CVE-2026-31431 (Copy Fail): patched Kubernetes images on Thalassa Cloud

2026-05-01
Thalassa Cloud

CVE-2026-31431, known as Copy Fail, is a Linux kernel local privilege escalation that affects a wide range of kernels, from 2017 up to the point where distributors ship the fix. On Kubernetes clusters that may execute potentially malicious workloads (e.g. third-party container images), the vulnerability may facilitate container escape scenarios (from a pod to the host). Utilising microVMs or other isolated runtime classes may mitigate the impact.

Thalassa Cloud Kubernetes images v1.34.7-1 and v1.35.4-1 include kernel module updates that address CVE-2026-31431 by applying the recommended mitigation from Canonical for Ubuntu. See the release notes for details.

We recommend upgrading your cluster and node pools to one of these versions (or newer builds that list the same security fix) as soon as your change window allows. Use tcloud kubernetes versions to confirm availability in your organisation, then upgrade node pools so worker nodes actually run the patched image.

Clusters that already have a scheduled upgrade configuration will apply these updates automatically during their next maintenance window. If you do not use scheduled upgrades, you can start an upgrade from the Console, API, Terraform, or tcloud whenever you are ready.

Canonical tracks the issue as CVE-2026-31431; additional context and vendor guidance are available in Ubuntu’s Copy Fail advisory.

