I wanted to flag a serious Linux kernel vulnerability that was publicly disclosed this week — CVE-2026-31431, nicknamed “Copy Fail” — and ask whether anyone has guidance specific to Raspberry Shake devices.
The short version: it’s a local privilege escalation bug in the Linux kernel’s crypto subsystem (the algif_aead module) that has been present since 2017. A public 732-byte Python exploit exists that reliably gets root on Ubuntu, Amazon Linux, RHEL, and SUSE — and it’s expected to work on any Linux kernel built since 2017, which includes Raspberry Pi OS.
My Shake is internet-facing, so I’m treating this as a priority.
I’ve already applied the recommended interim mitigation on my other Linux machines (blocking the algif_aead module via modprobe.d, which doesn’t require a reboot and doesn’t affect SSH, OpenSSL, or normal crypto operations). That same mitigation should be safe to apply to the Shake, but I wanted to check before doing a full kernel upgrade.
My questions:
Has anyone confirmed whether sudo apt update && sudo apt full-upgrade is safe to run on a Shake without breaking the seismic software?
Is there an official Raspberry Shake update procedure we should follow for kernel upgrades?
Has the team looked at this CVE and is any guidance coming?
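The modprobe.d mitigation mentioned in the post above can be audited with a short script; this is an added example, not part of the original thread and not Raspberry Shake's or any vendor's own tooling. It assumes "blocking" means an `install algif_aead /bin/false` override, and the function names and status strings are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a modprobe.d block for one kernel module.
# Assumption: the block is an "install <module> /bin/false" (or /bin/true) line.
# Not covered: a kernel with the module built in, where modprobe.d has no effect.

# Print "install", "blacklist" or "none" for module $1 in config dir $2.
rule_for() {
    for f in "$2"/*.conf; do
        if [ -f "$f" ]; then cat "$f"; fi
    done | awk -v m="$1" '
        /^[ \t]*#/ { next }                      # comment lines are ignored
        NF >= 2 {
            name = $2; gsub(/-/, "_", name)      # modprobe treats - and _ alike
            if ($1 == "install" && name == m &&
                $3 ~ /^(\/usr)?\/bin\/(false|true)$/) inst = 1
            if ($1 == "blacklist" && name == m) bl = 1
        }
        END { print (inst ? "install" : (bl ? "blacklist" : "none")) }'
}

# $1 = module, $2 = modprobe.d directory, $3 = /proc/modules-style file.
audit_module() {
    rule=$(rule_for "$1" "$2")
    if grep -q "^$1 " "$3" 2>/dev/null; then loaded=loaded; else loaded=absent; fi
    case "$rule:$loaded" in
        # Future loads are refused and nothing is resident.
        install:absent) echo "BLOCKED" ;;
        # The override does not unload a module that is already in memory.
        install:loaded) echo "LOADED_NEEDS_RMMOD" ;;
        # blacklist only makes modprobe ignore the module's aliases;
        # a request by module name still loads it.
        blacklist:*)    echo "BLACKLIST_ONLY" ;;
        *)              echo "UNMITIGATED" ;;
    esac
}

# Defaults check the live system; pass other paths to test against samples.
audit_module algif_aead "${1:-/etc/modprobe.d}" "${2:-/proc/modules}"
```

Only `/etc/modprobe.d` is read by default; run it again against `/run/modprobe.d` and `/usr/lib/modprobe.d` if your distribution places overrides there.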
just like bugs, not all security vulnerabilities are equal in terms of threat level.
the “copy fail” vulnerability you refer to, by itself, can only be exploited by a user already logged on to the machine in question. and since the only non-root user on a Shake device is myshake, which already has full access to sudo, there is no increased risk.
thus, for a standard Shake deployment, this does not materially increase the practical risk, because exploitation requires local code execution and the only normal non-root account already has sudo access.
when you say your Shake is internet-facing, what do you mean, exactly? that it is being assigned a public IP? if so, this is highly discouraged, as documented in the Shake manual, since this removes a layer of protection against break-ins by bad actors. but even in this case, if a bad actor were to successfully access the Shake via the user myshake, they would have access to sudo anyway.
as always, it is our strong recommendation that a Shake be located behind a local router, thus being assigned a local IP address, also making it not connected directly to the internet. in this case, the Shake is protected against outside intruders in the same way that all your LAN-connected devices are also protected.
to your questions directly:
since the Shake is an appliance, and not a general-use computer, upgrading the OS in-place is not recommended, nor necessary, when our published security guidelines are followed.
now that the latest Shake-OS has been upgraded to V21, upgrading the underlying Raspbian OS is on the near-future roadmap.
as stated above: this newly identified vulnerability has no direct effect on the Shake device, nor is there anything that needs to be done, by us or the end-user, to bring the Shake into a more secure state than it was before.
thanks for your post, i hope to have eased your concerns in clarifying the situation for you.