[Security Advisory] CVE-2026-31431: Copy-fail vulnerability requires immediate mitigation on Nebius instances

A critical Linux vulnerability, CVE-2026-31431, publicly known as “Copy-Fail”, has been disclosed. It allows a local unprivileged user to escalate to root on affected systems.

The vulnerability is exploited through the algif_aead kernel module and requires no special privileges to trigger, making it broadly applicable across Linux environments, including cloud virtual machines and containerized workloads.

Nebius services, including compute instances, Managed Kubernetes, and Soperator clusters, may be affected depending on your configuration. We have already applied mitigations to our latest managed images, but customers running existing instances or self-managed configurations must take action.

Please follow the steps below for your environment.

Compute instances

Mitigation is already applied to the latest versions of Nebius Compute virtual machine images.

Please recreate your instances using the latest VM image to ensure protection.

For existing images and disks that cannot be recreated, the vulnerable module can be disabled directly by executing the following commands:

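# Run as root on the instance. The /host prefix is only valid inside the Kubernetes DaemonSet, which mounts the host's /etc/modprobe.d there.
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# Unload the module if it is currently loaded; ignore the error if it is not.
rmmod algif_aead 2>/dev/null || true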

Managed Kubernetes

For Nebius Managed Kubernetes clusters, recreate the nodes with the latest VM image. If you’re unable to recreate the nodes, implement the recommended solution provided below.

  1. Create copy-fail-mitigation.yaml with the following content:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: copy-fail-mitigation
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: copy-fail-mitigation
  template:
    metadata:
      labels:
        app: copy-fail-mitigation
    spec:
      hostPID: true
      tolerations:
        - operator: Exists
      initContainers:
        - name: mitigate
          image: cr.eu-north1.nebius.cloud/soperator/busybox:latest
          securityContext:
            privileged: true
          command:
            - /bin/sh
            - -ec
            - |
              echo "install algif_aead /bin/false" > /host/etc/modprobe.d/disable-algif.conf
              rmmod algif_aead 2>/dev/null || true
              echo "Mitigation applied"
          volumeMounts:
            - name: host-etc-modprobe
              mountPath: /host/etc/modprobe.d
      containers:
        - name: pause
          image: registry.k8s.io/pause:3.9
      volumes:
        - name: host-etc-modprobe
          hostPath:
            path: /etc/modprobe.d
            type: DirectoryOrCreate
  2. Apply the DaemonSet:
kubectl apply -f copy-fail-mitigation.yaml
  3. Verify the fix was applied:
kubectl -n kube-system rollout status ds/copy-fail-mitigation
kubectl -n kube-system logs ds/copy-fail-mitigation -c mitigate
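
The log check above has a blind spot: because of `rmmod ... || true`, the init container prints "Mitigation applied" even when the module could not be unloaded. As an added example (not part of the Nebius advisory), the shell check below confirms on an instance or node that the install rule is present and that algif_aead is no longer loaded; the function names, exit codes and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Nebius code): check that algif_aead is blocked AND unloaded.
# Paths are parameters so the check can run against constructed files.

# 0 if some *.conf in DIR ($1) holds an uncommented "install algif_aead /bin/false".
has_install_block() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false([[:space:]]|$)' "$f"; then
            return 0
        fi
    done
    return 1
}

# 0 if algif_aead appears as a module name in a /proc/modules-format file ($1).
module_loaded() {
    awk '$1 == "algif_aead" { found = 1 } END { exit !found }' "$1"
}

# Returns 0 = mitigated, 1 = install rule missing, 2 = module still loaded.
check_mitigation() {
    dir=${1:-/etc/modprobe.d}
    mods=${2:-/proc/modules}
    if module_loaded "$mods"; then
        echo "FAIL: algif_aead is still loaded"
        return 2
    fi
    if ! has_install_block "$dir"; then
        echo "FAIL: no 'install algif_aead /bin/false' rule in $dir"
        return 1
    fi
    echo "OK: algif_aead is not loaded and future loads are blocked"
    return 0
}

# Constructed sample: the rule was written, but the module is still resident.
demo() {
    tmp=$(mktemp -d)
    printf 'install algif_aead /bin/false\n' > "$tmp/disable-algif.conf"
    printf 'algif_aead 16384 1 - Live 0x0000000000000000\n' > "$tmp/modules"
    check_mitigation "$tmp" "$tmp/modules" || echo "check exit status: $?"
    rm -rf "$tmp"
}
demo
```

Called with no arguments, `check_mitigation` reads /etc/modprobe.d and /proc/modules on the host it runs on.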

Soperator clusters

Mitigation is already applied for Managed Soperator and Soperator Pro.

For self-service Soperator clusters, please follow the same instructions as for Managed Kubernetes (see above).

Container over VMs

To ensure the security of your Containers, please re-create them.

Serverless Endpoints and Jobs

To ensure the security of your Endpoints and Jobs, please restart them.
