Track upstream CVE-2026-31431 'Copy Fail' fixes for RHEL 8 / kernel-rt / RHCOS #19

@rdwj

Description

Context

Red Hat Security Bulletin RHSB-2026-02 / CVE-2026-31431 (CVSS 7.8 Important, CWE-1288) is a flaw in the Linux kernel's algif_aead in-place operation handling that allows local privilege escalation through an unprivileged AF_ALG socket + splice() chain ("Copy Fail"). In containerized environments the page cache is shared with the host, so the same flaw enables pod-to-node escape.

Workload-side defense-in-depth and host-side documentation landed in:

  • c085dc0 — seccomp: block splice and socket() (which denies AF_ALG) at both the subprocess BPF and container SeccompProfile layers
  • 6c8a60a — chart/README.md: host requirements + Red Hat product status table
  • 1151cf4 — chart/policies/copy-fail-mitigation-policy.yaml, from Red Hat solution 7142032

What this issue tracks

Items we deliberately deferred because they depend on Red Hat shipping errata:

Red Hat product status as of 2026-05-04

| Product | Component | State | Errata |
|---|---|---|---|
| RHEL 9 | kernel | Fixed | RHSA-2026:13565 |
| RHEL 9 | kernel-rt | Affected | none |
| RHEL 8 | kernel | Affected | none |
| RHEL 8 | kernel-rt | Affected | none |
| RHEL 10 | kernel | Affected | none |
| OpenShift Container Platform 4 | rhcos | Affected | none |

Follow-ups once errata ship

  • RHEL 8 kernel errata published → update chart/README.md table.
  • RHEL 9 kernel-rt errata published → update table.
  • RHEL 10 kernel errata published → update table.
  • RHCOS errata published → update table; reassess whether the boot-arg mitigation in chart/policies/copy-fail-mitigation-policy.yaml is still recommended for fleets that have rolled the new RHCOS, or whether the file should be retained only as historical reference.
  • Once all RHCOS streams we support are patched, consider whether the splice block in the workload-level SeccompProfile is still load-bearing or can be loosened. The subprocess BPF block stays regardless.

Optional, separate follow-up

  • Preflight initContainer that reads /proc/cmdline and refuses to start when the host kernel is unpatched and initcall_blacklist=algif_aead_init is absent. Deferred because it can race node config drift; tracked here so the conversation is not lost.

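As an added example (not the project's own code), a POSIX shell preflight check of the kind the deferred initContainer above would run: it parses the kernel command line for the algif_aead initcall blacklist and refuses to proceed when it is absent on a kernel not known to be patched. The list of patched kernel releases is an assumed, caller-supplied placeholder, since the fixed kernel builds are not listed on this page.

```shell
#!/bin/sh
# Added example, not the project's code. A snapshot of node state at pod start
# only: it does not detect later drift (the race the issue text mentions).

# Return 0 if the cmdline string carries initcall_blacklist=...algif_aead_init...
# The value may be a comma-separated list, so match the token inside it.
cmdline_has_algif_blacklist() {
    cmdline="$1"
    for tok in $cmdline; do
        case "$tok" in
            initcall_blacklist=*)
                list="${tok#initcall_blacklist=}"
                case ",$list," in
                    *,algif_aead_init,*) return 0 ;;
                esac
                ;;
        esac
    done
    return 1
}

# Return 0 if the running kernel release is in the caller-supplied,
# space-separated list of releases known to carry the fix (placeholder:
# fill it from the vendor errata once they ship).
kernel_is_patched() {
    release="$1"
    patched_list="$2"
    for r in $patched_list; do
        [ "$r" = "$release" ] && return 0
    done
    return 1
}

# Decide: 0 = OK to start, 1 = refuse. Either a patched kernel or the
# boot-arg mitigation is acceptable; neither is a failure.
preflight_decision() {
    release="$1"; cmdline="$2"; patched_list="$3"
    if kernel_is_patched "$release" "$patched_list"; then
        return 0
    fi
    if cmdline_has_algif_blacklist "$cmdline"; then
        return 0
    fi
    echo "preflight: kernel $release unpatched and algif_aead_init not blacklisted" >&2
    return 1
}

# Stand-alone use inside the initContainer (uname and /proc/cmdline show the
# host kernel, since the container shares it):
# preflight_decision "$(uname -r)" "$(cat /proc/cmdline)" "$PATCHED_KERNELS" || exit 1
```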