[CVE-2026-31431] IMPORTANT: upgrade your system package

Hi,

Yesterday an exploit was published which allows privilege escalation from a non-root user on every Linux installed since 2017. The exploit has been assigned the number CVE-2026-31431 and nicknamed Copy Fail.

A fix is now available for Debian 12 and 13, on which YunoHost 12 and (testing) 13 are based. We highly recommend upgrading your system packages ASAP, for example from the web admin. You should get an update for a linux-image-... package.

:warning: Raspberry Pi users, or probably users with hardware that requires a specific kernel build, check your provider’s usual software release channels for information about CVE-2026-31431.

After the upgrade you must reboot. If you don’t reboot, the old linux kernel could stay in use.

You should do it very quickly if:

  • you don’t trust your YunoHost users (especially with apps that allow users to run their own shells or scripts, like JupyterLab);
  • you run apps which regularly have security problems giving access to a standard user (e.g. some CMSes like WordPress, or apps whose upstream is unmaintained);
  • you have given SSH permission to a standard user, or you have set an easy password on some account (and forgot to change it :confused: ).

24 Likes

Hum, I don’t have any updates proposed…

Are these the upgrades?

  • dovecot-core dovecot-imapd dovecot-ldap dovecot-lmtpd dovecot-managesieved
  • dovecot-sieve

No, you should see an upgrade for linux-image-....
Can you check two things?

  1. the output of uname -a
  2. the contents of /etc/apt/sources.list, which should have a line with deb http://security.debian.org/ bookworm-security ...
2 Likes

Same for me, I don’t have any upgrade for now.

  • uname -v returns #1 SMP PREEMPT Debian 1:6.12.47-1+rpt1~bookworm (2025-09-16)

  • and the contents of /etc/apt/sources.list

    deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
    deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
    deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
    # Uncomment deb-src lines below then 'apt-get update' to enable 'apt-get source'
    #deb-src http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
    #deb-src http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
    #deb-src http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
    
1 Like

Check if you have the unattended-upgrades package installed.

1 Like

Hello and thanks for the warning about copy fail.

Is the listing above in sources.list valid for all architectures? I am running on a Raspberry Pi, and it looks like this is managed by them and not directly by Debian, right?

$ cat sources.list
deb http://raspbian.raspberrypi.org/raspbian/ bookworm main contrib non-free non-free-firmware rpi
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://raspbian.raspberrypi.org/raspbian/ bookworm main contrib non-free non-free-firmware rpi

and also

$ ls sources.list.d/
extra_php_version.list  raspi.list  yarn.list  yunohost.list
$ cat sources.list.d/raspi.list 
deb http://archive.raspberrypi.org/debian/ bookworm main
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://archive.raspberrypi.org/debian/ bookworm main

So I am wondering if this needs to be updated on the R-Pi foundation first …

Thanks for your help !

Vincent

PS: version info

$ sudo yunohost --version
yunohost:
  repo: stable
  version: 12.1.39
yunohost-admin:
  repo: stable
  version: 12.1.14
yunohost-portal:
  repo: stable
  version: 12.1.2
moulinette:
  repo: stable
  version: 12.1.3
ssowat:
  repo: stable
  version: 12.1.1

Don’t see any update hint. I am on YunoHost 12.1.39 (stable). Also see no new release here: Releases · YunoHost/yunohost · GitHub

Hello all,

In the case of Raspberry Pi, the update hasn’t been released yet, but in the meantime you can follow the instructions provided here:

https://forums.raspberrypi.com/viewtopic.php?t=397946

    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
    rmmod algif_aead 2>/dev/null || true
4 Likes
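The checks asked for earlier in the thread (the kernel version from uname, the security suite in /etc/apt/sources.list, whether a reboot is still pending after the upgrade) and the module block above, gathered into one script; this is an added example, not code from the thread or from YunoHost. It assumes a Debian or Raspbian host with dpkg, dpkg-query, lsmod and uname, and relies on Debian kernels embedding their package version in uname -v, as the output quoted above shows.

```shell
#!/bin/sh
# Added example, not code from the thread or from YunoHost: automates the checks
# the replies above ask for. Functions take captured text as arguments so they
# can be exercised offline; "--live" applies them to the host (assumes Debian or
# Raspbian tooling: dpkg, dpkg-query, lsmod, uname).

# 0 if an active "deb" line (not "deb-src", which only fetches sources) points at
# the bookworm-security suite. $1: concatenated APT source-list contents.
has_security_suite() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*deb[[:space:]].*[[:space:]]bookworm-security([[:space:]]|$)'
}

# Debian kernels embed their package version in `uname -v`, e.g.
# "#1 SMP PREEMPT Debian 1:6.12.47-1+rpt1~bookworm (2025-09-16)". Prints it,
# or nothing for a kernel that was not built from a Debian package.
running_kernel_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p'
}

# 0 if version $1 is older than $2: dpkg semantics when dpkg exists, GNU sort -V
# ordering otherwise.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# 0 (reboot needed) if any installed linux-image package is newer than the running
# kernel. $1: running version; $2: "package version" lines as printed by dpkg-query.
kernel_reboot_pending() {
    [ -n "$1" ] || return 1          # unknown running version: cannot tell
    pending=1
    for v in $(printf '%s\n' "$2" | awk 'NF >= 2 { print $2 }'); do
        version_lt "$1" "$v" && pending=0
    done
    return $pending
}

# 0 if algif_aead is neither loaded ($1: lsmod output) nor loadable because a
# modprobe.d "install" override ($2: concatenated /etc/modprobe.d/*.conf) blocks it.
algif_aead_blocked() {
    ! printf '%s\n' "$1" | grep -Eq '^algif_aead[[:space:]]' &&
        printf '%s\n' "$2" | grep -Eq '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)'
}

if [ "${1:-}" = "--live" ]; then
    srcs=$(cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null)
    has_security_suite "$srcs" && echo "security suite: configured" || echo "security suite: MISSING"
    running=$(running_kernel_version "$(uname -v)")
    installed=$(dpkg-query -W -f '${Status} ${Package} ${Version}\n' 'linux-image-*' 2>/dev/null |
        awk '$3 == "installed" { print $4, $5 }')
    kernel_reboot_pending "$running" "$installed" && echo "kernel: newer package installed, reboot needed" \
        || echo "kernel: no installed package newer than running ${running:-unknown}"
    algif_aead_blocked "$(lsmod)" "$(cat /etc/modprobe.d/*.conf 2>/dev/null)" \
        && echo "algif_aead: blocked" || echo "algif_aead: loaded or loadable"
fi
```

The module block is only a stopgap for hosts whose kernel package is not out yet; once a linux-image update lands, the reboot check is the one that matters.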

First post updated with Raspberry Pi information. It looks like indeed the updated kernel is not released yet.


There was no need to change anything in YunoHost’s code. However, you should get a kernel update at some point.

Thanks! One question:

you should get a kernel update at some point

You mean via Yunohost Backend - correct?

No, from the Debian repositories, or Raspbian’s if you have a Raspberry Pi. The fix for that CVE does not come from YunoHost but from the Linux kernel developers. (But now that I read the first post again, I can understand where that confusion comes from; I’ll rephrase it.)

3 Likes

Hi! Thanks a lot! I had unattended upgrades activated and only needed to reboot. Thanks!

2 Likes

Ideally run these regularly:

apt-get update && apt-get upgrade -y

Also, make sure you have the security repo added to your /etc/apt/sources.list file.

deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware

There’s no need to ssh and do that, it can be done through the “update” section in webadmin, or using unattended upgrades.

Hi,

I have these updates this morning for my Pi 5. Do they patch the exploit?

linux-headers-rpi-2712 from 1:6.12.75-1+rpt1~bookworm to 1:6.12.87-1+rpt1~bookworm
linux-headers-rpi-v8 from 1:6.12.75-1+rpt1~bookworm to 1:6.12.87-1+rpt1~bookworm
linux-image-rpi-2712 from 1:6.12.75-1+rpt1~bookworm to 1:6.12.87-1+rpt1~bookworm
linux-image-rpi-v8 from 1:6.12.75-1+rpt1~bookworm to 1:6.12.87-1+rpt1~bookworm

libnghttp2-14 from 1.52.0-1+deb12u2 to 1.52.0-1+deb12u3
linux-libc-dev from 1:6.12.75-1+rpt1~bookworm to 1:6.12.87-1+rpt1~bookworm
raspi-firmware from 1:1.20250915-1~bookworm to 1:1.20260513-1~bookworm