We Red-Teamed Ourselves on CVE-2026-31431


A kernel vulnerability, designated "Copy Fail" (CVE-2026-31431), has recently been disclosed. It enables unprivileged processes to corrupt the page cache. In a shared hosting environment, this is a significant security concern for a Chief Information Security Officer (CISO), particularly when clients use application management wrappers that use SSH, such as WPTerm or Terminus.

Pantheon ran a comprehensive red team audit of our production containers against this exploit: not just a quick scan of common entry points, but a full adversarial exercise designed to find real failure modes.

The result: We passed. If you're a Pantheon customer running workloads on our infrastructure, you don't need to take any action; our platform was immune to this attack by design.

Our container security posture neutralized the exploit even though the underlying kernel version falls within the vulnerable range. The environment's existing controls did the work.

What you can do

We regularly partner with a specialized security firm to conduct container breakout testing as part of our proactive measures. This is what rigorous, defense-in-depth security looks like.

This defense-in-depth approach is core to how we operate. While we handle infrastructure security, your site's security is a shared responsibility. Take action now: Audit your website's components.

  • Review all plugins and themes: Ensure every component is up to date and from a verified source to avoid vulnerabilities. Outdated software is a common gateway for attacks.
  • Remove dormant accounts and unnecessary plugins: Delete inactive accounts and components that are ripe targets for hijacking.
  • Ensure you are using a unique password for your account.

Patch status and ongoing monitoring

While our existing container security controls successfully neutralized this exploit in our red team exercise, we want to be transparent about the current state of upstream patching. Official kernel patches for our underlying infrastructure from upstream vendors are not yet available. We are actively monitoring the situation and are in contact with Google specifically, which has acknowledged the issue and is working on a resolution. We will apply these patches in adherence to our established patching standards as soon as they become available. In the meantime, our existing mitigations remain in place, and we are evaluating additional safeguards.

We are also aware that some vulnerability scanning tools may not reliably flag all affected server configurations at this time, a limitation we are tracking closely.

Timeline summary:

  • CVE disclosed: April 29, 2026
  • Initial internal validation, which led us to open a security incident and begin further testing: 16:45 MDT, April 29
  • Conclusive "not affected" determination: 22:27 MDT, April 29

Author

Joey Stanford
