Copy-fail-destroyer: K8s remediation for CVE-2026-31431
15 points by evenh
by antiloper
3 subcomments
Blacklisting a kernel module only prevents modprobe from loading it automatically. modprobe by name still works, even if the module is blacklisted, and so do insmod and the syscalls they use.
The author is way above their head and thinks that because they can write Copilot prompts they can write security-critical software.
by cassianoleal
1 subcomments
Yeah, run a highly privileged, node-level workload by an Internet stranger to mitigate against a kernel vulnerability. No thanks.
In any case, this unloads the module, which does nothing if it's compiled into the kernel, as in GKE.
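Added example, not part of the thread or of the project under discussion: a node-side check for the two points raised in the comments above, whether a module is only blacklisted (so `modprobe <name>` still loads it) and whether it is compiled into the kernel (so unloading it changes nothing). The module name `example_mod`, the function names and all file contents are constructed placeholders; note that insmod does not read modprobe configuration at all, so even an `install` override only governs modprobe.

```shell
#!/bin/sh
# Added example. "example_mod" and all file contents below are constructed.

norm() { printf '%s' "$1" | tr '-' '_'; }   # modprobe treats - and _ alike

# module_load_state MODULE CONF_DIR BUILTIN_LIST
# Prints: builtin | install-override | blacklist-only | unrestricted
module_load_state() {
    mod=$(norm "$1"); conf_dir=$2; builtin_list=$3

    # modules.builtin lists code compiled into the kernel image, one path per
    # line (kernel/.../name.ko). Unloading or blacklisting cannot affect it.
    if [ -r "$builtin_list" ] &&
       sed 's#.*/##; s#\.ko.*$##' "$builtin_list" | tr '-' '_' | grep -qxF "$mod"
    then
        echo builtin; return 0
    fi

    state=unrestricted
    for f in "$conf_dir"/*.conf; do
        [ -r "$f" ] || continue
        while read -r kw name rest; do
            [ "$(norm "$name")" = "$mod" ] || continue
            case "$kw" in
                blacklist)
                    # Only suppresses alias-based autoloading.
                    state=blacklist-only ;;
                install)
                    # modprobe runs this command instead of loading the module.
                    case "$rest" in
                        /bin/false*|/bin/true*|/usr/bin/false*|/usr/bin/true*)
                            echo install-override; return 0 ;;
                    esac ;;
            esac
        done < "$f"
    done
    echo "$state"
}

# Constructed demo input; on a real node pass /etc/modprobe.d and
# /lib/modules/$(uname -r)/modules.builtin (modprobe reads other dirs too).
demo() {
    d=$(mktemp -d)
    printf 'blacklist example_mod\n' > "$d/a.conf"
    : > "$d/modules.builtin"
    module_load_state example_mod "$d" "$d/modules.builtin"   # blacklist-only
    printf 'install example_mod /bin/false\n' > "$d/b.conf"
    module_load_state example-mod "$d" "$d/modules.builtin"   # install-override
    rm -rf "$d"
}
demo
```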
by parliament32
0 subcomment
The k8s remediation is setting allowPrivilegeEscalation to false, which you should have already been doing if you follow the in-tree Pod Security Standards at the Restricted profile.
by __turbobrew__
0 subcomment
Just use Chef or whatever configuration management system of choice.