This walkthrough is for CloudLinux WHM/cPanel servers, especially shared hosting nodes where many customers run code on the same kernel. That multi-tenant setup is exactly why CVE-2026-31431 Copy Fail deserves attention even though it is local privilege escalation rather than standalone remote code execution.
The job has two halves: patch WHM/cPanel for CVE-2026-41940, then patch or livepatch the CloudLinux kernel for Copy Fail.
Identify The Server
cat /etc/cloudlinux-release || cat /etc/os-release
/usr/local/cpanel/cpanel -V
uname -r
kcarectl --info 2>/dev/null || true
df -h / /boot /usr/local/cpanel
If this is CloudLinux 7, be extra careful with cPanel tiering. cPanel’s current CloudLinux requirements warn that CloudLinux 7 is old, and cPanel’s CVE advisory says CentOS 7 or CloudLinux 7 servers may need to be set to the 11.110 tier.
Step 1: Update cPanel And WHM
# CloudLinux 7 only, when the server needs the 11.110 tier:
whmapi1 set_tier tier=11.110
# All CloudLinux versions:
/scripts/upcp --force
/usr/local/cpanel/cpanel -V
/scripts/restartsrv_cpsrvd --hard
For supported newer CloudLinux versions, the normal `/scripts/upcp --force` path should bring cPanel to a patched build. If updates are disabled, pinned, or blocked by licensing, fix that first.
Step 2: If You Have KernelCare
KernelCare can patch a running CloudLinux kernel without a reboot when coverage is available for the running kernel. Apply the livepatch and verify that CVE-2026-31431 appears in the patch information.
kcarectl --update
kcarectl --patch-info | grep CVE-2026-31431
If `kcarectl --update` says there are no updates for this kernel, or the `grep` command returns nothing, continue with the OS kernel update path below. Do not assume “KernelCare is installed” means this CVE is covered on that exact kernel.
Step 3: Without KernelCare, Update By CloudLinux Version
CloudLinux 7 Hybrid uses a different testing repository path than CloudLinux 8. CloudLinux 9 and 10 use DNF for the kernel update path.
# CloudLinux 7 Hybrid
yum clean all
yum --enablerepo=cl7h_beta update 'kernel*'
# CloudLinux 8
yum clean all
yum --enablerepo=cloudlinux-updates-testing update 'kernel*'
# CloudLinux 9 or CloudLinux 10
dnf clean metadata
dnf update kernel
Reboot after the kernel update unless KernelCare confirmed livepatch coverage.
reboot
Step 4: Verify Kernel, cPanel, And CloudLinux Services
uname -r
/usr/local/cpanel/cpanel -V
systemctl status cpanel --no-pager
/scripts/restartsrv_cpsrvd --status
cagefsctl --remount-all 2>/dev/null || true
cagefsctl --force-update 2>/dev/null || true
systemctl status lvestats --no-pager 2>/dev/null || true
cPanel’s Copy Fail note listed fixed CloudLinux baselines of `kernel-4.18.0-553.121.1.lve.el7h` for CloudLinux 7 Hybrid, `kernel-4.18.0-553.121.1.lve.el8` for CloudLinux 8, `kernel-5.14.0-611.49.2.el9_7` for CloudLinux 9, and `kernel-6.12.0-124.52.2.el10_1` for CloudLinux 10. Newer vendor kernels are fine.
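To check a node against these baselines, the script below (an added example, not cPanel's or CloudLinux's own tooling) classifies a `uname -r` string as at-or-above or below the baseline for its CloudLinux version. The function names are illustrative, and the field-by-field numeric comparison is a simplification of RPM version ordering that assumes purely numeric version-release fields.

```shell
#!/bin/sh
# Added example: compare a `uname -r` string with the baselines quoted above.

# Print the fixed baseline (version-release digits) for a kernel string.
baseline_for() {
    case "$1" in
        *.el7h*) echo "4.18.0-553.121.1" ;;  # CloudLinux 7 Hybrid
        *.el8*)  echo "4.18.0-553.121.1" ;;  # CloudLinux 8
        *.el9*)  echo "5.14.0-611.49.2" ;;   # CloudLinux 9
        *.el10*) echo "6.12.0-124.52.2" ;;   # CloudLinux 10
        *)       return 1 ;;                 # no baseline listed for this build
    esac
}

# Succeed when numeric version $1 >= $2, comparing field by field.
ver_ge() {
    a=$(echo "$1" | sed 's/[.-]/ /g')
    b=$(echo "$2" | sed 's/[.-]/ /g')
    set -- $a                    # running-kernel fields become $1, $2, ...
    for want in $b; do
        have=${1:-0}             # a missing field counts as 0
        if [ $# -gt 0 ]; then shift; fi
        if [ "$have" -gt "$want" ]; then return 0; fi
        if [ "$have" -lt "$want" ]; then return 1; fi
    done
    return 0
}

# Print at-or-above-baseline, below-baseline, or unknown for a kernel string.
kernel_status() {
    run=${1%%.lve*}              # drop the CloudLinux ".lve" suffix onward
    run=${run%%.el[0-9]*}        # drop the dist tag and architecture
    base=$(baseline_for "$1") || { echo "unknown"; return 0; }
    if ver_ge "$run" "$base"; then
        echo "at-or-above-baseline"
    else
        echo "below-baseline"
    fi
}

# Check the kernel given as the first argument, or the running one.
kernel_status "${1:-$(uname -r)}"
```

A KernelCare livepatch does not change `uname -r`, so a `below-baseline` result on a livepatched node should be resolved with the `kcarectl --patch-info` check from Step 2 rather than treated as unpatched.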
Step 5: Run The cPanel IOC Check
For CVE-2026-41940, use cPanel’s current official indicator-check guidance from the advisory. Review the script before running it and keep the output private for incident response.
- Open the official cPanel advisory.
- Download the current indicator-check script from cPanel.
- Review it locally before use.
- Run it as root during a maintenance or incident-response window.
- Keep findings private and rotate credentials if indicators are found.
If indicators show up, assume the hosting node may be compromised. Rotate root and WHM credentials, review WHM access logs, inspect customer accounts for suspicious PHP files, check cron, and notify affected customers if the investigation confirms exposure.
Emergency Mitigation
If cPanel cannot be patched immediately, disable service subdomains and stop exposed cPanel services until a supported update path is ready.
whmapi1 set_tweaksetting key=proxysubdomains value=0
/scripts/proxydomains remove
/scripts/rebuildhttpdconf
/scripts/restartsrv_httpd
whmapi1 configureservice service=cpsrvd enabled=0 monitored=0
whmapi1 configureservice service=cpdavd enabled=0 monitored=0
/scripts/restartsrv_cpsrvd --stop
/scripts/restartsrv_cpdavd --stop
