Two major vulnerabilities have been reported that need your immediate attention to avoid system compromise. Please note that these are OS-level and Control Panel-level security holes: they should be patched manually based on the provider’s instructions and cannot be patched via any web security suite available, including cPGuard.
CVE-2026-41940: cPanel & WHM Authentication Bypass
CVSS Score: 9.8 (Critical)
Affected Products: cPanel & WHM (versions after 11.40) and WP Squared.
Vulnerability Type: Missing Authentication for Critical Function / CRLF Injection.
Description: An unauthenticated, remote attacker can bypass authentication to gain full administrative (root) access to the cPanel host system, its configurations, databases, and managed websites. The flaw exists in the login and session loading processes; attackers can use a Carriage Return Line Feed (CRLF) injection via a malicious basic authorization header to manipulate the whostmgrsession cookie. This allows them to write arbitrary properties (e.g., user=root) directly into the session file.
Active Exploitation: Yes, actively exploited in the wild.
Fix / Remediation:
Primary: Immediately update cPanel & WHM and WP Squared to the latest patched versions provided by the vendor.
Post-Patching Actions: Purge affected sessions, force password resets for root and WHM users, and check for persistence mechanisms.
Workaround: If immediate patching isn’t possible, block inbound TCP traffic on ports 2083, 2087, 2095, and 2096, or temporarily stop the affected services.
CVE-2026-31431: “Copy Fail” Linux Kernel LPE
CVSS Score: 7.8 (High)
Affected Products: The Linux Kernel (affecting virtually all major distributions since 2017, including Ubuntu, RHEL, Amazon Linux, and SUSE).
Vulnerability Type: Local Privilege Escalation (LPE).
Description: Nicknamed “Copy Fail,” this is a logic flaw in the kernel’s algif_aead userspace cryptographic interface. It allows an unprivileged local user to write four controlled bytes into the page cache of any readable file on a Linux system. By modifying the cached memory of a setuid binary (like /usr/bin/su), an attacker can gain root access in seconds. Unlike “Dirty Pipe,” it does not require winning a race condition and is highly reliable. It poses a severe risk to shared-kernel multi-tenant environments, CI/CD runners, and Kubernetes nodes.
Active Exploitation: Public proof-of-concept (PoC) exploits are widely available and highly effective.
Fix / Remediation:
Primary: Apply the latest kernel security updates provided by your Linux distribution. The patch series reverts the flawed 2017 in-place optimization (ending with commit fafe0fa2995a).
Manual Patching: Follow the steps below for your OS to manually disable the affected module.
For Ubuntu and Debian systems, the following prevents the vulnerable module from loading into memory.
Disable the module from future loads
echo "install algif_aead /bin/true" > /etc/modprobe.d/cve-2026-31431.conf
Unload the module if it is currently active
rmmod algif_aead
The following is recommended for CloudLinux, AlmaLinux, and RHEL.
Apply the recommended mitigation via grubby
grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
Reboot the server to apply the changes
reboot
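To confirm that the steps above took effect, the following added example (not part of the original advisory) reports whether algif_aead is still loaded and whether the modprobe override or the initcall_blacklist argument is active. The function names and status strings are assumptions made for this example; the file paths default to the standard locations and can be passed as arguments.

```shell
#!/bin/sh
# Added example: verify the algif_aead mitigations from this advisory.
# Function names and status strings are hypothetical; paths are arguments
# so the check can also be run against constructed sample files.

# True if algif_aead appears in a /proc/modules-style listing.
module_loaded() {
    grep -q '^algif_aead ' "${1:-/proc/modules}" 2>/dev/null
}

# True if a modprobe.d *.conf file maps "install algif_aead" to a no-op.
# /bin/true is what the advisory writes; /bin/false is accepted as an equivalent.
modprobe_blocked() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(true|false)[[:space:]]*$' \
        "${1:-/etc/modprobe.d}"/*.conf
}

# True if the running kernel's command line blacklists algif_aead_init.
initcall_blacklisted() {
    f="${1:-/proc/cmdline}"
    [ -r "$f" ] && tr ' ' '\n' < "$f" |
        grep -Eq '^initcall_blacklist=([^,]+,)*algif_aead_init(,|$)'
}

# Prints one status line: MITIGATED, or EXPOSED with the reason.
mitigation_status() {
    mods="${1:-/proc/modules}"; dir="${2:-/etc/modprobe.d}"; cmd="${3:-/proc/cmdline}"
    if module_loaded "$mods"; then
        # An override only stops future loads; a loaded module stays usable.
        echo "EXPOSED module-loaded"
    elif modprobe_blocked "$dir" || initcall_blacklisted "$cmd"; then
        echo "MITIGATED"
    else
        echo "EXPOSED no-block"
    fi
}

mitigation_status "$@"
```

Because /proc/cmdline reflects the running kernel, the grubby change is reported as active only after the reboot.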
