Hello everyone,
The critical Linux kernel vulnerabilities CVE-2026-31431 (“Copy Fail”) and “Dirty Frag” were disclosed on April 29, 2026, and May 7, 2026, respectively.
We have already applied mitigations for Copy Fail to servers provisioned using Cleavr.
If you would like to apply the mitigation manually on other servers, you can run the following commands:
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead 2>/dev/null || true
We have tested this mitigation across various services and have not observed any breaking changes.
Additionally, please ensure that Unattended Upgrades are enabled by navigating to Danger Zone > Upgrade Settings and setting the upgrade type to Security.
Dirty Frag Mitigation
For Dirty Frag, we initially planned to automate the mitigation across all Cleavr-provisioned servers. However, this vulnerability involves kernel modules used by IPsec VPN tunnels and AFS, so automatic mitigation could impact certain setups.
Please follow the steps below to safely apply the mitigation manually:
Check if the related modules are in use:
grep -E 'esp4|esp6|rxrpc' /proc/modules
lsof 2>/dev/null | grep -E 'esp4|esp6|rxrpc'
ip xfrm policy list
ip xfrm state list
ss -a | grep rxrpc
If all of the above commands return no output, you can safely run:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
Then reboot the server.
Please let us know if you encounter any issues or have any questions.
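
To confirm that both mitigations above are actually in effect on a server, here is an added audit script (not part of the original post and not Cleavr's own tooling). The function names, the status words, and the PROC_MODULES / MODPROBE_DIR overrides are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the Copy Fail / Dirty Frag module blocks from this post.
# PROC_MODULES and MODPROBE_DIR are hypothetical overrides so the checks can
# be pointed at test copies of these files instead of the live system.
PROC_MODULES="${PROC_MODULES:-/proc/modules}"
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
MODULES="algif_aead esp4 esp6 rxrpc"

# True if the module itself is loaded. Only the first field is compared, so a
# module that merely lists esp4 as a dependent does not count as esp4.
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$PROC_MODULES" 2>/dev/null
}

# True if a *.conf file has an uncommented "install <module> /bin/false" rule.
is_blocked() {
    cat "$MODPROBE_DIR"/*.conf 2>/dev/null |
        awk -v m="$1" '$1 == "install" && $2 == m && $3 == "/bin/false" { found = 1 }
                       END { exit !found }'
}

# Prints one status word for a module:
#   mitigated           rule present, module not loaded
#   blocked-but-loaded  rule present, module still loaded (rmmod failed or reboot pending)
#   exposed             no rule, module loaded
#   unblocked           no rule, module not loaded (can still be loaded on demand)
module_status() {
    if is_loaded "$1"; then
        if is_blocked "$1"; then echo "blocked-but-loaded"; else echo "exposed"; fi
    else
        if is_blocked "$1"; then echo "mitigated"; else echo "unblocked"; fi
    fi
}

# Prints a table for all four modules; returns non-zero unless all are mitigated.
audit() {
    rc=0
    for m in $MODULES; do
        s=$(module_status "$m")
        printf '%-12s %s\n' "$m" "$s"
        [ "$s" = "mitigated" ] || rc=1
    done
    return $rc
}

# Run the audit only when asked, e.g.: sh audit-modules.sh audit
case "${1:-}" in audit) audit ;; esac
```

On servers that really use IPsec or AFS, esp4, esp6, or rxrpc will legitimately show as exposed or unblocked, so read the result alongside the in-use checks listed in the post.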