Openvz7 and CVE-2026-31431 (Copy Fail) vulnerability [message #53889]
Fri, 01 May 2026 06:25
nathan.brownrice
Hey guys! Has anyone been able to confirm if Openvz7 on the latest kernel is vulnerable to CVE-2026-31431 (Copy Fail)? I'm trying to confirm whether my hosts are actually vulnerable.
Kernel:
3.10.0-1160.119.1.vz7.224.4
Research:
Since Openvz7 is based off RHEL7, which is not vulnerable to this, I think we're in the clear: https://access.redhat.com/security/cve/cve-2026-31431
The code that introduced this bug was added to the Linux kernel in 2017 (commit 72548b093ee3). Because the RHEL 7 kernel (and OpenVZ 7 kernel) is based on the 3.10 branch from 2013, it does not contain the 2017 "performance optimization" that created the security hole introduced in kernel 4.14.
Proof:
algif_aead is not present:
modprobe -n -v algif_aead
modprobe: FATAL: Module algif_aead not found.
af_alg not loaded:
Results in no output.
There are no related modules in /lib/modules and CONFIG_CRYPTO_USER_API_AEAD appears unset.
What have you guys found? Any official Virtuozzo guidance or patched kernel version yet? I'd like a sanity check that we're in the clear before I celebrate.
Thanks,
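The evidence collected in the post above (the CONFIG_CRYPTO_USER_API_AEAD setting, module files under /lib/modules, loaded modules) combined into one check, as an added example that is not part of the original post. It reports only whether the AF_ALG AEAD interface is present, not whether the kernel carries the bug, and it also covers the built-in case, where a module listing stays empty although the interface exists. The function names and the `live` argument are this example's own, and `/boot/config-$(uname -r)` is assumed to hold the running kernel's config.

```shell
#!/bin/sh
# Added example (not from the thread): classify how the AF_ALG AEAD user API
# is available on a host. Function names here are this example's own.

# config_state FILE SYMBOL -> prints y, m or unset
config_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" 2>/dev/null | head -n 1)
    echo "${val:-unset}"
}

# module_on_disk MODDIR NAME -> 0 if NAME.ko (optionally compressed) exists
module_on_disk() {
    [ -n "$(find "$1" -type f \( -name "$2.ko" -o -name "$2.ko.*" \) 2>/dev/null | head -n 1)" ]
}

# module_builtin MODDIR NAME -> 0 if NAME is listed in MODDIR/modules.builtin
module_builtin() {
    grep -q "/$2\.ko\$" "$1/modules.builtin" 2>/dev/null
}

# module_loaded PROCFILE NAME -> 0 if NAME is in a /proc/modules-style file
module_loaded() {
    grep -q "^$2 " "$1" 2>/dev/null
}

# aead_exposure CONFIG MODDIR PROCFILE -> built-in | loaded | loadable | absent
aead_exposure() {
    if [ "$(config_state "$1" CONFIG_CRYPTO_USER_API_AEAD)" = y ] ||
       module_builtin "$2" algif_aead; then
        echo built-in    # module listings show nothing, yet the interface exists
    elif module_loaded "$3" algif_aead; then
        echo loaded
    elif module_on_disk "$2" algif_aead; then
        echo loadable    # can be autoloaded when an AF_ALG aead socket is bound
    else
        echo absent      # matches the findings reported in the post
    fi
}

# Query the running host only when invoked as: sh script.sh live
if [ "${1:-}" = live ]; then
    rel=$(uname -r)
    aead_exposure "/boot/config-$rel" "/lib/modules/$rel" /proc/modules
fi
```

A result of `loadable` on a host that does not need the interface can be closed off by blacklisting the module in modprobe configuration.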
Re: Openvz7 and CVE-2026-31431 (Copy Fail) vulnerability [message #53890 is a reply to message #53889]
Sat, 02 May 2026 03:16
dmc_dtc
OpenVZ user here. I did the same analysis today as you and came to the same conclusion; I am sure that we are home free on this one.
The unfortunate problem is that, if some day in the future there is some RCE or serious kernel bug, we are stuck with this kernel from 2024 ... I am actively migrating from OpenVZ since it seems dead anyway. Though my guest systems are Alma 8, 9 and 10 and up to date, we are stuck with this old kernel. If they would only support the kernel I could go along for a few more years, at least if they would fix these kinds of serious bugs.
I was tempted to try to patch some newer kernels myself or use ones from newer OpenVZ, but why waste time.
That being said, thanks to the OpenVZ community and devels while it lasted; it was the easiest and best solution for containers. Now I use KVM for new systems, and the older VZ containers I've ported (easily) to systemd-nspawn (I used simfs so migration was easy, just copying the files). I managed to successfully migrate a few OpenVZ containers just for fun and it works great, though we maybe don't have all the capabilities OpenVZ had. For now KVM is the best solution for me going forward, so I don't worry about host kernel vulnerabilities.
If OpenVZ ever continues I will be happy to reconsider.
Sorry for the off topic.
>> dmc / dtc <<
[Updated on: Sat, 02 May 2026 03:21]