Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2026/VULN453 _____________________________________________________________________ DATE : 04/05/2026 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Tanzu Kubernetes Runtime, VMware Tanzu Application Service VMware Tanzu Kubernetes Grid Integrated Edition VMware Tanzu Platform VMware Tanzu Platform - Cloud Foundry VMware Tanzu Platform Core VMware Tanzu Platform - Kubernetes Vmware Tanzu Platform - SM. ===================================================================== https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37431 _____________________________________________________________________ Tanzu Security Advisory CVE-2026-341431 Product/Component Tanzu Kubernetes Runtime VMware Tanzu Application Service VMware Tanzu Kubernetes Grid Integrated Edition VMware Tanzu Platform VMware Tanzu Platform - Cloud Foundry VMware Tanzu Platform Core VMware Tanzu Platform - Kubernetes Vmware Tanzu Platform - SM Notification Id 37431 Last Updated 01 May 2026 Initial Publication Date 01 May 2026 Status OPEN Severity HIGH CVSS Base Score 7.8 WorkAround Affected CVE CVE-2026-31431 Severity: High CVSSv3 Range: 7.8 CVSSv3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Issue Date: 2026-05-01 Updated on: 2026-05-01 CVE(s) CVE-2026-31431 Synopsis A local privilege escalation (LPE) vulnerability affecting the Linux kernel was publicly disclosed on April 29, 2026. The vulnerability has been assigned CVE ID CVE-2026-31431 and is referred to as Copy Fail. The affected component is a kernel module that provides hardware-accelerated cryptographic functions: algif_aead. The vulnerability affects all Tanzu Jammy Stemcells releases before 1.1193. Impact This is a local system vulnerability only impacting jammy-stemcells and linux systems. It requires access to a running system and can not be exploited remotely across a network. The diego cell garden runtime, as documented in the Container Security in VMware Tanzu Platform white paper and container security documentation was assessed by the Tanzu Platform team who reviewed the garden overlay fs file system for cflinuxfs and determined that running VMs are vulnerable to the exploit. Due to the userspace configuration of the garden runtime the inode mapping between the running container is not the same as the underlying VM, so while the exploit works in a container, it is not actually “root” on the VM and does not have access to the VM outside of the container. Because all running containers share the same file system there is a possibility that an application would have a possible attack against other containers. There are still other container segmentations as outlined in the white paper so while it is possible it would still be difficult. Tanzu Security Risk Reduction This vulnerability is a Local Privilege Escalation (LPE) in the Linux kernel (crypto: algif_aead). To exploit this vulnerability, an attacker requires local access and low-level privileges (AV:L, PR:L). Within the Tanzu Platform architecture, the primary "entry doors" where unprivileged users can execute arbitrary code are the components responsible for staging and running application containers is extremely limited and controlled through the Tanzu Platform. Mitigation via Bounded Contexts: Components like cflinuxfs4-release (the application rootfs) and the offline buildpacks see their scores reduced (from 7.8 to 6.6) from a Tanzu risk perspective. While these are entry doors that execute untrusted code (e.g., during the build/staging phase or as the base filesystem), the CVSS context indicates that within the restricted boundaries of a single container, an Unchanged Scope (MS:U) and Low Confidentiality Impact (MC:L) limit the broader risk if the vulnerability is not chained with a further escape. Tanzu CVSS v3.1 score: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:L/MAC:L/MPR:L/MUI:N/MS:U/MC:L/MI:X/MA:X CVSS Base Score: 7.8 Impact Subscore: 5.9 Exploitability Subscore: 1.8 CVSS Temporal Score: 7.2 CVSS Environmental Score: 7.2 Modified Impact Subscore: 5.9 Overall CVSS Score: 7.2 Tanzu Jammy Stemcell Versions Affected All versions before 1.1193 Upstream Advisory: Copy Fail Copy Fail: 732 Bytes to Root on Every Major Linux Distribution Copy Fail (CVE-2026-31431) is a logic bug in the Linux kernel's authencesn cryptographic template. It lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system. A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions Mitigation Update to stemcell 1.1193 If you need a temporary mitigation until you can upgrade the stemcell, the kernel module algif_aead can be removed following the steps below which removes this functionality. There is a kernel patch expected that will supersede this change in the coming weeks. The mitigation disables a kernel module that is used for hardware-accelerated cryptography. Applications should gracefully fallback to userspace cryptographic functions, but there is a risk that some do not have this functionality. Temporary Mitigation bosh -d ssh -c 'echo "install algif_aead /bin/false" > /tmp/disable-algif.conf && sudo su -c "cp /tmp/disable-algif.conf /etc/modprobe.d/disable-algif.conf; rmmod algif_aead || echo Skipping unload module"' This persists the change through reboots, but a reboot is not necessary because the module is removed in this command. History 2026-05-01: Initial vulnerability report published. 2026-05-01: Updated with updated temporary mitigation Contact E-mail: tanzu.psirt@broadcom.com VMware Tanzu Security Advisories https://tanzu.vmware.com/security ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================