). It was introduced in 2017 by an in-place optimization of data processing. It lets an unprivileged local user write 4 attacker-controlled bytes into the page cache of any file on disk that the user can read.

Why is it dangerous?

  • Works on all major distributions (Ubuntu, Debian, RHEL, Amazon Linux, SUSE, Arch, etc.) with kernels from 2017 onward.
  • Needs no race condition, kernel-specific offsets or recompilation: the same PoC works everywhere.
  • The exploit is only 732 bytes of pure Python (standard library, no dependencies).
  • Lets the attacker overwrite a setuid-root binary in the page cache (for example /usr/bin/su, sudo or passwd) and get a root shell.
  • Works even from a Docker container: the page cache is shared with the host.

Who is under threat?
Multi-user servers, Kubernetes, GitHub Actions/GitLab CI, any shared hosting and jump hosts. On personal laptops, the risk is lower, but still present.

How to fix it?

Option A - best (patch):
Upgrade the kernel to a version containing commit a664bf3d603d (the revert of the dangerous 2017 optimization).
Most distributions have already rolled out updates.

Option B - temporary protection (works instantly):

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true

Check:

lsmod | grep algif

If the output is empty, the workaround is active. This does not break dm-crypt, LUKS, SSH, IPsec or ordinary crypto libraries: they use the in-kernel crypto API or user-space libraries, not the AF_ALG socket interface that algif_aead provides. Caveat: if algif_aead is built into the kernel rather than loadable as a module (it will not appear in lsmod, but it is still there), the modprobe rule cannot remove it and only the kernel update helps.


For containers, additionally block the creation of AF_ALG sockets with a seccomp profile.
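The host workaround and the container-side seccomp block from the two steps above, as one script. This is an added example, not code from the original article; the modprobe.d path is the one the article uses, while the profile file name, the ADMIN-style defaults and the use of CONFIG_CRYPTO_USER_API_AEAD as the Kconfig symbol for algif_aead are my assumptions. It also covers the built-in-module case that the page's lsmod check cannot detect.

```shell
#!/bin/sh
# Added example, not from the original article: apply the algif_aead
# workaround for CVE-2026-31431, report its state, and emit a Docker
# seccomp profile that denies AF_ALG sockets inside containers.
# Assumptions (ours, not from the page): MODPROBE_CONF is the same file the
# article uses; the profile file name is ours; AF_ALG is address family 38
# on Linux; CONFIG_CRYPTO_USER_API_AEAD is the Kconfig symbol for algif_aead.

MODPROBE_CONF="/etc/modprobe.d/disable-algif.conf"
SECCOMP_PROFILE="${SECCOMP_PROFILE:-./deny-af-alg.json}"

# aead_build_type: classify how algif_aead was built from kernel config text
# (/boot/config-$(uname -r)). A built-in (=y) cannot be blacklisted or
# removed with rmmod, so only the kernel update helps there.
aead_build_type() {
    case "$1" in
        *CONFIG_CRYPTO_USER_API_AEAD=y*) echo builtin ;;
        *CONFIG_CRYPTO_USER_API_AEAD=m*) echo module ;;
        *)                               echo absent ;;
    esac
}

# mitigation_status: "loaded" if algif_aead is still resident, "blocked" if
# it is unloaded and the install rule is in place, else "unconfigured".
# Args: lsmod output, modprobe.d config text.
mitigation_status() {
    if printf '%s\n' "$1" | grep -q '^algif_aead'; then
        echo loaded
    elif printf '%s\n' "$2" | grep -q '^install[[:space:]][[:space:]]*algif_aead[[:space:]][[:space:]]*/bin/false'; then
        echo blocked
    else
        echo unconfigured
    fi
}

# af_alg_seccomp_profile: Docker seccomp JSON that makes socket(AF_ALG, ...)
# fail with EPERM (errnoRet 1) on x86_64 and aarch64. defaultAction is ALLOW
# only to keep the example short; in production graft this rule into
# Docker's default profile instead.
af_alg_seccomp_profile() {
    cat <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "args": [ { "index": 0, "value": 38, "op": "SCMP_CMP_EQ" } ]
    }
  ]
}
EOF
}

# apply_host_mitigation: the article's two commands, then a status report.
apply_host_mitigation() {
    printf 'install algif_aead /bin/false\n' > "$MODPROBE_CONF"
    rmmod algif_aead 2>/dev/null || true
    mitigation_status "$(lsmod)" "$(cat "$MODPROBE_CONF")"
}

# Usage: sh copyfail-mitigate.sh apply   (as root). Without "apply" the
# functions are only defined, so the file can be sourced for checks.
if [ "${1:-}" = apply ]; then
    echo "algif_aead build type: $(aead_build_type "$(cat "/boot/config-$(uname -r)")")"
    echo "host mitigation: $(apply_host_mitigation)"
    af_alg_seccomp_profile > "$SECCOMP_PROFILE"
    echo "container profile written to $SECCOMP_PROFILE"
    echo "use: docker run --security-opt seccomp=$SECCOMP_PROFILE ..."
fi
```

The generated profile is consumed with `docker run --security-opt seccomp=deny-af-alg.json` and works unchanged as a Kubernetes Localhost seccomp profile. `errnoRet` needs Docker 20.10 or newer; on older versions drop the field and SCMP_ACT_ERRNO falls back to EPERM. The `aead_build_type` check matters because a kernel with CONFIG_CRYPTO_USER_API_AEAD=y passes the article's `lsmod | grep algif` test while still exposing the vulnerable code.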


Status on Debian Bookworm (as of April 30, 2026):
Kernels 6.1.164-1 and below are vulnerable. The patch is not yet in stable; track it here:
https://security-tracker.debian.org/tracker/CVE-2026-31431

2. CVE-2026-41940 - Critical Authentication Bypass in cPanel & WHM (CVSS 9.8)

What is it?
A flaw in the session load/save mechanism (the whostmgrsession cookie). It allows any remote attacker to log into WHM/cPanel as any user, including root, without a password.

Why is it dangerous?

  • Affects all supported cPanel/WHM versions after 11.40.
  • Already being actively exploited in the wild.
  • Gives full control over the server: creating accounts, reading and modifying every site, executing commands as root.
  • Works even if the panel's standard ports (2082-2087) are closed by a firewall: the panel is also reachable through the web server's virtual hosts (the /cpanel and /whm paths), so a port block alone is not enough.

Who is under threat?
Any server with cPanel/WHM installed (millions of shared-hosting sites worldwide).

How to fix it? (do right now)

  1. If you cannot update immediately, lock it down hard: close the cPanel/WHM ports in the firewall and add RewriteRule/ProxyPass rules so that requests to /whm and /cpanel on the virtual hosts are not passed to the panel.
  2. Check whether you have already been compromised: run the official detection script from the cPanel advisory (or check the logs for suspicious sessions).
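The emergency lockdown from step 1, as an added example that is not cPanel's own tooling: it blocks the panel ports for everyone but an admin network and, because the page says the port block alone can be bypassed through the virtual hosts, also restricts the /cpanel and /whm paths in Apache. ADMIN_CIDR, the EA4 include path, and the restart script name are my assumptions; verify them on your server before running with "apply".

```shell
#!/bin/sh
# Added example, not cPanel's own tooling: emergency lockdown for
# CVE-2026-41940 until /scripts/upcp --force has run. Two layers, because a
# port-level block alone is bypassed via the virtual-host paths:
#   1. firewall: drop TCP 2082-2087 except from ADMIN_CIDR
#   2. Apache: restrict the proxied /cpanel and /whm paths on every vhost
# Assumptions (ours, not from the page): ADMIN_CIDR; APACHE_INCLUDE as the
# EA4 global include file; apachectl on PATH; /scripts/restartsrv_httpd
# as the Apache restart script.

ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"   # RFC 5737 documentation range
APACHE_INCLUDE="/etc/apache2/conf.d/includes/pre_main_global.conf"

# firewall_rules: print iptables commands (one per line) rather than running
# them, so they can be reviewed or unit-tested. The ACCEPT is inserted at
# the top of INPUT so the admin network still reaches WHM; the DROP is
# appended after it and catches everyone else.
firewall_rules() {
    printf 'iptables -I INPUT -p tcp --dport 2082:2087 -s %s -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport 2082:2087 -j DROP\n'
}

# apache_block: Apache 2.4 directives for the /cpanel and /whm proxy paths.
# "Require ip" admits only the admin network and implicitly denies all else,
# so the vhost-path bypass is closed for everyone but the admin.
apache_block() {
    cat <<EOF
# CVE-2026-41940 emergency block: remove after /scripts/upcp --force
<LocationMatch "^/(cpanel|whm)(/|\$)">
    Require ip $1
</LocationMatch>
EOF
}

# apply_lockdown: run the firewall rules, install the include, and restart
# Apache only if the configuration still parses.
apply_lockdown() {
    firewall_rules "$ADMIN_CIDR" | sh -e
    apache_block "$ADMIN_CIDR" > "$APACHE_INCLUDE"
    apachectl -t && /scripts/restartsrv_httpd
}

# Usage: ADMIN_CIDR=198.51.100.0/24 sh cpanel-lockdown.sh apply   (as root)
# Without "apply" it only prints what it would do.
if [ "${1:-}" = apply ]; then
    apply_lockdown
else
    firewall_rules "$ADMIN_CIDR"
    apache_block "$ADMIN_CIDR"
fi
```

Run it once without arguments and read the output before applying; if you manage the firewall with CSF or firewalld, translate the two iptables lines into that tool's syntax instead of running them raw. This is a stopgap: the page is explicit that `/scripts/upcp --force` is the only reliable fix, so remove the include and the rules once the update has been applied.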

Check the current version:

/usr/local/cpanel/cpanel -V

Update (the only reliable fix):

/scripts/upcp --force

After the update, restart the cPanel service:

/scripts/restartsrv_cpsrvd

What should server owners do now?

  1. If you have a Linux server → apply the algif_aead workaround (even if you have already updated the kernel).
  2. If you have cPanel → run /scripts/upcp --force immediately.
  3. Check the logs for signs of exploitation in recent days.
  4. In the long term:
    • Minimize the number of users with shell access.
    • Use seccomp/AppArmor/SELinux in containers.
    • Keep your kernel and control panels up to date.

Together these two vulnerabilities form a classic kill chain: remote authentication bypass in the panel, then local root via the kernel. If you run a public server with cPanel and Docker/mailcow/nextcloud, update today.

Source: https://unitby.blog/dvie-ghlobalnyie-uiazvimosti-aprielia-2026-copy-fail-v-iadrie-linux-i-obkhod-autientifikatsii-v-cpanel-whm/