Vulnerability Identifier: NR26-05
Priority: High
Summary
We are issuing this bulletin to inform you of a critical security vulnerability, CVE-2026-31431 ("Copy Fail"), which affects the Linux kernel. This is a local privilege escalation vulnerability present in Linux kernels released between 2017 and April 2026. If exploited, any local process on an unpatched host can gain full root access.
Impact on Synthetics Customers
This vulnerability impacts customers utilizing both Public and Private Synthetics locations.
- Public Locations: New Relic is actively managing the remediation for all Public locations. No action is required on your part for these environments.
- Private Locations: It is important to note that the New Relic Synthetics Job Manager (SJM) and the runtime containers themselves are not the source of the vulnerability; however, the host they are running on may be at risk.
Action required
If you are running Private Synthetics Locations on Linux, please take action:
Step 1: Check Your Vulnerability Status
1.1 Identify your current kernel version.
$# check your kernel version$uname -r1.2 Check your Linux distribution's security advisory and compare your kernel version against your vendor's CVE-2026-31431 security bulletin:
Example:
- Amazon Linux: https://explore.alas.aws.amazon.com/CVE-2026-31431.html
- Ubuntu: https://ubuntu.com/security/CVE-2026-31431
- RHEL: https://access.redhat.com/security/cve/cve-2026-31431
1.3: Determine patch status
- If advisory shows "Fixed" or "Patched": A kernel update is available. Update your kernel with patch.
- If the advisory shows "Pending" or no information: No patch is currently available. Follow manual mitigation steps below and monitor the advisory for updates.
- If your kernel version matches or exceeds the patched version listed: Your kernel is already patched.
Step 2: Mitigation & Patching
If your host is identified as vulnerable, take action based on patch availability:
Option A: Apply OS Patch (Recommended)
Check your Linux distribution's official security advisories for a kernel patch addressing CVE-2026-31431. If available, update your host kernel and reboot the system.
Option B: Manual Mitigation (If no patch is available)
If a patch has not yet been released for your distribution, you can manually disable the vulnerable module by executing the following as root: (This provides equivalent protection until you can schedule patching)
$# Switch to root user$sudo su$# Disable the vulnerable module$echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf$# Unload the module (if currently loaded)$rmmod algif_aead$# Verify mitigation$lsmod | grep algif_aead$# Should show no outputFrequently Asked Questions
Do I need to update SJM or runtime containers?
No. This is a host kernel vulnerability. No changes to SJM, runtimes, or container images are required.
Will this affect my Synthetics monitors?
No, Synthetics monitors will continue to run normally after mitigation or patching.
Can this be exploited remotely?
No. An attacker needs local access to your host. However, once they have local access, they can gain root access.
Do I need to reboot to apply the mitigation?
No. The mitigation takes effect immediately. Kernel patching does require a reboot.
How do I know if my distribution has released a patch?
Check your Linux distribution's security advisories like the below:
What if I can't patch immediately?
Apply the mitigation steps mentioned above. This provides equivalent protection until you can schedule patching.
Technical vulnerability information
Publication History
May 8, 2026 - NR26-05 Published