Security Advisory: cPanel/WHM and Linux Vulnerabilities Affecting Hosting Servers

Namhost is issuing this advisory to help VPS and Dedicated Server clients understand a series of recent security vulnerabilities affecting hosting environments.

These issues are not limited to one vendor, one product, or one control panel. The current situation involves both vulnerabilities in cPanel & WHM and vulnerabilities in the Linux kernel and related Linux distributions used by many hosting servers.

This advisory is intended to help server owners understand the risk, identify whether their servers may be affected, and take appropriate action.

Overview

Affected systems may include servers running cPanel/WHM, as well as Linux-based servers running distributions such as AlmaLinux, Rocky Linux, CloudLinux, Ubuntu, Debian, Red Hat Enterprise Linux, SUSE, Alpine Linux, and related platforms.

Hosting servers are layered systems. A typical server may include:

  • a Linux operating system;
  • a Linux kernel;
  • a control panel such as cPanel/WHM, DirectAdmin, Plesk, or another hosting panel;
  • web, mail, DNS, database, FTP, and SSH services;
  • customer websites, CMS platforms, scripts, plugins, and applications.

A vulnerability in any one of these layers can create risk. In some cases, one vulnerability can be used to gain initial access, while another vulnerability can be used to increase privileges or gain root-level control.

For this reason, the recent security situation should not be viewed only as a “cPanel issue”. cPanel/WHM is one affected component, but there are also wider Linux kernel vulnerabilities that may affect servers regardless of the control panel in use.

Recent cPanel/WHM vulnerabilities

One of the most serious recent issues is CVE-2026-41940, a cPanel & WHM authentication vulnerability. cPanel states that security updates were released on 28 April 2026 to address an authentication issue in the session management layer.

The National Vulnerability Database describes CVE-2026-41940 as an authentication bypass vulnerability in cPanel and WHM that may allow unauthenticated remote attackers to gain unauthorised access to the control panel.

cPanel has also published updates for additional vulnerabilities, including:

  • CVE-2026-29201: an arbitrary file read issue involving the feature::LOADFEATUREFILE adminbin call;
  • CVE-2026-29202: a Perl code injection issue involving the create_user API call;
  • CVE-2026-29203: an unsafe symlink handling issue that may allow denial of service or possible privilege escalation.

cPanel has released patched versions for these issues and recommends updating affected servers using the standard cPanel update process.

Servers that are version-pinned, running unsupported versions, or have automatic updates disabled may require manual intervention.

Recent Linux kernel vulnerabilities

In addition to the cPanel/WHM vulnerabilities, there are also recent Linux kernel vulnerabilities that may affect hosting servers. These issues exist at the operating system kernel level and are not limited to cPanel.

Kernel-level vulnerabilities are significant because they may allow a local user or process to escalate privileges and gain root-level access. On hosting servers, this risk is especially important because servers often run multiple websites, user accounts, applications, scheduled tasks, and services.

Dirty Frag

A Linux kernel vulnerability known as Dirty Frag has been disclosed. cPanel’s own advisory states that Dirty Frag is a Linux kernel vulnerability that may allow local privilege escalation to the root user, and that it exists in the Linux kernel itself rather than only in cPanel.

AlmaLinux states that Dirty Frag affects every supported AlmaLinux release and involves two kernel bugs tracked as CVE-2026-43284 and CVE-2026-43500.

CloudLinux describes Dirty Frag as a Linux kernel local privilege escalation issue in the IPsec ESP and RxRPC areas, with a public proof-of-concept available.

Copy Fail / CVE-2026-31431

Another Linux kernel vulnerability, known as Copy Fail and tracked as CVE-2026-31431, has also been disclosed.

Copy Fail affects Linux systems running vulnerable kernel versions, including kernel versions in the 4.14 and newer range where the affected kernel code is present. The issue relates to the Linux kernel’s cryptographic subsystem, including the algif_aead / AF_ALG area.

This is a kernel-level local privilege escalation issue. In practical terms, this means that an attacker or malicious process with limited local access may be able to attempt privilege escalation to root if the server is running an affected and unpatched kernel.

Copy Fail is not a cPanel-specific vulnerability. It may affect servers running different control panels or no control panel at all, depending on the Linux distribution, kernel version, and patch status.

Who may be affected?

You may be affected if you operate a VPS or Dedicated Server that uses any of the following:

  • cPanel & WHM;
  • WP Squared;
  • older or unsupported cPanel versions;
  • AlmaLinux;
  • Rocky Linux;
  • CloudLinux;
  • Ubuntu;
  • Debian;
  • Red Hat Enterprise Linux;
  • SUSE;
  • Alpine Linux;
  • CentOS-derived systems;
  • other Linux distributions using affected kernel versions.

Not every server is affected in the same way. Exposure depends on the control panel version, Linux distribution, kernel version, update status, enabled services, firewall rules, access controls, and whether the server shows signs of compromise.

How to check whether your server may be affected

The following checks should be performed by a qualified server administrator or technical contact. If Namhost manages your server, contact our support team before making major system changes.

1. Check your cPanel/WHM version

On a cPanel server, run:

/usr/local/cpanel/cpanel -V

You should compare the result against the patched versions listed in the official cPanel security advisories.

To update cPanel manually, cPanel recommends:

/scripts/upcp --force

After the update completes, verify the installed version again:

/usr/local/cpanel/cpanel -V

2. Check whether cPanel automatic updates are enabled

Review the cPanel update configuration:

cat /etc/cpupdate.conf

Servers that are pinned to older versions, set to manual updates only, or running unsupported branches may require manual intervention.
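
The following is an added example, not part of the original advisory and not cPanel's own tooling. It reads a cpupdate.conf-style file and reports whether the server follows a named release tier with daily updates, or is pinned or set to manual updates. The CPANEL and UPDATES keys and their values (the tier names, and daily, manual and never) are assumed from cPanel's update preferences; the verdict strings are this example's own.

```sh
#!/bin/sh
# Added example (not from the advisory): classify the update policy in a
# cpupdate.conf-style KEY=value file. Verdict strings are this example's own.

# cpupdate_value KEY FILE: print the value of KEY in lower case
# (comment lines skipped, last occurrence wins).
cpupdate_value() {
  awk -F= -v k="$1" '
    /^[ \t]*#/ { next }
    { key = $1; gsub(/[ \t]/, "", key) }
    key == k { val = $2; gsub(/[ \t\r]/, "", val) }
    END { print tolower(val) }' "$2"
}

# cpupdate_verdict FILE: print a one-line verdict.
# Exit status is 0 only when a named tier is updated automatically.
cpupdate_verdict() {
  [ -r "$1" ] || { echo "unreadable"; return 2; }
  tier=$(cpupdate_value CPANEL "$1")
  updates=$(cpupdate_value UPDATES "$1")
  case "$tier" in
    edge|current|release|stable|lts) ;;         # named tier
    '') echo "tier-unset"; return 1 ;;
    *)  echo "pinned:$tier"; return 1 ;;        # e.g. a version number
  esac
  case "$updates" in
    daily)        echo "auto:$tier" ;;
    manual|never) echo "manual-only:$updates"; return 1 ;;
    *)            echo "updates-unknown:${updates:-unset}"; return 1 ;;
  esac
}

# Constructed sample, not taken from a real server.
sample=$(mktemp)
printf 'CPANEL=11.110\nRPMUP=daily\nUPDATES=manual\n' > "$sample"
echo "sample verdict: $(cpupdate_verdict "$sample")"
rm -f "$sample"
# On a cPanel server: cpupdate_verdict /etc/cpupdate.conf
```

Any verdict other than auto:<tier> means the server will not pick up the patched cPanel build on its own and needs the manual update shown in step 1.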

3. Check your Linux distribution

Run:

cat /etc/os-release

This will show whether the server is running AlmaLinux, Rocky Linux, CloudLinux, Ubuntu, Debian, Red Hat Enterprise Linux, SUSE, Alpine Linux, or another Linux distribution.

4. Check your running kernel version

Run:

uname -r

Then compare the running kernel against your Linux distribution’s official security advisory and update guidance.

This check is important for kernel-level vulnerabilities such as Dirty Frag and Copy Fail.

5. Check whether kernel updates are available

For AlmaLinux, Rocky Linux, CloudLinux, Red Hat-based, and similar systems:

dnf update kernel

or, on older systems:

yum update kernel

For Ubuntu and Debian-based systems:

apt update
apt upgrade

In most cases, a kernel update requires a reboot before the server is actually running the patched kernel.

After rebooting, confirm the running kernel again:

uname -r
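
The reboot requirement above is easy to miss on servers that update automatically. The following added example (not part of the original advisory) compares the running kernel with the newest kernel installed on disk. It assumes that `sort -V` is available and that each installed kernel has a directory under /lib/modules named after its `uname -r` string.

```sh
#!/bin/sh
# Added example (not from the advisory): detect a kernel update that is
# installed on disk but not yet running because the server was not rebooted.
# Assumptions: `sort -V` is available, and every installed kernel has a
# directory under /lib/modules named after its `uname -r` string.

# Read version strings on stdin, print the highest one.
# Version sort matters: a plain sort ranks 6.8.0-9 above 6.8.0-10.
newest_kernel() {
  grep -v '^$' | sort -V | tail -n 1
}

# kernel_reboot_status RUNNING [MODULES_DIR]
# Prints current | reboot-needed:<newest> | running-newer | unknown.
# Exit status is 0 only for "current".
kernel_reboot_status() {
  running=$1
  dir=${2:-/lib/modules}
  [ -d "$dir" ] || { echo "unknown"; return 2; }
  newest=$(ls -1 "$dir" | newest_kernel)
  [ -n "$newest" ] || { echo "unknown"; return 2; }
  if [ "$running" = "$newest" ]; then
    echo "current"
    return 0
  fi
  highest=$(printf '%s\n%s\n' "$running" "$newest" | newest_kernel)
  if [ "$highest" = "$newest" ]; then
    echo "reboot-needed:$newest"
    return 1
  fi
  echo "running-newer"   # e.g. a custom kernel with no modules directory
  return 1
}

echo "running kernel: $(uname -r)"
echo "status: $(kernel_reboot_status "$(uname -r)")"
```

A result of "current" only shows that the newest installed kernel is the one running; whether that kernel contains the fix still has to be checked against the distribution's advisory. Live patching does not change `uname -r`, so servers using KernelCare should rely on the check in step 6 instead.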

6. If you use KernelCare, verify live patch status

If KernelCare is installed, check whether relevant patches have been applied:

kcarectl --update
kcarectl --patch-info

For Dirty Frag, administrators may check for relevant CVEs such as:

kcarectl --patch-info | grep CVE-2026-43284

For Copy Fail, administrators may check for:

kcarectl --patch-info | grep CVE-2026-31431

If there is no output, the running kernel may not yet be covered by the live patch and should be reviewed against vendor guidance.

7. Review vendor advisories

Because kernel vulnerabilities are patched by operating system vendors, server owners should review the advisory for their specific Linux distribution.

For Copy Fail / CVE-2026-31431, relevant vendor resources include AlmaLinux, Alpine Linux, CloudLinux, Debian, Red Hat Enterprise Linux, Rocky Linux, SUSE, and Ubuntu.

For Dirty Frag, relevant vendor resources include AlmaLinux, CloudLinux, and the applicable operating system vendor for your server.

8. Review signs of compromise

Patching closes known vulnerabilities, but it does not always prove that a server was not accessed before the patch was applied.

Administrators should review:

  • SSH logins;
  • root login history;
  • new or modified SSH keys;
  • unexpected user accounts;
  • cron jobs;
  • recently modified system files;
  • suspicious scripts;
  • unfamiliar processes;
  • mail queues;
  • web shells;
  • unexpected PHP files;
  • altered CMS administrator accounts;
  • modified website files;
  • unexpected database users;
  • unauthorised mail forwarders;
  • API keys and stored credentials.

Where root-level compromise is suspected or confirmed, the safest technical recommendation is usually to rebuild the server from a clean operating system and redeploy from trusted, known-clean sources.
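
As a starting point for three items on the list above (unexpected user accounts, new or modified SSH keys, and cron jobs), the following added example performs read-only checks. It is not part of the original advisory; the default search paths (/root, /home, /etc/crontab, /etc/cron.d, /var/spool/cron) and the 30-day window are assumptions to adjust for the server in question.

```sh
#!/bin/sh
# Added example (not from the advisory): read-only triage for three items
# on the review list: unexpected accounts, SSH keys and cron jobs.
# Default paths are assumptions; adjust them for the server's layout.

# uid0_accounts [PASSWD_FILE]: accounts other than root that have UID 0.
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# recent_key_files DAYS [DIR...]: authorized_keys files modified within DAYS.
recent_key_files() {
  days=$1; shift
  [ "$#" -gt 0 ] || set -- /root /home
  find "$@" -maxdepth 3 -type f \
    \( -name authorized_keys -o -name authorized_keys2 \) \
    -mtime "-$days" 2>/dev/null | sort
}

# recent_cron_files DAYS [PATH...]: cron definitions modified within DAYS.
recent_cron_files() {
  days=$1; shift
  [ "$#" -gt 0 ] || set -- /etc/crontab /etc/cron.d /var/spool/cron
  find "$@" -type f -mtime "-$days" 2>/dev/null | sort
}

echo "Extra UID 0 accounts: $(uid0_accounts | tr '\n' ' ')"
echo "SSH key files changed in the last 30 days:"
recent_key_files 30
echo "Cron files changed in the last 30 days:"
recent_cron_files 30
```

Empty output does not prove the server is clean, because an intruder with root access can reset file timestamps; every hit still needs to be checked against what the administrator knows was changed legitimately.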

Why credential rotation is important

If a server may have been compromised, changing only the root password is not enough.

You should rotate all credentials associated with the server and hosted services, including:

  • root password;
  • SSH keys;
  • WHM/cPanel passwords;
  • control panel user passwords;
  • all email account passwords;
  • database user passwords;
  • website admin passwords;
  • FTP/SFTP passwords;
  • API keys;
  • application secrets;
  • CMS administrator passwords;
  • third-party service credentials stored on or used by the server.

This is especially important if websites, scripts, or configuration files stored credentials in plain text.

When a clean rebuild may be required

If there are signs of unauthorised root-level access, patching and password changes may not be sufficient.

Root-level access can allow an attacker to modify system files, install persistence mechanisms, add SSH keys, change logs, alter services, create backdoors, or hide malicious code. These changes may not be immediately visible.

In such cases, a clean rebuild is often the safest option. This means provisioning a new server with a clean operating system and redeploying websites, applications, email accounts, databases, and DNS configuration from trusted backups or developer copies.

Copying files directly from a compromised server into a new server can reintroduce malicious scripts, backdoors, or altered files.

What Namhost is doing

Namhost has been reviewing affected environments, applying available patches where applicable, and contacting customers directly where we have identified indications of higher risk.

Where unauthorised root-level access has been detected, we will advise affected customers on the available options, including continuing with the existing server at their own risk or deploying a new clean server.

What you should do now

If you manage your own VPS or Dedicated Server, you should:

  1. check your cPanel/WHM version, if cPanel/WHM is installed;
  2. apply all cPanel/WHM patches;
  3. check your Linux distribution and kernel version;
  4. review whether your server may be affected by Dirty Frag;
  5. review whether your server may be affected by Copy Fail / CVE-2026-31431;
  6. apply all available operating system and kernel updates;
  7. reboot where required;
  8. verify that the patched kernel is running;
  9. review logs and accounts for signs of compromise;
  10. rotate all relevant credentials;
  11. contact your hosting provider or server administrator if you are unsure.

If your server is hosted with Namhost and you need assistance reviewing your VPS or Dedicated Server, please contact Namhost Support.

Our team can assist with checking update status, reviewing affected services, advising on rebuild options, and helping you determine the safest next step for your hosting environment.

References

cPanel/WHM security advisories

Dirty Frag Linux kernel advisories

Copy Fail / CVE-2026-31431 Linux kernel advisories
