Copy Fail - CVE-2026-31431 and FreePBX

tmittelstaedt · May 1, 2026, 5:18am

The intent of this post is to cover some basic security precautions that should be followed with PBXs that will minimize exposure to vulnerabilities. I am not writing this for those of you who are experienced and have been running FreePBX for years. This is for those new to FreePBX. Right now the social media AND the national news cycle are going bananas over this vulnerability because of the seriousness and the fact it’s been there in the Linux kernel for a decade, and that it’s so easy to exploit. The usual parties - shills funded by commercial software houses - usually, are stirring the pot with their “this is why open source software is bad” narratives, and there is a LOT of repeated information that really doesn’t tell anyone, anything.

FreePBX 17 at the current time of this writing requires Debian 12. Debian 12 is currently vulnerable to this security hole. Thus, any FreePBX is vulnerable. Period. See the following:

CVE-2026-31431

Note that this is being worked on as I write this. It may be fixed tomorrow. Or a week from now.

Note that Ubuntu Linux is derived from Debian but it’s not a simple modified Debian distribution, basically Ubuntu and Debian are braided together. And Ubuntu is big. I mean, REALLY BIG. It’s the largest Linux distro out there. What is going on in Ubuntu-land goes hand in hand with Debian-land and right now Ubuntu is a madhouse. It’s so bad in fact that the ubuntu.com website went off the Internet today, it is offline right now as I write this.

All of this was intentional. The security researcher who found this hole wasn’t working alone. He’s part of a startup company that is trying to make a name for itself by smashing big giant plate glass windows. This company setup a special vanity domain to boast about this:

Copy Fail — CVE-2026-31431

And more importantly - they are PROMISING more to come, more windows will be smashed. This is detailed here:

Copy Fail: 732 Bytes to Root on Every Major Linux Distribution. - Xint

The quote is:

“…The scan also identified other high severity vulnerabilities, including another privilege escalation bug. These other bugs are still in the responsible disclosure process…”

So this isn’t going to be the first go around. This company is going to continue dribbling out these vulnerabilities, and engineering them as Zero-Days, to send the news feeds a-twitter. It’s pure advertising for them and they don’t really care how many people they screw over doing it. The responsible thing would have been to package ALL vulnerabilities they found into one omnibus kernel patch and be done with it. But that isn’t going to get the best advertising for them.

All of this means that it’s incumbent on anyone setting up a FreePBX system to really focus on doing it in a secure manner because the really bad actors - Russian Mafia, etc. - are working on exploits right now. These idiots at Xinit Code are laying out how they are going about what they are doing, and giving deep pocket dictatorships and organized crime a roadmap to do the same thing.

So how do you secure against this? Well, that is the point of this post! Here are MY guidelines for doing it. Hopefully more experienced members here on this forum will add theirs.

Don’t setup a FreePBX system with an unrestricted SIP port that any phone on any network on the Internet can register into. Yes I know you have dreams of making a million dollars selling Cloud PBXes. So do a ton of other people almost all of them could do it better than you. Just please - let go the dream.
use network access lists on your firewall/border gateway router to restrict incoming traffic to your PBX system to specific IPs. If you subscribe to a SIP provider on the Internet, great. Make them give you their source IPs for their trunks.
For “roaming” softphones use a VPN. You can run a VPN client on your cell phone, on your laptop, on your tablet, and VPN into a VPN server on your network. Then you can run your softphone and register into your PBX and go to town.
Do not expose the FreePBX webserver to ANY remote IP address other than the subnet you configure it from. Set the Require IP directives in /etc/apache2/sites-available/freepbx.conf
FreePBX should NOT be run on a “shared” server. Yes, the FreePBX system is a webserver. Yes you can setup multiple sites on it. But you are just expanding the attack surface.
This vulnerability is going to be most useful to a remote attacker in conjunction with other exploits so the more stuff you put on the PBX server the more potential stuff that can get exploited will be on it.
Don’t go off-script. Unless you know what you are doing, don’t compile your own Asterisk, don’t use chan_sip, don’t try to beat FreePBX into some Arm-based thing you bought for $10 off AliBaba, or some Piece of Garbage antique laptop that everyone in your family threw in the garbage that you “rescued” Use a standard desktop, with a hard disk, with a real ethernet port, and a real keyboard mouse and monitor.
Virtualizing a PBX while it brings lots of benefits, (and it’s what I do, incidentally) is advanced stuff.
Sticking a PBX into a cloud virtual server is also advanced stuff. Incidentally one of the big threats that Xinit is making is “It is a container escape primitive and a Kubernetes node compromise vector” In other words, they are saying someone could use a variant of this to break out of some Amazon Web Services virtual image and trash 10,000 AWS VMs.

Anyway, there you go - the basics! Have phun!

tmittelstaedt · May 3, 2026, 10:50pm

An update on this. Debian has updated its “bookworm” kernel to 6.1.170-1 which has fixed this vulnerability.

A brand new installation of Debian 12 from any Debian 12 install media you may have downloaded will run an apt full-upgrade as part of the installation and download and install the fixed kernel.

david55 · May 3, 2026, 11:10pm

They don’t seem to have pushed the binaries out to their repository servers yet, at least not for amd64. The status page is for the source code. Binary is still at 6.1.0.45.

[This seems to have been a confusion about how Debian handle version numbers for kernel packages, see below.]

On the other hand, it is Local Privilege Elevation vulnerability and most people have Asterisk configuration owned by the account under which it runs, so you are already in big trouble if someone is in a position to exploit it, assuming they gained access through Asterisk.

tmittelstaedt · May 4, 2026, 4:54am

DAHDI also has not been rebuilt by Sangoma yet for the new kernel, which will be a serious problem since the Debian 12 installer does not seem to have an option to bypass the kernel update, assuming you use it.

tmittelstaedt · May 4, 2026, 5:02am

I noticed that.

I just ran a Debian 12 install earlier and it did install the 170 kernel.

tedm@phoney:~$ uname -a
Linux phoney 6.1.0-45-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.170-1 (2026-04-30) x86_64 GNU/Linux
tedm@phoney:~$

Maybe they have no intention of updating the binaries?

penguinpbx · May 4, 2026, 2:58pm

That is a longer QA cycle. Users installing with the FreePBX v17 shell script with the DAHDI option – or the corollary FreePBX v17 ISO using INT, PUB, or UPG spice levels, which wrap up that shell installer with the DAHDI option – are locked into kernels that were manually internally QA’d with many, many different interface cards.

Related, there were a bunch of kernel compatibility and other updates recently committed into DAHDI, so further assistance manually building, testing and opening issues with the latest kernel patches that address this particular CVE would be much appreciated (especially on other distros):

david55 · May 7, 2026, 12:05am

It seems Debian have a funny numbering systems for kernels. They have a package name, with what looks like a version number, but is not the package version number.

I think 6.1.170-1 is the fixed version, and I haven’t noticed any kernel updates since I wrote the above, so I think it was fixed, then.

shahin · May 7, 2026, 10:36am

Yes i can see that version.
http://deb.debian.org/debian-security`` bookworm-security/main amd64 linux-image-amd64 amd64 6.1.170-1 [1,480 B]

cyberco · May 8, 2026, 1:16am

Useful info on testing vulnerability and immediate mitigation is at , mitigation is needed on new fpbx 17 boxes while waiting for kernel upgrade

github.com/haydenjames/CVE-2026-31431-check

cve-2026-31431.sh

main

#!/bin/bash
# cve-2026-31431.sh
# Quick check for the algif_aead local root vuln. Safe to run anywhere,
# doesn't run exploit code, just inspects kernel config and module state.
#
# Usage:
#   ./cve-2026-31431.sh           # full report
#   ./cve-2026-31431.sh -q        # one-line summary (good for fleet runs)
#   ./cve-2026-31431.sh -h        # help
#
# Exit: 0 ok, 1 vulnerable, 2 unknown

set -u

QUIET=0
case "${1:-}" in
    -q|--quiet) QUIET=1 ;;
    -h|--help)
        sed -n '2,11p' "$0" | sed 's/^# \?//'
        exit 0

This file has been truncated. show original

hecatae · May 8, 2026, 9:24am

Dirty Frag, incoming:

gregarican · May 8, 2026, 11:30am

Splendid. Quick question. Looking at these LPE exploits through the lens of FPBX, if your FPBX server only has whitelisted external access for company LAN’s and SIP trunking providers (all else cannot connect), then the severity is a little lessened, correct? Figure the Internet at-large doesn’t have SSH access or access any of the web endpoints.

kierknoby · May 8, 2026, 11:48am

It’s a local privilege escalation. The exploit needs someone already on the box as an unprivileged user. If you run FreePBX behind a firewall, with shell access locked down, you’re not the target. However, if your LAN gets breached, or a FreePBX module has a vulnerability of its own, you have a problem. This is why a migration to v17 needs to be done sooner rather than later.

hecatae · May 8, 2026, 11:50am

agreed, another one is here:

I’m not sure many people will be affected unless they have created local user accounts for people to retrieve CDRS etc over SFTP for example.

FreePBX v16 is definitely proving to be out of date though.

BlazeStudios · May 8, 2026, 12:00pm

No, it doesn’t lessen the severity of the exploit. It helps you mitigate the exploit. As well, having things locked down at the firewall doesn’t mean it makes you 100% safe from things either. Now I got laughed at in another forum when I brought this up.

It doesn’t matter how secure your firewall is or that you have a secure and encrypted VPN if you’re not securing the weakest point of the chain you are still exposed. The weakest point in the chain is all the endpoints that connect to your secured network and VPN. If a PC is infected with malware or other bad code/apps then your security is moot since that security is for protecting against outside attacks.

Human engineering is now the most used and preferred way to get into secured networks because people tend to forget to protect their own devices. Their phones, tablets, PCs, laptops, etc.. Connecting unprotected devices/endpoints to your network exposes you to all sort of nasty things that can happen.

Also there are things like InfoStealer (which got 16 Billion creds/configs between June 2024 and June 2025) and things like InfoStealer just don’t take your credentials, they take the entire configs/setup to mimic you. So you got that secured Tailscale VPN running but one of PCs using Tailscale for remote connections has InfoStealer on it…InfoStealer is going to get the public and private key pairs on your system and the details to connect to the VPN. Next thing they are connecting to your VPN with a trusted key pair.

So having a secured firewall, locked down network, secure and encrypted VPN does make your network safer and more secure but the moment Jane from accounting fires up her PC infected with the malware Jane installed last night by clicking a link she didn’t understand the entire network is now compromised as that malware moves through it.

gregarican · May 8, 2026, 12:14pm

Very true and wise words. And overconfidence in the security environment can lead to complacency. Which is also a fail point for sure. Always best to be pessimistic and paranoid when it comes to security. The people between the keyboards and the chairs are usually the weak point.

Thinking back a few steps, when you consider how many Linux-based devices might be on internal networks, this would be a big deal if Jane from accounting was to fall for something. SIP desk phones, ATA’s, switches, IAD’s, RFID readers, etc. For any devices left with the factory default admin password in place (always a worst business practice), this can make one’s head spin.

Vitaliy · May 8, 2026, 5:39pm

Not if endpoints are part of vpn network and you maintain ACL in your vpn solution plus freepbx firewall has whitelist tied to specific IPs of endpoints and not entire subnet. Zero trust policy and up to date firmware is a must nowadays

BlazeStudios · May 8, 2026, 5:47pm

VPN tunnels don’t care what goes over them. It doesn’t matter if the device you’ve attached to the network is ACL’d by MAC or other methods, infected is infected. There’s reasons things like having endpoint protection (and not freeware versions) and limited user access and rights on company devices is policy in a lot of organizations.

BlazeStudios · May 8, 2026, 6:57pm

Again, that would be the endpoint part I’m talking about. If the endpoint at 192..5 is infected…

tmittelstaedt · May 9, 2026, 11:34pm

It’s also because cyber insurance companies like to sue endpoint protection companies and get some money if they find out their customer has followed all recommendations by that company yet still gets broken into. Freeware endpoint protection solutions, well they don’t have any money to get in a lawsuit.

Ultimately the issue isn’t whether someone is going to break in but how quickly you can recover. If you’re backing up to “the cloud” for example, and it takes a week for a full restore of all your servers to be pulled over your Internet connection, you kind of have a problem…

tmittelstaedt · May 9, 2026, 11:37pm

Correct.

The saving grace seems to be there’s enough idiots out there easier to break in than me so maybe I might not get gunned. Sigh.