This guide is for WHM/cPanel servers running Ubuntu 24.04 LTS. cPanel’s current Ubuntu requirements list Ubuntu 24.04 LTS as the supported Ubuntu version, so do not use this as a generic Ubuntu 20.04 or 22.04 cPanel guide unless your cPanel branch and vendor support contract explicitly say otherwise.
The fix path is simple but has to be done in the right order: update cPanel for CVE-2026-41940, update Ubuntu packages and the kernel for CVE-2026-31431 Copy Fail, reboot, then verify.
Confirm The Server
cat /etc/os-release
/usr/local/cpanel/cpanel -V
uname -r
df -h / /boot /usr/local/cpanel
systemctl get-default
cPanel supports AppArmor on Ubuntu and does not require you to disable it. SELinux should not be installed for cPanel on Ubuntu.
Step 1: Patch cPanel And WHM
/scripts/upcp --force
/usr/local/cpanel/cpanel -V
/scripts/restartsrv_cpsrvd --hard
If the cPanel update fails, do not move on and call the server done. CVE-2026-41940 is in the cPanel software layer, not the Ubuntu kernel.
Step 2: Patch Ubuntu Packages And Kernel
Copy Fail is a kernel issue. cPanel notes that Ubuntu should be patched by updating to the latest kernel. Start with the normal package update flow.
apt update
apt list --upgradable
DEBIAN_FRONTEND=noninteractive apt upgrade
If your server tracks the generic Ubuntu kernel packages, make sure the kernel image and headers are upgraded.
apt install --only-upgrade linux-image-generic linux-headers-generic
reboot
Step 3: Verify After Reboot
uname -r
dpkg -l 'linux-image*' | grep '^ii'
/usr/local/cpanel/cpanel -V
systemctl status cpanel --no-pager
/scripts/restartsrv_cpsrvd --status
If you run a provider-specific kernel, check Ubuntu’s CVE tracker and your provider’s release notes for the exact fixed package. The important part is not just that `apt upgrade` ran. The server must be running a kernel that includes the Copy Fail fix.
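An added example, not part of the original guide or cPanel's tooling: a shell check for Step 3 that reports whether the running kernel is the newest installed image of its flavour, and whether the temporary `initcall_blacklist=algif_aead_init` boot argument is still set. The function names, status words and sample package rows are constructed for illustration. A `CURRENT` result shows the reboot took effect, not that the image contains the fix, which still has to be confirmed against Ubuntu's CVE tracker.

```sh
#!/bin/sh
# Added example: post-reboot kernel check. Names and sample data are illustrative.

# Constructed `dpkg -l 'linux-image*'` rows (not captured from a real server).
SAMPLE_DPKG='ii  linux-image-6.8.0-31-generic   6.8.0-31.31    amd64  Signed kernel image
ii  linux-image-6.8.0-100-generic  6.8.0-100.100  amd64  Signed kernel image
ii  linux-image-6.8.0-1099-aws     6.8.0-1099.1   amd64  Signed kernel image
rc  linux-image-6.8.0-20-generic   6.8.0-20.20    amd64  Signed kernel image
ii  linux-image-generic            6.8.0-100.100  amd64  Generic kernel image'

# installed_kernels FLAVOUR: read dpkg -l rows on stdin and print installed
# kernel releases of that flavour, oldest to newest. Only "ii" rows for
# versioned images count, so "rc" leftovers and meta packages are ignored.
installed_kernels() {
    awk -v fl="$1" '$1 == "ii" && $2 ~ /^linux-image-(unsigned-)?[0-9]/ {
        sub(/^linux-image-(unsigned-)?/, "", $2)
        if (fl == "" || $2 ~ ("-" fl "$")) print $2
    }' | sort -V -u
}

# kernel_state RUNNING NEWEST CMDLINE: print one status word.
kernel_state() {
    if [ -z "$2" ]; then echo UNKNOWN; return; fi            # no image rows parsed
    if [ "$1" != "$2" ]; then echo REBOOT_NEEDED; return; fi # newer image not booted
    case " $3 " in
        *" initcall_blacklist="*algif_aead_init*) echo CURRENT_MITIGATION_STILL_SET ;;
        *) echo CURRENT ;;
    esac
}

# check_host: run the same check against the live system.
check_host() {
    running=$(uname -r)
    newest=$(dpkg -l 'linux-image*' | installed_kernels "${running##*-}" | tail -n 1)
    kernel_state "$running" "$newest" "$(cat /proc/cmdline)"
}

# Run against the live server only when asked: sh kernel_check.sh --live
if [ "${1:-}" = "--live" ]; then check_host; fi
```

`REBOOT_NEEDED` means a newer image of the running flavour is on disk but not booted; `CURRENT_MITIGATION_STILL_SET` means the boot argument should be removed once the fixed kernel is confirmed.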
Step 4: Run The cPanel IOC Check
For the cPanel authentication bypass, use cPanel’s official detection script from the advisory. Save the current version, review it, and run it as root.
vi /root/ioc_checksessions_files.sh
chmod 700 /root/ioc_checksessions_files.sh
bash /root/ioc_checksessions_files.sh --verbose
Temporary Mitigation If A Kernel Fix Is Not Available
If Ubuntu packages are not available from your vendor yet, prefer the vendor’s official mitigation. If you must disable the affected init path temporarily, back up GRUB first and add the `initcall_blacklist` boot argument. Remove this once a fixed kernel is installed.
cp /etc/default/grub /root/grub.$(date +%F).bak
grep -q 'initcall_blacklist=algif_aead_init' /etc/default/grub ||
sed -i 's/^\(GRUB_CMDLINE_LINUX="\)/\1initcall_blacklist=algif_aead_init /' /etc/default/grub
update-grub
reboot
To remove the temporary mitigation after a fixed kernel is installed, restore the GRUB backup or remove the argument and run `update-grub` again.
If This Is Ubuntu 22.04
Do not assume a modern cPanel update path exists. cPanel’s current Ubuntu system requirements list Ubuntu 24.04 LTS. If you still have an older Ubuntu cPanel host, treat it as a migration project: build a supported cPanel server, transfer accounts, lower DNS TTLs, and retire the old node.


