Linux kernel (IoT) vulnerabilities
Published: Tue, 26 May 2026 19:55
Summary
Several security issues were fixed in the Linux kernel.
Details
It was discovered that the Linux kernel algif_aead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-31431) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Cryptographic API; - Packet sockets; - TLS protocol; (CVE-2026-31504, CVE-2026-31533, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078)
Recommended actions per Ubuntu release
StackPatch playbook auto-generated per release codename and per affected package.
Ubuntu focal
linux-iot→5.4.0-1063.66apt_upgradeStandard apt upgrade. Install 5.4.0-1063.66 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-iot
Most apt upgrades restart their service automatically. needrestart lists anything else.
linux-buildinfo-5.4.0-1063-iot→5.4.0-1063.66apt_upgradeStandard apt upgrade. Install 5.4.0-1063.66 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-buildinfo-5.4.0-1063-iot
Most apt upgrades restart their service automatically. needrestart lists anything else.
linux-headers-5.4.0-1063-iot→5.4.0-1063.66kernel_rebootKernel package — apt-upgrade then REBOOT to load the patched kernel.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-headers-5.4.0-1063-iot sudo reboot
Reboot is required. ~30-60s downtime; containers self-restart.
linux-headers-iot→5.4.0.1063.61kernel_rebootKernel package — apt-upgrade then REBOOT to load the patched kernel.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-headers-iot sudo reboot
Reboot is required. ~30-60s downtime; containers self-restart.
linux-headers-iot-5.4→5.4.0.1063.61kernel_rebootKernel package — apt-upgrade then REBOOT to load the patched kernel.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-headers-iot-5.4 sudo reboot
Reboot is required. ~30-60s downtime; containers self-restart.
linux-image-5.4.0-1063-iot→5.4.0-1063.66kernel_rebootKernel package — apt-upgrade then REBOOT to load the patched kernel.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-image-5.4.0-1063-iot sudo reboot
Reboot is required. ~30-60s downtime; containers self-restart.
linux-image-iot→5.4.0.1063.61kernel_rebootKernel package — apt-upgrade then REBOOT to load the patched kernel.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-image-iot sudo reboot
Reboot is required. ~30-60s downtime; containers self-restart.
linux-image-iot-5.4→5.4.0.1063.61kernel_rebootKernel package — apt-upgrade then REBOOT to load the patched kernel.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-image-iot-5.4 sudo reboot
Reboot is required. ~30-60s downtime; containers self-restart.
linux-image-unsigned-5.4.0-1063-iot→5.4.0-1063.66kernel_rebootKernel package — apt-upgrade then REBOOT to load the patched kernel.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-image-unsigned-5.4.0-1063-iot sudo reboot
Reboot is required. ~30-60s downtime; containers self-restart.
linux-iot→5.4.0.1063.61apt_upgradeStandard apt upgrade. Install 5.4.0.1063.61 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-iot
Most apt upgrades restart their service automatically. needrestart lists anything else.
linux-iot-5.4→5.4.0.1063.61apt_upgradeStandard apt upgrade. Install 5.4.0.1063.61 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-iot-5.4
Most apt upgrades restart their service automatically. needrestart lists anything else.
linux-iot-headers-5.4.0-1063→5.4.0-1063.66apt_upgradeStandard apt upgrade. Install 5.4.0-1063.66 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-iot-headers-5.4.0-1063
Most apt upgrades restart their service automatically. needrestart lists anything else.
linux-iot-tools-5.4.0-1063→5.4.0-1063.66apt_upgradeStandard apt upgrade. Install 5.4.0-1063.66 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-iot-tools-5.4.0-1063
Most apt upgrades restart their service automatically. needrestart lists anything else.
linux-modules-5.4.0-1063-iot→5.4.0-1063.66kernel_rebootKernel package — apt-upgrade then REBOOT to load the patched kernel.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-modules-5.4.0-1063-iot sudo reboot
Reboot is required. ~30-60s downtime; containers self-restart.
linux-tools-5.4.0-1063-iot→5.4.0-1063.66apt_upgradeStandard apt upgrade. Install 5.4.0-1063.66 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-tools-5.4.0-1063-iot
Most apt upgrades restart their service automatically. needrestart lists anything else.
linux-tools-iot→5.4.0.1063.61apt_upgradeStandard apt upgrade. Install 5.4.0.1063.61 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-tools-iot
Most apt upgrades restart their service automatically. needrestart lists anything else.
linux-tools-iot-5.4→5.4.0.1063.61apt_upgradeStandard apt upgrade. Install 5.4.0.1063.61 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y linux-tools-iot-5.4
Most apt upgrades restart their service automatically. needrestart lists anything else.
Are YOU affected by USN-8280-3?
5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8280-3 (and any other live CVE) applies. Anonymous, no signup.
curl https://mindsparkstack.com/scan.sh | bash
StackPatch runs this match against YOUR installed packages every hour
Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.