Security Linux Kernel Security Vulnerability Update CVE-2026-31431 Copy Fail & Dirty Frag

Discussion in 'Centmin Mod News' started by eva2000, May 8, 2026.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    58,893
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    10:12 AM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    Linux Kernel security vulnerabilities Copy Fail (CVE-2026-31431), Dirty Frag (CVE-2026-43284 & CVE-2026-43500), Fragnesia (CVE-2026-46300) and ssh-keysign-pwn (CVE-2026-46333) require all AlmaLinux/Rocky Linux and Linux server distributions released since 2017 to update their Linux Kernels and reboot their servers.

    These three Linux kernel bugs let any attacker who has already gained low-level access to your server - for example through a vulnerable WordPress plugin running as the nginx user - escalate themselves to full root control, turning what would have been a contained breach into a complete server takeover.

    CentOS 7 and older are not affected if using their native 3.10.x Linux Kernels, but may be affected if using newer non-distro default Linux kernels.

    Copy Fail
    Dirty Frag
    Fragnesia (CVE-2026-46300)
    ssh-keysign-pwn (CVE-2026-46333)

    Fixed Linux Kernels For Copy Fail & Dirty Frag



    Check your Linux kernel version using command
    Code (Text):
    uname -r


    Copy Fail vendor fixed-kernel baselines (2026-05-08):
    • AlmaLinux 8 is patched in kernel-4.18.0-553.123.2.el8_10 and above
    • AlmaLinux 9 is patched in kernel-5.14.0-611.54.3.el9_7 and above
    • AlmaLinux 10 is patched in kernel-6.12.0-124.55.2.el10_1 and above
    Update: If you are on even newer Linux Kernels than the ones listed above, you also have the fix for the Linux Kernel Dirty Frag vulnerability (CVE-2026-43284, CVE-2026-43500). The Dirty Frag vulnerability fix is ready for testing.

    Centmin Mod Users


    Centmin Mod 132.00stable, 140.00beta01 and 141.00beta01 branches have added a new cmsec security check framework to handle such CVEs, for this Copy Fail vulnerability as well as for future CVEs. The framework adds a detection routine (when DMOTD_CVECHECK='y' is enabled - default enabled for now) to tell users if they are vulnerable and whether they need to update their Linux Kernels via yum update and reboot the server. If in doubt, yum update + reboot will help.

    What is cmsec framework?
    The cmsec framework is a Centmin Mod specific Linux Kernel vulnerability detection and notification system to alert Centmin Mod users of security issues that require a Linux Kernel update + server reboot. Unlike normal YUM/DNF updates, these usually require end users to reboot their servers for Linux Kernel updates to take effect. If vulnerable, on SSH login you will see notifications (see example below) that give you a cmsec check command to run, which gives you more info on the Linux Kernel vulnerability and the mitigations and actions you need to take or be aware of.

    You'll see on initial SSH login new cmsec framework notifications like:
    Code (Text):
     * cmsec: running 5 kernel CVE check(s), please wait...
     * CVE-2026-31431 (almalinux kernel): PATCHED
     * CVE-2026-43284 (almalinux kernel): PATCHED
     * CVE-2026-43500 (almalinux kernel): NOT AFFECTED
     * CVE-2026-46300 (almalinux kernel): VULNERABLE — run "cmsec check cve-2026-46300" for details
     * CVE-2026-46333 (almalinux kernel): VULNERABLE — run "cmsec check cve-2026-46333" for details
    


    Centmin Mod 132.00stable, 140.00beta01 and 141.00beta01 branches have added detection for AlmaLinux 8, 9, 10 and similar systems, including for folks hosting on Linode with Linode's custom Linux Kernels. Linode has patched their latest 7.0.5+ Linux Kernel with the fix if you are using Linode.

    Update Centmin Mod via the command below first, and then run and exit the centmin.sh menu once to set up the cmsec command.
    Code (Text):
    cmupdate

    Code (Text):
    centmin


    Details

    A new security check framework, cmsec, has landed in all three Centmin Mod branches (141.00beta01, 140.00beta01, 132.00stable). When you enable it, every SSH login shows a single coloured line in the message-of-the-day banner telling you whether your running kernel is patched against known privilege-escalation CVEs.

    CVE-2026-31431 ("Copy Fail") - a Linux kernel local privilege escalation in the algif_aead crypto interface (CVSS 7.8). It affects AlmaLinux 8/9/10, Rocky 8/9/10, CloudLinux 7h/8/9/10, Oracle Linux 8/9/10, and Linode boot kernels. Stock CentOS 7 (3.10 kernel) is not affected by this specific CVE.

    Why this matters for LEMP servers
    A kernel LPE bug like this isn't remote code execution; an attacker has to be on the box already. But on a LEMP server, "already on the box" frequently means:
    • A vulnerable WordPress plugin gets exploited and runs PHP as the nginx or php-fpm user
    • A compromised supply-chain dep (npm/pip/composer) drops a payload running as the web user
    Without a kernel LPE, the attacker is stuck at "I can write files in /home/nginx/domains" - bad, but recoverable. With a kernel LPE, the attacker pivots from nginx user → root in a single step. Backdoored kernel modules, persistent rootkits, log tampering - game over.

    So the question "is my kernel patched?" is the difference between contained breach and full server takeover. cmsec puts that answer on your screen at every SSH login.


    Quick start
    cmsec is default-off - it ships dormant so you choose when to opt in. I may eventually enable this by default as not every Centmin Mod user visits this forum for news.

    Two ways to enable:

    Option A - via centmin.sh menu (141.00beta01 and 140.00beta01)
    Code (Text):
    centmin

    Pick option 7 (Persistent Config File Management) → option 24 to enable.
    Menu 7 itself is also default-off; if you've never used it, enable it once with echo "PERSISTENT_CONFIG_MENU='y'" >> /etc/centminmod/custom_config.inc first.

    Option B - manual flag (works on all branches including 132.00stable)
    Code (Text):
    echo "DMOTD_CVECHECK='y'" >> /etc/centminmod/custom_config.inc

    Open a fresh SSH session and you'll see a new line in the login banner like:
    Code (Text):
    CVE-2026-31431 (algif_aead LPE): PATCHED on AlmaLinux 9

    or in the bad case:
    Code (Text):
    CVE-2026-31431 (algif_aead LPE): VULNERABLE - run 'cmsec check cve-2026-31431' for details

    or
    Code (Text):
    CVE-2026-31431 (almalinux kernel): VULNERABLE - run "cmsec check cve-2026-31431" for details


    To disable it later, menu option 25 turns it off, or set DMOTD_CVECHECK='n'.

    After a reboot, the next SSH login will show:
    Code (Text):
    CVE-2026-31431 (almalinux kernel): PATCHED

    or, when fully fixed and patched, for example on AlmaLinux 10:
    Code (Text):
     * cmsec: running 5 kernel CVE check(s), please wait...
     * CVE-2026-31431 (almalinux kernel): PATCHED
     * CVE-2026-43284 (almalinux kernel): PATCHED
     * CVE-2026-43500 (almalinux kernel): NOT AFFECTED
     * CVE-2026-46300 (almalinux kernel): VULNERABLE — run "cmsec check cve-2026-46300" for details
     * CVE-2026-46333 (almalinux kernel): VULNERABLE — run "cmsec check cve-2026-46333" for details
    


    Using the cmsec command
    Beyond the SSH login banner, you can run cmsec directly any time:
    Code (Text):
    cmsec                              # run all enabled CVE checks, full output
    cmsec list                         # list available checks
    cmsec check cve-2026-31431         # run a specific check, full detail
    cmsec --json                       # machine-readable output for monitoring tools
    cmsec --no-cache                   # bypass the 24h cache, re-run live


    Code (Text):
    cmsec list
    
    Available cmsec checks:
     * cve-2026-31431
     * cve-2026-43284
     * cve-2026-43500
    
    Available cmsec probes:
     * cve-2026-31431 (requires --yes)
    

    Code (Text):
    cmsec --json
    {
      "cve": "CVE-2026-31431",
      "tool_version": "0.5-cmsec",
      "scanned_at": "2026-05-08T14:32:40Z",
      "final_status": "patched",
      "confidence": "high",
      "exit_code": 0,
      "os_id": "almalinux",
      "os_version": "10.1",
      "os_pretty": "AlmaLinux 10.1 (Heliotrope Lion)",
      "running_kernel": "6.12.0-124.55.1.el10_1",
      "running_kernel_full": "6.12.0-124.55.1.el10_1.x86_64",
      "kernel_rpm": "kernel-core-6.12.0-124.55.1.el10_1.x86_64",
      "vendor_baseline": "6.12.0-124.52.2.el10_1",
      "vendor_baseline_detected_for": "AlmaLinux 10",
      "comparison_result": "patched",
      "mitigation_active": false,
      "mitigation_in_grub": false,
      "algif_aead_state": "builtin",
      "linode_kernel": "",
      "linode_parsed_version": "",
      "livepatch_tool": "",
      "livepatch_cve_covered": "unknown",
      "container_detected": false,
      "chroot_detected": false,
      "uek_detected": false,
      "baseline_verified_date": "2026-05-08",
      "ioc_hits": "",
      "reasons": [],
      "recommended_actions": []
    }
    {
      "cve": "CVE-2026-43284",
      "cve_label": "xfrm-ESP LPE",
      "tool_version": "0.1-cmsec",
      "scanned_at": "2026-05-08T14:32:50Z",
      "final_status": "vulnerable",
      "confidence": "high",
      "exit_code": 1,
      "os_id": "almalinux",
      "os_version": "10.1",
      "os_pretty": "AlmaLinux 10.1 (Heliotrope Lion)",
      "running_kernel": "6.12.0-124.55.1.el10_1",
      "running_kernel_full": "6.12.0-124.55.1.el10_1.x86_64",
      "kernel_rpm": "kernel-core-6.12.0-124.55.1.el10_1.x86_64",
      "vendor_baseline": "6.12.0-124.55.3.el10_1",
      "vendor_baseline_detected_for": "AlmaLinux 10",
      "comparison_result": "vulnerable",
      "pending_vendor_nvr": false,
      "mitigation_active": false,
      "modprobe_blacklist_path": "",
      "esp4_state": "module-available",
      "esp6_state": "module-available",
      "rxrpc_state": "absent-or-unknown",
      "ipsec_host_detected": false,
      "ipsec_detection_reasons": "",
      "linode_kernel": "",
      "livepatch_tool": "",
      "livepatch_cve_covered": "unknown",
      "container_detected": false,
      "chroot_detected": false,
      "uek_detected": false,
      "baseline_verified_date": "2026-05-08",
      "reasons": [],
      "recommended_actions": ["Run: dnf clean metadata && dnf --refresh upgrade && reboot"]
    }
    {
      "cve": "CVE-2026-43500",
      "cve_label": "RxRPC LPE",
      "tool_version": "0.1-cmsec",
      "scanned_at": "2026-05-08T14:32:51Z",
      "final_status": "not_affected",
      "confidence": "high",
      "exit_code": 0,
      "os_id": "almalinux",
      "os_version": "10.1",
      "os_pretty": "AlmaLinux 10.1 (Heliotrope Lion)",
      "running_kernel": "6.12.0-124.55.1.el10_1",
      "running_kernel_full": "6.12.0-124.55.1.el10_1.x86_64",
      "kernel_rpm": "",
      "vendor_baseline": "",
      "vendor_baseline_detected_for": "",
      "comparison_result": "not_affected",
      "pending_vendor_nvr": false,
      "rxrpc_state": "absent",
      "rxrpc_package_path": "",
      "rxrpc_package_path_verified": false,
      "livepatch_tool": "",
      "livepatch_cve_covered": "unknown",
      "container_detected": false,
      "chroot_detected": false,
      "uek_detected": false,
      "baseline_verified_date": "2026-05-08",
      "reasons": ["rxrpc.ko not found on system; CVE requires kernel-modules-partner."],
      "recommended_actions": []
    }
    


    The first run of cmsec check on a system gives you the long-form report: kernel version detected, vendor baseline it was compared against, livepatch coverage status (KernelCare/kpatch), mitigation flags, and a recommended action if something's wrong.
    After that, results are cached for 24 hours and the SSH login banner uses the cached value. The cache automatically invalidates when:
    • The running kernel changes (you rebooted into a new kernel)
    • A KernelCare livepatch is applied
    • The kernel command line changes (e.g. you set a mitigation flag)
    • The check script itself is updated via cmupdate
    So you can't accidentally see a stale "patched" verdict after running an update - the next login always reflects the current state.

    What you'll see
    cmsec emits one of three verdicts per CVE:
    1. Green PATCHED / NOT_AFFECTED - nothing to do; your running kernel is not vulnerable
    2. Red VULNERABLE - update the kernel and reboot. Run cmsec check cve-2026-31431 for the exact action
    3. Yellow INDETERMINATE - the verdict can't be derived (custom kernel, missing tooling, container with no host visibility); investigate manually
    If you're on a Linode boot kernel and the verdict is vulnerable, cmsec specifically tells you to update via the Linode Cloud Manager (Configuration Profile → Kernel) - dnf upgrade alone won't help because Linode loads its own kernel independently of the distro-managed one.

    If you're inside a container or chroot, cmsec skips with a "skipped - host-kernel verdict not derivable" note. The host kernel isn't the container's responsibility, so this is expected.

    What's not in cmsec
    cmsec is detection only. It will never:
    • Auto-apply a kernel update
    • Auto-reboot
    • Run an exploit to "prove" vulnerability (the AF_ALG bind probe is a separate file, requires --yes and prints a SOC/EDR warning before running)
    • Phone home or upload anything
    The recommended action for every vulnerable verdict is shown in the long-form output - you decide when and how to update.

    Adding more CVEs in future
    The framework is built to be extended. When a new kernel CVE lands, a single new check script gets dropped into tools/cmm-security/checks/ and the next cmupdate distributes it. Existing servers pick up new checks without re-running the installer. cmsec auto-discovers checks by filename - no glue code, no version-bump dependencies.

    Existing baseline data inside the current check script has a BASELINE_VERIFIED_DATE and warns yellow if the baseline is older than 90 days - a reminder to run cmupdate periodically.

    TL;DR

    Code (Text):
    echo "DMOTD_CVECHECK='y'" >> /etc/centminmod/custom_config.inc

    or manually add to persistent config file /etc/centminmod/custom_config.inc
    Code (Text):
    DMOTD_CVECHECK='y'

    Log in over SSH via a new session. If the banner is green, you're good.

    If it's red, run:
    Code (Text):
    cmsec check cve-2026-31431

    Code (Text):
    cmsec check cve-2026-43284

    Code (Text):
    cmsec check cve-2026-43500

    …and follow the recommended action. That's it.
     
    Last edited: May 16, 2026
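The verdict logic described in the post above (running kernel compared against a vendor fixed-kernel baseline, INDETERMINATE for custom or provider kernels, a skip inside containers) can be shown in a few lines of Python. The block below is an added example and is not cmsec's own code. It reuses the AlmaLinux baselines quoted in this thread; the rule that a kernel whose release string does not end in an elN_M dist tag is treated as a custom build is this example's own assumption, as is the constructed Linode kernel name used for illustration. It applies RPM's version-ordering rules, so that a release such as 553.99.1 correctly sorts below 553.123.2 (a plain string comparison gets that backwards).

```python
"""Added example, not cmsec's own code: kernel-vs-baseline verdict using
RPM version ordering. Baselines below are the ones stated in this thread."""
import re

BASELINES = {
    # Copy Fail (CVE-2026-31431): vendor fixed-kernel baselines from the first post
    "cve-2026-31431": {
        ("almalinux", "8"): "4.18.0-553.123.2.el8_10",
        ("almalinux", "9"): "5.14.0-611.54.3.el9_7",
        ("almalinux", "10"): "6.12.0-124.55.2.el10_1",
    },
    # Dirty Frag xfrm-ESP (CVE-2026-43284): baseline shown in the AlmaLinux 10 check output
    "cve-2026-43284": {
        ("almalinux", "10"): "6.12.0-124.55.3.el10_1",
    },
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")
_ARCH = re.compile(r"\.(x86_64|aarch64|ppc64le|s390x)$")
_DIST_TAG = re.compile(r"\.el\d+_\d+$")   # assumption: distro update kernels end in .elN_M


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version strings like rpm's rpmvercmp(): -1, 0 or 1.
    Both strings are split into numeric and alphabetic segments; numeric
    segments compare as integers (so 99 < 123), alphabetic ones as text,
    and a numeric segment outranks an alphabetic one. Tilde/caret
    pre-release markers are not handled (EL kernel releases never use them)."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    # All shared segments are equal: the string with more segments is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def classify(cve: str, uname_r: str, os_id: str, os_version: str,
             in_container: bool = False) -> str:
    """Return a cmsec-style verdict for the running kernel `uname_r`."""
    if in_container:
        return "SKIPPED"            # host-kernel verdict not derivable from inside a container
    if "linode" in uname_r.lower():
        return "INDETERMINATE"      # provider-managed kernel: the distro baseline does not apply
    running = _ARCH.sub("", uname_r)
    if not _DIST_TAG.search(running):
        return "INDETERMINATE"      # custom / non-distro kernel (e.g. an ELRepo build)
    baseline = BASELINES.get(cve, {}).get((os_id, os_version.split(".")[0]))
    if baseline is None:
        return "INDETERMINATE"      # no verified baseline for this OS/CVE pair
    return "PATCHED" if rpmvercmp(running, baseline) >= 0 else "VULNERABLE"


if __name__ == "__main__":
    # Constructed kernel strings; the linode one is an illustrative name, not a real release.
    for kernel in ("6.12.0-124.43.1.el10_1.x86_64", "6.12.0-124.55.2.el10_1.x86_64",
                   "6.8.1-1.el9.elrepo.x86_64", "7.0.5-x86_64-linode-example"):
        print(kernel, classify("cve-2026-31431", kernel, "almalinux", "10.1"))
```

Running the block prints one verdict per constructed kernel string; the ELRepo-style and Linode-style names come out INDETERMINATE because no vendor baseline applies to them, which is exactly the case the thread says needs manual investigation.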
  2. eva2000

    Example output of a cmsec check for the Copy Fail vulnerability on a vulnerable AlmaLinux 10.x system.

    Code (Text):
    cmsec check cve-2026-31431
    
    == CVE ==
    CVE-2026-31431 / Copy Fail kernel local privilege escalation checker
    Tool version: 0.5-cmsec  Mode: read-only
    
    == Tool availability ==
    rpm: found
    dnf: found
    grubby: found
    modinfo: found
    python3: found
    systemd-detect-virt: found
    kcarectl: not found
    
    == OS ==
    NAME: AlmaLinux
    PRETTY_NAME: AlmaLinux 10.1 (Heliotrope Lion)
    ID: almalinux
    VERSION_ID: 10.1
    
    == Container / chroot detection ==
    No container marker detected.
    
    == Running kernel ==
    6.12.0-124.43.1.el10_1.x86_64
    
    This is the kernel your system is currently running.
    This is what determines whether your system is vulnerable or patched right now.
    Even if a newer, fixed kernel package is installed, it does not take effect until you reboot.
    
    == Installed kernels ==
    kernel-6.12.0-124.38.1.el10_1.x86_64
    kernel-6.12.0-124.40.1.el10_1.x86_64
    kernel-6.12.0-124.43.1.el10_1.x86_64
    kernel-core-6.12.0-124.38.1.el10_1.x86_64
    kernel-core-6.12.0-124.40.1.el10_1.x86_64
    kernel-core-6.12.0-124.43.1.el10_1.x86_64
    

    Code (Text):
    == Default boot kernel ==
    /boot/vmlinuz-6.12.0-124.43.1.el10_1.x86_64
    
    This is the kernel your system will use after the next reboot.
    If this differs from the running kernel above, a reboot is needed to switch to it.
    
    == Running kernel RPM mapping ==
    kernel-core-6.12.0-124.43.1.el10_1.x86_64 (matched via kernel-core package name)
    
    == CVE updateinfo ==
    ALSA-2026:A003  Important/Sec. kernel-6.12.0-124.52.2.el10_1.x86_64
    ALSA-2026:13566 Important/Sec. kernel-6.12.0-124.55.1.el10_1.x86_64
    ALSA-2026:A003  Important/Sec. kernel-core-6.12.0-124.52.2.el10_1.x86_64
    ALSA-2026:13566 Important/Sec. kernel-core-6.12.0-124.55.1.el10_1.x86_64
    ALSA-2026:A003  Important/Sec. kernel-devel-6.12.0-124.52.2.el10_1.x86_64
    ALSA-2026:13566 Important/Sec. kernel-devel-6.12.0-124.55.1.el10_1.x86_64
    ALSA-2026:A003  Important/Sec. kernel-headers-6.12.0-124.52.2.el10_1.x86_64
    ALSA-2026:13566 Important/Sec. kernel-headers-6.12.0-124.55.1.el10_1.x86_64
    ALSA-2026:A003  Important/Sec. kernel-modules-6.12.0-124.52.2.el10_1.x86_64
    ALSA-2026:13566 Important/Sec. kernel-modules-6.12.0-124.55.1.el10_1.x86_64
    ALSA-2026:A003  Important/Sec. kernel-modules-core-6.12.0-124.52.2.el10_1.x86_64
    ALSA-2026:13566 Important/Sec. kernel-modules-core-6.12.0-124.55.1.el10_1.x86_64
    ALSA-2026:A003  Important/Sec. kernel-modules-extra-6.12.0-124.52.2.el10_1.x86_64
    ALSA-2026:13566 Important/Sec. kernel-modules-extra-6.12.0-124.55.1.el10_1.x86_64
    ALSA-2026:A003  Important/Sec. kernel-modules-extra-matched-6.12.0-124.52.2.el10_1.x86_64
    ALSA-2026:13566 Important/Sec. kernel-modules-extra-matched-6.12.0-124.55.1.el10_1.x86_64
    ALSA-2026:A003  Important/Sec. kernel-tools-6.12.0-124.52.2.el10_1.x86_64
    ALSA-2026:13566 Important/Sec. kernel-tools-6.12.0-124.55.1.el10_1.x86_64
    ALSA-2026:A003  Important/Sec. kernel-tools-libs-6.12.0-124.52.2.el10_1.x86_64
    ALSA-2026:13566 Important/Sec. kernel-tools-libs-6.12.0-124.55.1.el10_1.x86_64
    
    The above lists available security updates that fix this CVE.
    If any are shown, your system has a fix available - install updates and reboot to apply.
    
    == Available kernel updates ==
    Kernel updates are available and ready to install.
    
    == Kernel changelog hints ==
    No matching changelog entries found in installed kernel-core package
    
    Note: not all vendors include CVE references in their changelogs.
    No match here does not mean the system is vulnerable - other checks above are more reliable.
    
    == algif_aead state ==
    Detected state: builtin
    algif_aead is built into the kernel (not a loadable module).
    This means it cannot be disabled via modprobe.d blacklisting.
    The only workaround is the initcall_blacklist boot parameter or a kernel update (see below).
    
    == Temporary mitigation status ==
    The temporary workaround (initcall_blacklist=algif_aead_init) is NOT active.
    If you cannot update the kernel immediately, see 'Suggested next actions' below to enable it.
    
    == Boot entries with temporary mitigation ==
    No boot entries have the temporary workaround configured.
    This means the workaround will not be active after a reboot.
    
    == Livepatch tooling status ==
    KernelCare kcarectl not found
    kpatch packages not detected
    
    If you use a livepatch service, check with your vendor that it covers CVE-2026-31431.
    The kernel version string alone does not confirm whether a livepatch has been applied.
    
    == AF_ALG AEAD bind probe ==
    Active probing has been moved to a separate file in the Centmin Mod cmsec edition.
    To test AF_ALG AEAD bind reachability (creates a real PoC-algorithm socket and may
    trigger SOC/EDR/auditd alarms): cmsec probe cve-2026-31431 --yes
    

    Code (Text):
    == Vendor running-kernel assessment ==
    Detected OS:     AlmaLinux 10.1 (Heliotrope Lion)
    Vendor branch:   AlmaLinux 10
    Running kernel:  6.12.0-124.43.1.el10_1
    Fixed baseline:  6.12.0-124.52.2.el10_1
    
    RESULT: Your running kernel is OLDER than the fixed version for AlmaLinux 10.
    Your system appears VULNERABLE to CVE-2026-31431. Update and reboot as soon as possible.
    
    == Linode/Akamai Cloud kernel assessment ==
    No Linode-provided kernel marker detected in uname -r.
    
    == Provider/custom kernel warning ==
    No obvious provider/custom kernel marker detected in uname -r.
    

    Code (Text):
    == Suggested next actions ==
    1. UPDATE AND REBOOT (recommended fix):
       Install all available updates and restart the system:
        dnf clean metadata
        dnf --refresh upgrade
        reboot
       If you use CloudLinux/KernelCare/livepatch, also confirm with your vendor that
       their livepatch covers CVE-2026-31431.
    
    2. VERIFY AFTER REBOOT:
       After restarting, confirm the new kernel is running:
        uname -r
       Then re-run this script to verify the system now shows as patched.
    
    3. TEMPORARY WORKAROUND (if you cannot reboot immediately):
       Block the vulnerable kernel code path without updating the kernel:
        grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
        reboot
       Note: this still requires a reboot, but does not require a kernel update.
    
    4. CLEAN UP WORKAROUND (after applying the kernel update):
       Once you have updated to a patched kernel, remove the workaround:
        grubby --update-kernel=ALL --remove-args="initcall_blacklist=algif_aead_init"
        reboot
    
    5. LINODE/AKAMAI CLOUD USERS:
       If your kernel name contains 'linode', running 'dnf upgrade' inside the OS will
       NOT change the running kernel. Linode manages the kernel separately.
       Linode kernel 7.0.3 or newer includes the CVE-2026-31431 fix.
       To update: open Cloud Manager > select your Linode > Configuration > change the
       kernel to the latest version (or switch to GRUB 2 to manage it via dnf), then reboot.
    

    Code (Text):
    == Final status ==
    STATUS: vulnerable  CONFIDENCE: high  EXIT: 1
    
    Your system appears to be VULNERABLE to CVE-2026-31431.
    Update the kernel and reboot as soon as possible (see suggested actions above).
    
    Recommended actions:
      - Run: dnf clean metadata && dnf --refresh upgrade && reboot
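
The first post says cmsec caches results for 24 hours and invalidates the cache when the running kernel, a KernelCare livepatch, the kernel command line or the check script changes; the check output above shows the running kernel and the mitigation flag that feed such a decision. One way to get that property without separate bookkeeping is to make the cache key a fingerprint of those inputs. The following is an added example, not cmsec's own implementation: the HostState fields and the livepatch status text are this example's own assumptions, and every input is constructed rather than read from a live system.

```python
"""Added example, not cmsec's own code: a verdict cache whose key is a
fingerprint of everything that can change the answer, so a stale verdict
cannot survive a reboot, a livepatch, a cmdline change or a script update."""
import hashlib
import time
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple

CACHE_TTL_SECONDS = 24 * 3600


@dataclass(frozen=True)
class HostState:
    """Cache-relevant inputs (assumed fields; constructed here, not read from the host)."""
    uname_r: str          # `uname -r`
    cmdline: str          # contents of /proc/cmdline
    livepatch_info: str   # livepatch tool status text, "" when no tool is installed
    check_script: bytes   # bytes of the check script distributed via cmupdate


def fingerprint(cve: str, state: HostState) -> str:
    """Hash the CVE id plus every cache-relevant input, NUL-separated so that
    two different input tuples cannot collapse into the same digest."""
    h = hashlib.sha256()
    parts = (cve.encode(), state.uname_r.encode(), state.cmdline.strip().encode(),
             state.livepatch_info.strip().encode(), hashlib.sha256(state.check_script).digest())
    for part in parts:
        h.update(part)
        h.update(b"\0")
    return h.hexdigest()


class VerdictCache:
    def __init__(self, ttl: int = CACHE_TTL_SECONDS, clock: Callable[[], float] = time.time):
        self._entries: Dict[str, Tuple[str, str, float]] = {}  # cve -> (fingerprint, verdict, stored_at)
        self._ttl = ttl
        self._clock = clock

    def store(self, cve: str, state: HostState, verdict: str) -> None:
        self._entries[cve] = (fingerprint(cve, state), verdict, self._clock())

    def lookup(self, cve: str, state: HostState) -> Optional[str]:
        """Return the cached verdict, or None when the entry is missing, older
        than the TTL, or was computed for a different host state."""
        entry = self._entries.get(cve)
        if entry is None:
            return None
        fp, verdict, stored_at = entry
        if fp != fingerprint(cve, state):
            return None   # kernel / cmdline / livepatch / script changed: re-run the check
        if self._clock() - stored_at > self._ttl:
            return None   # expired
        return verdict


def scenario() -> Dict[str, Optional[str]]:
    """Walk through the invalidation cases the thread lists, with constructed inputs."""
    now = [1_700_000_000.0]                    # fake clock so expiry is testable
    cache = VerdictCache(clock=lambda: now[0])
    cve = "cve-2026-31431"
    base = HostState(
        uname_r="6.12.0-124.43.1.el10_1.x86_64",
        cmdline="BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.12.0-124.43.1.el10_1.x86_64 ro crashkernel=auto\n",
        livepatch_info="",
        check_script=b"#!/bin/bash\n# check-cve-2026-31431 tool version 0.5\n",
    )
    cache.store(cve, base, "VULNERABLE")
    results = {
        "same_state": cache.lookup(cve, base),
        "mitigation_flag": cache.lookup(cve, replace(
            base, cmdline=base.cmdline.rstrip() + " initcall_blacklist=algif_aead_init")),
        "new_kernel": cache.lookup(cve, replace(base, uname_r="6.12.0-124.55.2.el10_1.x86_64")),
        "livepatch": cache.lookup(cve, replace(base, livepatch_info="kpatch: CVE-2026-31431 loaded")),
        "script_update": cache.lookup(cve, replace(
            base, check_script=b"#!/bin/bash\n# check-cve-2026-31431 tool version 0.6\n")),
    }
    now[0] += CACHE_TTL_SECONDS + 1           # more than 24h later, same host state
    results["expired"] = cache.lookup(cve, base)
    return results


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:16} -> {verdict or 're-run check'}")
```

Only the unchanged-state lookup returns the cached verdict; every other case forces a fresh run, which is the behaviour the thread describes for the login banner.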
    
     
  3. eva2000

    For the Linux Kernel vulnerability Dirty Frag (cve-2026-43284), which is now detected via the cmsec framework as well:

    Code (Text):
    cmsec list
    
    Available cmsec checks:
     * cve-2026-31431
     * cve-2026-43284
     * cve-2026-43500
    
    Available cmsec probes:
     * cve-2026-31431 (requires --yes)
    

    Code (Text):
    cmsec check cve-2026-43284
     * cmsec: running cve-2026-43284 check, please wait...
    
    == CVE ==
    CVE-2026-43284 / Dirty Frag (xfrm-ESP) kernel local privilege escalation checker
    Tool version: 0.1-cmsec  Mode: read-only
    
    == Tool availability ==
    rpm: found
    dnf: found
    grubby: found
    modinfo: found
    python3: found
    systemd-detect-virt: found
    kcarectl: not found
    nmcli: found
    
    == OS ==
    NAME: AlmaLinux
    PRETTY_NAME: AlmaLinux 10.1 (Heliotrope Lion)
    ID: almalinux
    VERSION_ID: 10.1
    Kernel track: almalinux
    
    == Container / chroot detection ==
    No container marker detected.
    
    == Running kernel ==
    6.12.0-124.55.1.el10_1.x86_64
    
    This is the kernel your system is currently running.
    This is what determines whether your system is vulnerable or patched right now.
    Even if a newer, fixed kernel package is installed, it does not take effect until you reboot.
    
    == Installed kernels ==
    kernel-6.12.0-124.40.1.el10_1.x86_64
    kernel-6.12.0-124.43.1.el10_1.x86_64
    kernel-6.12.0-124.55.1.el10_1.x86_64
    kernel-core-6.12.0-124.40.1.el10_1.x86_64
    kernel-core-6.12.0-124.43.1.el10_1.x86_64
    kernel-core-6.12.0-124.55.1.el10_1.x86_64
    
    == Default boot kernel ==
    /boot/vmlinuz-6.12.0-124.55.1.el10_1.x86_64
    
    == Running kernel RPM mapping ==
    kernel-core-6.12.0-124.55.1.el10_1.x86_64 (matched via kernel-core package name)
    
    == CVE updateinfo ==
    ALSA-2026:A006 Important/Sec. kernel-6.12.0-124.55.3.el10_1.x86_64
    ALSA-2026:A006 Important/Sec. kernel-core-6.12.0-124.55.3.el10_1.x86_64
    ALSA-2026:A006 Important/Sec. kernel-devel-6.12.0-124.55.3.el10_1.x86_64
    ALSA-2026:A006 Important/Sec. kernel-headers-6.12.0-124.55.3.el10_1.x86_64
    ALSA-2026:A006 Important/Sec. kernel-modules-6.12.0-124.55.3.el10_1.x86_64
    ALSA-2026:A006 Important/Sec. kernel-modules-core-6.12.0-124.55.3.el10_1.x86_64
    ALSA-2026:A006 Important/Sec. kernel-modules-extra-6.12.0-124.55.3.el10_1.x86_64
    ALSA-2026:A006 Important/Sec. kernel-modules-extra-matched-6.12.0-124.55.3.el10_1.x86_64
    ALSA-2026:A006 Important/Sec. kernel-tools-6.12.0-124.55.3.el10_1.x86_64
    ALSA-2026:A006 Important/Sec. kernel-tools-libs-6.12.0-124.55.3.el10_1.x86_64
    
    The above lists available security updates that fix this CVE.
    If any are shown, your system has a fix available - install updates and reboot to apply.
    
    == Available kernel updates ==
    Kernel updates are available and ready to install.
    
    == ESP / RxRPC module state ==
    esp4:  module-available
    esp6:  module-available
    rxrpc: absent-or-unknown
    
    esp4/esp6 are the IPsec ESP transforms targeted by this CVE.
    rxrpc is reported here for context; the rxrpc-half verdict lives in
    check-cve-2026-43500 (see 'cmsec check cve-2026-43500').
    
    == Modprobe blacklist mitigation status ==
    Mitigation NOT active: no /etc/modprobe.d, /usr/lib/modprobe.d, or /run/modprobe.d file blacklists esp4/esp6/rxrpc.
    
    == IPsec gateway detection ==
    No IPsec usage detected (xfrm policies/states empty, no strongswan/libreswan service active, no /etc/ipsec.* files, no NetworkManager VPN profiles).
    
    == Livepatch tooling status ==
    KernelCare kcarectl not found
    kpatch packages not detected
    
    == Vendor running-kernel assessment ==
    Detected OS:     AlmaLinux 10.1 (Heliotrope Lion)
    Vendor branch:   AlmaLinux 10
    Running kernel:  6.12.0-124.55.1.el10_1
    Fixed baseline:  6.12.0-124.55.3.el10_1
    
    RESULT: Your running kernel is OLDER than the fixed version for AlmaLinux 10.
    Your system appears VULNERABLE to CVE-2026-43284. Update and reboot as soon as possible.
    
    == Linode/Akamai Cloud kernel assessment ==
    No Linode-provided kernel marker detected in uname -r.
    
    == Provider/custom kernel warning ==
    No obvious provider/custom kernel marker detected in uname -r.
    
    == Suggested next actions ==
    1. UPDATE AND REBOOT (recommended fix):
       Install all available updates and restart the system:
         dnf clean metadata
         dnf --refresh upgrade
         reboot
       If you use CloudLinux/KernelCare/livepatch, also confirm with your vendor that
       their livepatch covers CVE-2026-43284.
    
    2. VERIFY AFTER REBOOT:
       After restarting, confirm the new kernel is running:
         uname -r
       Then re-run this script to verify the system now shows as patched.
    
    3. TEMPORARY WORKAROUND (only if you are NOT using IPsec):
       Block the vulnerable receive paths without updating the kernel:
         printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
           > /etc/modprobe.d/dirtyfrag.conf
         rmmod esp4 esp6 rxrpc 2>/dev/null || true
         echo 3 > /proc/sys/vm/drop_caches
       Note: this BREAKS IPsec on hosts that terminate or transit IPsec tunnels.
       Reverse with: rm /etc/modprobe.d/dirtyfrag.conf && modprobe esp4 && modprobe esp6
    
    4. CLEAN UP WORKAROUND (after applying the kernel update):
       Once you have updated to a patched kernel, remove the workaround:
         rm /etc/modprobe.d/dirtyfrag.conf
         modprobe esp4 esp6
         # rxrpc lifecycle is owned by check-cve-2026-43500
    
    5. LINODE/AKAMAI CLOUD USERS:
       If your kernel name contains 'linode', 'dnf upgrade' inside the OS will NOT change the running
       kernel. Linode manages the kernel separately. Watch the Linode Cloud Manager for the Dirty Frag
       fix, or switch to GRUB 2 to manage the kernel via dnf.
    
    6. ALMALINUX TESTING REPO (if 'dnf upgrade' reports 'Nothing to do'):
       AlmaLinux promotes kernel security fixes to almalinux-testing before
       the production BaseOS/AppStream repos. If cmsec reports VULNERABLE but
       'dnf --refresh upgrade' shows nothing to install, the fix is likely
       still in testing. To install from testing:
         dnf install -y almalinux-release-testing
         dnf --enablerepo=almalinux-testing --refresh upgrade 'kernel*'
         reboot
       After reboot, optionally disable the testing repo to prevent other
       testing-only packages from upgrading on subsequent dnf runs:
         dnf config-manager --set-disabled almalinux-testing
       See https://almalinux.org/blog/ for promotion-status updates.
    

    Code (Text):
    == Final status ==
    STATUS: vulnerable  CONFIDENCE: high  EXIT: 1
    
    Your system appears to be VULNERABLE to CVE-2026-43284.
    Update the kernel and reboot as soon as possible (see suggested actions above).
    
    Recommended actions:
      - Run: dnf clean metadata && dnf --refresh upgrade && reboot
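
The `cmsec --json` output in the first post and the EXIT: 1 / recommended-action convention in the check output above are what a monitoring job would consume. The block below is an added example, not Centmin Mod code. It parses the back-to-back JSON objects that `cmsec --json` prints (a single json.loads() fails on such a stream), reproduces the login-banner line per CVE, raises the 90-day baseline-age warning the first post mentions, and returns a host-level exit code. The sample records are trimmed copies of the values shown in this thread; the `today` argument and the choice of fields kept are this example's own.

```python
"""Added example, not Centmin Mod code: consume `cmsec --json` output in a
monitoring job. cmsec prints one JSON object per check back to back, so
JSONDecoder.raw_decode is used to walk the stream object by object.
Exit codes follow the check output in this thread: 0 = patched / not
affected, 1 = vulnerable."""
import json
from datetime import date
from typing import Dict, List

# Constructed sample: three records trimmed to the fields used below, with the
# values shown in the first post's `cmsec --json` output.
SAMPLE_STREAM = """
{"cve": "CVE-2026-31431", "final_status": "patched", "exit_code": 0, "os_id": "almalinux",
 "running_kernel": "6.12.0-124.55.1.el10_1", "vendor_baseline": "6.12.0-124.52.2.el10_1",
 "baseline_verified_date": "2026-05-08", "reasons": [], "recommended_actions": []}
{"cve": "CVE-2026-43284", "final_status": "vulnerable", "exit_code": 1, "os_id": "almalinux",
 "running_kernel": "6.12.0-124.55.1.el10_1", "vendor_baseline": "6.12.0-124.55.3.el10_1",
 "baseline_verified_date": "2026-05-08", "reasons": [],
 "recommended_actions": ["Run: dnf clean metadata && dnf --refresh upgrade && reboot"]}
{"cve": "CVE-2026-43500", "final_status": "not_affected", "exit_code": 0, "os_id": "almalinux",
 "running_kernel": "6.12.0-124.55.1.el10_1", "vendor_baseline": "",
 "baseline_verified_date": "2026-05-08",
 "reasons": ["rxrpc.ko not found on system; CVE requires kernel-modules-partner."],
 "recommended_actions": []}
"""

BASELINE_MAX_AGE_DAYS = 90   # the first post says cmsec warns yellow past this age
KNOWN_STATUSES = ("vulnerable", "patched", "not_affected")


def parse_stream(text: str) -> List[dict]:
    """Decode a concatenation of JSON documents separated only by whitespace."""
    decoder = json.JSONDecoder()
    records, pos, end = [], 0, len(text)
    while True:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            break
        obj, pos = decoder.raw_decode(text, pos)
        records.append(obj)
    return records


def banner_line(rec: dict) -> str:
    """Rebuild the one-line login-banner form shown in the thread."""
    status = rec["final_status"].replace("_", " ").upper()
    line = f'{rec["cve"]} ({rec["os_id"]} kernel): {status}'
    if rec["final_status"] == "vulnerable":
        line += f' - run "cmsec check {rec["cve"].lower()}" for details'
    return line


def summarize(records: List[dict], today: str) -> Dict[str, object]:
    """Aggregate per-CVE records into one host-level result for alerting."""
    today_d = date.fromisoformat(today)
    stale = [r["cve"] for r in records
             if (today_d - date.fromisoformat(r["baseline_verified_date"])).days > BASELINE_MAX_AGE_DAYS]
    return {
        # Worst exit code wins; a record without one is treated as indeterminate (assumed value 2).
        "exit_code": max((r.get("exit_code", 2) for r in records), default=0),
        "vulnerable": [r["cve"] for r in records if r["final_status"] == "vulnerable"],
        "indeterminate": [r["cve"] for r in records if r["final_status"] not in KNOWN_STATUSES],
        "stale_baselines": stale,
        "recommended_actions": sorted({a for r in records for a in r.get("recommended_actions", [])}),
        "banner": [banner_line(r) for r in records],
    }


if __name__ == "__main__":
    summary = summarize(parse_stream(SAMPLE_STREAM), today=date.today().isoformat())
    print("\n".join(summary["banner"]))
    print("host exit code:", summary["exit_code"])
```

In a real job the stream would come from `subprocess.run(["cmsec", "--json"], capture_output=True)` rather than the embedded sample; the non-zero host exit code and the `recommended_actions` list are what you would forward to your alerting.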
    
     
  4. eva2000

    Copy Fail explained



    Dirty Frag explained

     
  5. eva2000

    With so many Linux Kernel security vulnerabilities lately, I have enabled Centmin Mod's cmsec framework by default (DMOTD_CVECHECK='y'), so you no longer have to enable it yourself in 132.00stable, 140.00beta01 and 141.00beta01. Just run cmupdate to update to the latest code for the branch you are on to have the cmsec framework enabled by default.

    What is cmsec framework?



    The cmsec framework is a Centmin Mod specific Linux Kernel vulnerability detection and notification system to alert Centmin Mod users of security issues that require a Linux Kernel update + server reboot. Unlike normal YUM/DNF updates, these usually require end users to reboot their servers for Linux Kernel updates to take effect. If vulnerable, on SSH login you will see notifications (see example below) that give you a cmsec check command to run, which gives you more info on the Linux Kernel vulnerability and the mitigations and actions you need to take or be aware of.

    You'll see on initial SSH login new cmsec framework notifications like:
    Code (Text):
     * cmsec: running 5 kernel CVE check(s), please wait...
     * CVE-2026-31431 (almalinux kernel): PATCHED
     * CVE-2026-43284 (almalinux kernel): PATCHED
     * CVE-2026-43500 (almalinux kernel): NOT AFFECTED
     * CVE-2026-46300 (almalinux kernel): VULNERABLE — run "cmsec check cve-2026-46300" for details
     * CVE-2026-46333 (almalinux kernel): VULNERABLE — run "cmsec check cve-2026-46333" for details
    


    Two additional Linux Kernel security vulnerabilities have been announced, whose fixes are currently only in AlmaLinux's test Linux Kernel repo until wider release:

    Fragnesia (CVE-2026-46300)
    ssh-keysign-pwn (CVE-2026-46333)
    Example cmsec check runs for new CVEs:

    Fragnesia

    Code (Text):
    cmsec check cve-2026-46300
     * cmsec: running cve-2026-46300 check, please wait...
    
    == CVE ==
    CVE-2026-46300 / Fragnesia kernel local privilege escalation checker
    Tool version: 0.1-cmsec  Mode: read-only
    This is a single CVE covering esp4, esp6, and rxrpc.
    The same Dirty Frag mitigation (dirtyfrag.conf) blocks Fragnesia.
    
    == Tool availability ==
    rpm: found
    dnf: found
    grubby: found
    modinfo: found
    python3: found
    systemd-detect-virt: found
    kcarectl: not found
    nmcli: found
    
    == OS ==
    NAME: AlmaLinux
    PRETTY_NAME: AlmaLinux 10.1 (Heliotrope Lion)
    ID: almalinux
    VERSION_ID: 10.1
    Kernel track: almalinux
    
    == Container / chroot detection ==
    No container marker detected.
    
    == Running kernel ==
    6.12.0-124.55.3.el10_1.x86_64
    
    This is the kernel your system is currently running.
    This is what determines whether your system is vulnerable or patched right now.
    Even if a newer, fixed kernel package is installed, it does not take effect until you reboot.
    
    == Installed kernels ==
    kernel-6.12.0-124.43.1.el10_1.x86_64
    kernel-6.12.0-124.55.1.el10_1.x86_64
    kernel-6.12.0-124.55.3.el10_1.x86_64
    kernel-core-6.12.0-124.43.1.el10_1.x86_64
    kernel-core-6.12.0-124.55.1.el10_1.x86_64
    kernel-core-6.12.0-124.55.3.el10_1.x86_64
    
    == Default boot kernel ==
    /boot/vmlinuz-6.12.0-124.55.3.el10_1.x86_64
    
    == Running kernel RPM mapping ==
    kernel-core-6.12.0-124.55.3.el10_1.x86_64 (matched via kernel-core package name)
    
    == CVE updateinfo ==
    
    The above lists available security updates that fix this CVE.
    If any are shown, your system has a fix available - install updates and reboot to apply.
    
    == Available kernel updates ==
    All kernel packages are up to date - no updates available.
    
    == ESP / RxRPC module state ==
    esp4:  module-available
    esp6:  module-available
    rxrpc: absent-or-unknown
    
    All three modules (esp4, esp6, rxrpc) are covered by this single CVE.
    Unlike Dirty Frag (which split ESP and RxRPC into separate CVEs),
    Fragnesia requires all present modules to be mitigated together.
    
    == Modprobe blacklist mitigation status ==
    Mitigation NOT active: no /etc/modprobe.d, /usr/lib/modprobe.d, or /run/modprobe.d file blacklists esp4/esp6/rxrpc.
    
    == IPsec gateway detection ==
    No IPsec usage detected (xfrm policies/states empty, no strongswan/libreswan service active, no /etc/ipsec.* files, no NetworkManager VPN profiles).
    
    == Livepatch tooling status ==
    KernelCare kcarectl not found
    kpatch packages not detected
    
    == Vendor running-kernel assessment ==
    Detected OS:     AlmaLinux 10.1 (Heliotrope Lion)
    Vendor branch:   AlmaLinux 10
    Running kernel:  6.12.0-124.55.3.el10_1
    Fixed baseline:  6.12.0-124.56.3.el10_1
    
    RESULT: Your running kernel is OLDER than the fixed version for AlmaLinux 10.
    Your system appears VULNERABLE to CVE-2026-46300. Update and reboot as soon as possible.
    
    == Linode/Akamai Cloud kernel assessment ==
    No Linode-provided kernel marker detected in uname -r.
    
    == Provider/custom kernel warning ==
    No obvious provider/custom kernel marker detected in uname -r.
    
    == Suggested next actions ==
    1. UPDATE AND REBOOT (recommended fix):
       Install all available updates and restart the system:
         dnf clean metadata
         dnf --refresh upgrade
         reboot
       If you use CloudLinux/KernelCare/livepatch, also confirm with your vendor that
       their livepatch covers CVE-2026-46300.
    
    2. VERIFY AFTER REBOOT:
       After restarting, confirm the new kernel is running:
         uname -r
       Then re-run this script to verify the system now shows as patched.
    
    3. TEMPORARY WORKAROUND (only if you are NOT using IPsec):
       Block the vulnerable receive paths without updating the kernel:
         printf 'install esp4 /bin/false\\ninstall esp6 /bin/false\\ninstall rxrpc /bin/false\\n' \\
           > /etc/modprobe.d/dirtyfrag.conf
         rmmod esp4 esp6 rxrpc 2>/dev/null || true
         echo 3 > /proc/sys/vm/drop_caches
       Note: this BREAKS IPsec on hosts that terminate or transit IPsec tunnels.
       Reverse with: rm /etc/modprobe.d/dirtyfrag.conf && modprobe esp4 && modprobe esp6
    
    4. CLEAN UP WORKAROUND (after applying the kernel update):
       Once you have updated to a patched kernel, remove the workaround:
         rm /etc/modprobe.d/dirtyfrag.conf
         modprobe esp4 esp6
    
    5. LINODE/AKAMAI CLOUD USERS:
       If your kernel name contains 'linode', 'dnf upgrade' inside the OS will NOT change the running
       kernel. Linode manages the kernel separately. Watch the Linode Cloud Manager for the Fragnesia
       fix, or switch to GRUB 2 to manage the kernel via dnf.
    
    6. ALMALINUX TESTING REPO (if 'dnf upgrade' reports 'Nothing to do'):
       AlmaLinux promotes kernel security fixes to almalinux-testing before
       the production BaseOS/AppStream repos. If cmsec reports VULNERABLE but
       'dnf --refresh upgrade' shows nothing to install, the fix is likely
       still in testing. To install from testing:
         dnf install -y almalinux-release-testing
         dnf --enablerepo=almalinux-testing --refresh upgrade 'kernel*'
         reboot
       After reboot, optionally disable the testing repo to prevent other
       testing-only packages from upgrading on subsequent dnf runs:
         dnf config-manager --set-disabled almalinux-testing
       See https://almalinux.org/blog/ for promotion-status updates.
    
    == Final status ==
    STATUS: vulnerable  CONFIDENCE: high  EXIT: 1
    
    Your system appears to be VULNERABLE to CVE-2026-46300.
    Update the kernel and reboot as soon as possible (see suggested actions above).
    
    Recommended actions:
      - Run: dnf clean metadata && dnf --refresh upgrade && reboot


    ssh-keysign-pwn

    Code (Text):
    cmsec check cve-2026-46333
     * cmsec: running cve-2026-46333 check, please wait...
    
    == CVE ==
    CVE-2026-46333 / SSH KeySign Pwn kernel local privilege escalation checker
    Tool version: 0.1-cmsec  Mode: read-only
    Exploit: __ptrace_may_access() skips dumpable check when mm=NULL during exit.
    Attack: pidfd_getfd(2) extracts file handles from exiting privileged processes.
    Mitigation: kernel.yama.ptrace_scope >= 2
    
    == Tool availability ==
    rpm: found
    dnf: found
    grubby: found
    python3: found
    systemd-detect-virt: found
    kcarectl: not found
    
    == OS ==
    NAME: AlmaLinux
    PRETTY_NAME: AlmaLinux 10.1 (Heliotrope Lion)
    ID: almalinux
    VERSION_ID: 10.1
    Kernel track: almalinux
    
    == Container / chroot detection ==
    No container marker detected.
    
    == Running kernel ==
    6.12.0-124.55.3.el10_1.x86_64
    
    This is the kernel your system is currently running.
    This is what determines whether your system is vulnerable or patched right now.
    Even if a newer, fixed kernel package is installed, it does not take effect until you reboot.
    
    == Installed kernels ==
    kernel-6.12.0-124.43.1.el10_1.x86_64
    kernel-6.12.0-124.55.1.el10_1.x86_64
    kernel-6.12.0-124.55.3.el10_1.x86_64
    kernel-core-6.12.0-124.43.1.el10_1.x86_64
    kernel-core-6.12.0-124.55.1.el10_1.x86_64
    kernel-core-6.12.0-124.55.3.el10_1.x86_64
    
    == Default boot kernel ==
    /boot/vmlinuz-6.12.0-124.55.3.el10_1.x86_64
    
    == Running kernel RPM mapping ==
    kernel-core-6.12.0-124.55.3.el10_1.x86_64 (matched via kernel-core package name)
    
    == CVE updateinfo ==
    
    The above lists available security updates that fix this CVE.
    If any are shown, your system has a fix available - install updates and reboot to apply.
    
    == Available kernel updates ==
    All kernel packages are up to date - no updates available.
    
    == Yama LSM / ptrace_scope mitigation status ==
    Yama LSM: available (/proc/sys/kernel/yama/ptrace_scope exists)
    Current ptrace_scope: 
     
  6. eva2000

    Example of enabling the AlmaLinux 10 test Linux Kernel YUM/DNF repository for the fixed Linux Kernel versions for Fragnesia (CVE-2026-46300) and ssh-keysign-pwn (CVE-2026-46333), following the step suggested in the cmsec check run, if you want to access AlmaLinux test Linux Kernel packages.

    Code (Text):
    6. ALMALINUX TESTING REPO (if 'dnf upgrade' reports 'Nothing to do'):
       AlmaLinux promotes kernel security fixes to almalinux-testing before
       the production BaseOS/AppStream repos. If cmsec reports VULNERABLE but
       'dnf --refresh upgrade' shows nothing to install, the fix is likely
       still in testing. To install from testing:
        dnf install -y almalinux-release-testing
        dnf --enablerepo=almalinux-testing --refresh upgrade 'kernel*'
        reboot
       After reboot, optionally disable the testing repo to prevent other
       testing-only packages from upgrading on subsequent dnf runs:
        dnf config-manager --set-disabled almalinux-testing
       See https://almalinux.org/blog/ for promotion-status updates.
    


    Code (Text):
    dnf install -y almalinux-release-testing
    Last metadata expiration check: 0:12:02 ago on Sat May 16 05:22:52 2026.
    Dependencies resolved.
    ======================================================================================================================================================================================================================================================
     Package                                                                  Architecture                                          Version                                                   Repository                                             Size
    ======================================================================================================================================================================================================================================================
    Installing:
     almalinux-release-testing                                                x86_64                                                10-2.el10                                                 extras                                                7.4 k
    
    Transaction Summary
    ======================================================================================================================================================================================================================================================
    Install  1 Package
    
    Total download size: 7.4 k
    Installed size: 695
    Downloading Packages:
    almalinux-release-testing-10-2.el10.x86_64.rpm                                                                                                                                                                         12 kB/s | 7.4 kB     00:00
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Total                                                                                                                                                                                                                 4.9 kB/s | 7.4 kB     00:01  
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                                                                                                                                                                                              1/1
      Installing       : almalinux-release-testing-10-2.el10.x86_64                                                                                                                                                                                   1/1
    
    Installed:
      almalinux-release-testing-10-2.el10.x86_64                                                                                                                                                                                                      
    
    Complete!

    Code (Text):
    dnf --enablerepo=almalinux-testing --refresh upgrade 'kernel*'
    Extra Packages for Enterprise Linux 10 - x86_64                                                                                                                                                                       5.6 kB/s | 3.5 kB     00:00
    AlmaLinux 10 - AppStream                                                                                                                                                                                              4.8 kB/s | 3.8 kB     00:00
    AlmaLinux 10 - BaseOS                                                                                                                                                                                                 5.2 kB/s | 3.8 kB     00:00
    AlmaLinux 10 - CRB                                                                                                                                                                                                    4.8 kB/s | 3.8 kB     00:00
    AlmaLinux 10 - Extras                                                                                                                                                                                                 4.5 kB/s | 3.3 kB     00:00
    AlmaLinux 10 - Testing                                                                                                                                                                                                4.4 MB/s |  12 MB     00:02
    MariaDB                                                                                                                                                                                                               1.7 kB/s | 3.5 kB     00:02
    Percona Release release/noarch YUM repository                                                                                                                                                                          10 kB/s | 3.0 kB     00:00
    Percona Telemetry release/x86_64 YUM repository                                                                                                                                                                        12 kB/s | 3.0 kB     00:00
    Remi's Modular repository for Enterprise Linux 10 - x86_64                                                                                                                                                            4.4 kB/s | 3.5 kB     00:00
    Dependencies resolved.
    ======================================================================================================================================================================================================================================================
     Package                                                              Architecture                                   Version                                                          Repository                                                 Size
    ======================================================================================================================================================================================================================================================
    Installing:
     kernel                                                               x86_64                                         6.12.0-124.56.5.el10_1                                           almalinux-testing                                         1.4 M
     kernel-core                                                          x86_64                                         6.12.0-124.56.5.el10_1                                           almalinux-testing                                          18 M
     kernel-devel                                                         x86_64                                         6.12.0-124.56.5.el10_1                                           almalinux-testing                                          19 M
     kernel-modules                                                       x86_64                                         6.12.0-124.56.5.el10_1                                           almalinux-testing                                          41 M
     kernel-modules-core                                                  x86_64                                         6.12.0-124.56.5.el10_1                                           almalinux-testing                                          30 M
     kernel-modules-extra                                                 x86_64                                         6.12.0-124.56.5.el10_1                                           almalinux-testing                                         2.8 M
    Upgrading:
     kernel-headers                                                       x86_64                                         6.12.0-124.56.5.el10_1                                           almalinux-testing                                         3.0 M
     kernel-modules-extra-matched                                         x86_64                                         6.12.0-124.56.5.el10_1                                           almalinux-testing                                         1.4 M
     kernel-tools                                                         x86_64                                         6.12.0-124.56.5.el10_1                                           almalinux-testing                                         1.9 M
     kernel-tools-libs                                                    x86_64                                         6.12.0-124.56.5.el10_1                                           almalinux-testing                                         1.4 M
    Removing:
     kernel                                                               x86_64                                         6.12.0-124.43.1.el10_1                                           @baseos                                                     0
     kernel-core                                                          x86_64                                         6.12.0-124.43.1.el10_1                                           @baseos                                                    69 M
     kernel-devel                                                         x86_64                                         6.12.0-124.43.1.el10_1                                           @appstream                                                 74 M
     kernel-modules                                                       x86_64                                         6.12.0-124.43.1.el10_1                                           @baseos                                                    39 M
     kernel-modules-core                                                  x86_64                                         6.12.0-124.43.1.el10_1                                           @baseos                                                    27 M
     kernel-modules-extra                                                 x86_64                                         6.12.0-124.43.1.el10_1                                           @baseos                                                   1.3 M
    
    Transaction Summary
    ======================================================================================================================================================================================================================================================
    Install  6 Packages
    Upgrade  4 Packages
    Remove   6 Packages
    
    Total download size: 120 M
    Is this ok [y/N]: 


    After installing the updated Linux Kernel YUM packages, reboot the server and on first SSH login you'll now see:
    Code (Text):
     * cmsec: running 5 kernel CVE check(s), please wait...
     * CVE-2026-31431 (almalinux kernel): PATCHED
     * CVE-2026-43284 (almalinux kernel): PATCHED
     * CVE-2026-43500 (almalinux kernel): NOT AFFECTED
     * CVE-2026-46300 (almalinux kernel): PATCHED
     * CVE-2026-46333 (almalinux kernel): PATCHED
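As an added example (not Centmin Mod's own cmsec code), here is the running-kernel-versus-fixed-baseline comparison that the "Vendor running-kernel assessment" in the cmsec check output above performs, together with the "fixed kernel installed but not yet booted" distinction that the update-and-reboot steps rely on, written as POSIX sh. The kernel strings and the 6.12.0-124.56.3.el10_1 baseline are the ones shown in that output; the REBOOT_PENDING and UPDATE_REQUIRED state names are my own.

```shell
#!/bin/sh
# Added example (not Centmin Mod's cmsec code): the version comparison that
# decides PATCHED vs VULNERABLE against a vendor fixed-kernel baseline, plus the
# "fix installed but not yet booted" case the cmsec output warns about.

# Reduce an EL kernel string such as 6.12.0-124.55.3.el10_1.x86_64 to its
# numeric fields "6 12 0 124 55 3 10 1" (arch suffix dropped, "el" ignored).
kver_fields() {
    printf '%s\n' "$1" |
        sed -E 's/\.(x86_64|aarch64|ppc64le|s390x)$//; s/[^0-9]+/ /g; s/^ //; s/ $//'
}

# Compare two kernel strings field by field; prints lt, eq or gt.
# Missing trailing fields count as 0, so 6.12.0-124.56 equals 6.12.0-124.56.0.
kver_cmp() {
    a=$(kver_fields "$1")
    b=$(kver_fields "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; if [ "$a" = "$x" ]; then a=; else a=${a#* }; fi
        y=${b%% *}; if [ "$b" = "$y" ]; then b=; else b=${b#* }; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo lt; return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo gt; return 0; fi
    done
    echo eq
}

# Strip the /boot/vmlinuz- prefix that a grubby default-kernel path carries.
boot_kernel_from_path() {
    printf '%s\n' "${1##*/vmlinuz-}"
}

# "Vendor running-kernel assessment": PATCHED when running >= baseline.
cve_status() {   # $1 running kernel, $2 fixed baseline
    case $(kver_cmp "$1" "$2") in
        lt) echo VULNERABLE ;;
        *)  echo PATCHED ;;
    esac
}

# The cmsec output stresses that an installed fixed kernel only helps after a
# reboot; separate that state from "no fixed kernel installed at all".
reboot_state() { # $1 running kernel, $2 default boot kernel, $3 fixed baseline
    if   [ "$(kver_cmp "$1" "$3")" != lt ]; then echo PATCHED
    elif [ "$(kver_cmp "$2" "$3")" != lt ]; then echo REBOOT_PENDING
    else echo UPDATE_REQUIRED; fi
}

# Demo with the values from the Fragnesia check output above (constructed
# input; on a live host use "$(uname -r)" and "$(grubby --default-kernel)").
RUNNING="6.12.0-124.55.3.el10_1.x86_64"
BASELINE="6.12.0-124.56.3.el10_1"
BOOT=$(boot_kernel_from_path "/boot/vmlinuz-6.12.0-124.55.3.el10_1.x86_64")
printf 'CVE-2026-46300 running-kernel: %s, state: %s\n' \
    "$(cve_status "$RUNNING" "$BASELINE")" "$(reboot_state "$RUNNING" "$BOOT" "$BASELINE")"
```

Re-running the same comparison after the testing-repo upgrade above (running kernel 6.12.0-124.56.5.el10_1) yields PATCHED, matching the post-reboot cmsec login banner.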
    
     