Update - Reminder for the kernel-update path: update the LVE kernel module kmod-lve in the same run as the kernel. The patched kernel keeps the same KABI, so a current module stays compatible, but a host coming from a much older kernel can end up with an incompatible kmod-lve; update both together to avoid a module/kernel mismatch.

CL8 (beta):
yum update 'kernel*' --enablerepo=cloudlinux-updates-testing
yum update kmod-lve --enablerepo=cloudlinux-updates-testing
reboot

CL7h uses --enablerepo=cl7h_beta for the kernel;
CL9/CL10 add dnf update kmod-lve --enablerepo=cloudlinux-updates-testing before reboot.
Full instructions in the blog post

Jul 13, 2026 - 11:44 UTC
Update - The patched CloudLinux 7 kernel is in the beta/testing channel, and rollout to stable has started. You may install from the testing channel now. Target version:

CL7: kernel-3.10.0-962.3.2.lve1.5.89.el7 or newer

The CloudLinux 7 KernelCare livepatch is now in the testing feed, with promotion to the main feed to follow.

Jul 11, 2026 - 03:12 UTC
Update - Released in test feed:
rhel7 K20260710_48
oel7 K20260710_49
cl7 K20260710_52
oel8-uek6 K20260710_46
oel7-uek6 K20260710_45
amazon2 K20260710_47


EL8 (not previously listed):
almalinux8 - K20260710_41 (general kernel, test);
rhel8 - K20260710_28 — kernel-eus-8.6 only ⚠️ (general RHEL8/CL8 not covered).
EL10 + Debian 12 in test
rhel10 - K20260710_20,
almalinux10 - K20260710_23,
rockylinux10 - K20260710_22,
oel10 - K20260710_21,
debian12 - K20260710_24

Jul 10, 2026 - 15:46 UTC
Update - New patches available in the main feed:

rhel9 - K20260709_03
almalinux9 - K20260709_05
oel9 - K20260709_08
rockylinux9 - K20260709_10

Jul 10, 2026 - 11:32 UTC
Update - New patches available for the following systems:

pve-8 - K20260710_04
ubuntu-noble - K20260710_02
almalinux9 LTS - K20260710_14
almalinux9 FIPS 9.6 - K20260710_01


kcarectl --patch-info will reference only CVE-2026-43499 (53166 is not cited), so finding CVE-2026-43499 is sufficient to confirm GhostLock is patched.
the follow-up fix CVE-2026-53166 was reverted upstream (regression)


EL6 distros has low priority

Jul 10, 2026 - 09:52 UTC
Update - The first GhostLock KernelCare livepatches for the CloudLinux 9 / AlmaLinux 9 family are now in the testing feed and are expected to reach the main feed within hours. Once they promote to the main feed, subscribed CloudLinux 9 servers receive them automatically on the next update cycle. Livepatches for the remaining affected CloudLinux families are still in preparation. To update, you may run:

kcarectl --update --prefix test

Jul 10, 2026 - 04:02 UTC
Monitoring - Patched kernels are available:
Patched CloudLinux kernels for CL7h and CL8 are in the beta/testing channel, and rollout to stable has started.
CL7h: kernel-4.18.0-553.141.2.lve.el7h or newer
CL8: kernel-4.18.0-553.141.2.lve.el8 or newer
AlmaLinux has published patched kernels to its testing repository.
CloudLinux 9 / AlmaLinux 9: kernel-5.14.0-687.23.2.el9_8 or newer
CloudLinux 10 / AlmaLinux 10: kernel-6.12.0-211.31.2.el10_2 or newer

Jul 09, 2026 - 12:11 UTC
Update - GhostLock requires two fixes, shipped together: CVE-2026-43499 and CVE-2026-53166.
Both are required for a system to be considered patched.

All supported CloudLinux versions are affected — CL7, CL7h, CL8, CL8 LTS, CL9, CL9 LTS, CL10, and CloudLinux for Ubuntu 22.04 LTS. GhostLock's vulnerable range covers every kernel CloudLinux ships.

There is no practical runtime mitigation. The prerequisite CONFIG_FUTEX_PI is a build-time kernel option with no runtime switch, and it cannot be disabled on a running server without breaking the priority-inheritance mutexes applications depend on. There is no module to blacklist and no sysctl to set. Per-tenant sandboxing does not close it either - the trigger is the futex syscall, available to any local process. For containerized or sandboxed workloads only, a seccomp policy blocking FUTEX_LOCK_PI, FUTEX_WAIT_REQUEUE_PI and FUTEX_CMP_REQUEUE_PI reduces exposure.

The kernel update or KernelCare livepatch is the fix.

Patched kernels and KernelCare livepatches for all affected versions are being prepared. A KernelCare livepatch will be available as a no-reboot alternative on every affected version. Target kernel versions and patch IDs will be posted here as each release ships.

Once KernelCare livepatches are live, verify both fixes are present:
kcarectl --patch-info | grep -E 'CVE-2026-43499|CVE-2026-53166'
Do not use kcarectl --info | grep CVE — it returns empty output even on correctly patched systems.

Full advisory and per-platform update instructions: GhostLock (CVE-2026-43499) blog post.

Jul 09, 2026 - 11:57 UTC
Investigating - Patched kernels and KernelCare livepatches for affected CloudLinux versions are being prepared. For more details, please check: https://blog.cloudlinux.com/ghostlock-cve-2026-43499-local-root-exploit-kernel-update-for-cloudlinux/
Jul 08, 2026 - 18:40 UTC
Update - KernelCare livepatch for Januscape, by CloudLinux platform:

Fully rolled out on the main feed: CloudLinux 10 and CloudLinux for Ubuntu 22.04.
On the main feed (staged rollout): CloudLinux 8.
In the testing feed: CloudLinux 7h.
Still in preparation: CloudLinux 9.

Jul 11, 2026 - 03:15 UTC
Update - Patched CloudLinux CL7h/CL8 kernels are released to the beta/testing channel. Target versions:
- CL7h kernel-4.18.0-553.139.3.lve.el7h or newer.
- CL8 kernel-4.18.0-553.139.3.lve.el8 or newer.

Promotion to the stable channel follows after the testing period.

AlmaLinux 9/10 has published patched kernels to its testing repository. Target versions:
- CL9 / AlmaLinux 9: kernel-5.14.0-687.20.3.el9_8 or newer.
- CL10 / AlmaLinux 10: kernel-6.12.0-211.30.3.el10_2 or newer.

For more detailed information and instructions on updating and mitigation, please visit our blog post: Januscape (CVE-2026-53359): Mitigation and Kernel Update on CloudLinux

Jul 07, 2026 - 17:08 UTC
Identified - KernelCare is rolling out live patches for CVE-2026-53359 + CVE-2026-46113 (both required; tracked under the "CVE-2026-46113 and follow-up N-day kvm fixes" tickets).

Release state below is from the live release data
In feed now (by release):

EL10:
K20260703_15 (rhel10),
K20260703_16 (oel10),
K20260703_17 (rockylinux10),
K20260703_18 (almalinux10)

Debian 13: K20260706_09 (test feed)
Ubuntu Jammy: K20260706_01 (+ _02 arm64, _03 azure, _04 aws) (test feed)
Ubuntu Focal-on-Jammy-HWE: K20260706_06 (+ _05 azure, _07 aws) (test feed)
Proxmox VE 7 (5.15): K20260706_08 (test feed)

Not yet in any feed: el8, el9, ubuntu-noble, debian11, debian12, plain ubuntu-focal, uek6/uek7, ubuntu-bionic.

They are in active development (pushing to the release)

LibCare: out of scope (kernel-only).


How to update?


kcarectl --update --prefix test # from testing feed
kcarectl --update # once promoted to main

Verify:
kcarectl --info | grep kpatch-build-time # build dated 2026-07 or later
kcarectl --patch-info | grep -E 'CVE-2026-53359|CVE-2026-46113' # both fixes needed for Januscape



How to mitigate until the patch will be available?


Hosts that do NOT run VMs but have KVM loaded by default — remove the attack surface entirely:
# unload now (fails if a VM is running → that host isn't a candidate)
sudo modprobe -r kvm_intel kvm # kvm_amd on AMD

# prevent load on boot ("install /bin/false" also blocks dependency/explicit loads,
# which a plain "blacklist" line does not)
printf 'install kvm_intel /bin/false\ninstall kvm_amd /bin/false\n' \
| sudo tee /etc/modprobe.d/disable-kvm.conf

Verify: lsmod | grep kvm is empty and ls /dev/kvm → No such file. Revert: remove /etc/modprobe.d/disable-kvm.conf and modprobe kvm_intel (or reboot).




Hosts that DO run VMs — cannot unload; they depend on the livepatch. Partial hardening for the unprivileged-local vector on RHEL-family (where /dev/kvm is 0666) only:

echo 'KERNEL=="kvm", GROUP="kvm", MODE="0660"' | sudo tee /etc/udev/rules.d/65-kvm.rules
# then: sudo udevadm control --reload && sudo udevadm trigger (or reboot)

Perm-tightening does not stop a malicious VM guest — the guest→host escape still works via QEMU. Full coverage on a VM host = the livepatch.


Jul 07, 2026 - 15:10 UTC
Investigating - Confirmed exploitable in our lab.
Any KVM hypervisor host with the kvm_intel / kvm_amd modules loaded and /dev/kvm present is affected — i.e. the default posture on the KVM/enterprise fleet.

Impact ranges from host DoS (unprivileged, reliable) up to a full guest→host escape running as root .
On RHEL-family, /dev/kvm is world-accessible (0666), so an unprivileged local user can trigger it directly.

Jul 07, 2026 - 15:05 UTC
Monitoring - The kmod-lve 2.1-68 package is already in our beta repository, and we are monitoring for any issues.
Jul 05, 2026 - 03:06 UTC
Investigating - Starting with kmod-lve 2.1-68, shared memory allocated by applications will be counted toward each LVE PMEM limit on CloudLinux OS 8 and 7 hybrid.

On these platforms, shared memory was previously not included in PMEM accounting. CloudLinux OS 9 and 10 have always accounted for it correctly, so this update brings 8/7h in line with them and makes PMEM consistent across all CloudLinux versions.

If you prefer to retain the pre-update behavior and not account shared memory toward PMEM, kmod-lve 2.1-68 adds the module parameter lve_pmem_noshmem:

"N": Default, shmem accounting enabled.
"Y": Disable shmem accounting and restore the previous behavior.

It can be applied as follows:

- At runtime:
echo Y > /sys/module/kmodlve/parameters/lve_pmem_noshmem

- Persistently:
Add to a file under /etc/modprobe.d/, e.g. /etc/modprobe.d/kmodlve.conf:
options kmodlve lve_pmem_noshmem=Y

Jun 24, 2026 - 17:21 UTC
Monitoring - KernelCare livepatches for pedit COW have shipped and are live on the KernelCare main feed for affected CloudLinux versions. KernelCare-subscribed servers receive the fix automatically on the next kcarectl –update. Confirmed patch IDs by version:

CloudLinux 8: K20260624_18 — production feed since June 25
CloudLinux 9 (AlmaLinux 9): K20260626_30 — production feed since June 29
CloudLinux 10 (AlmaLinux 10): K20260625_20 — production feed since June 26
CloudLinux for Ubuntu 22.04 (Jammy): K20260625_01 — production feed since June 25

Jul 03, 2026 - 20:03 UTC
Identified - pedit COW is a separate, new bug in a different part of the kernel, the traffic-control act_pedit action in net/sched, not the XFRM/ESP path behind Dirty Frag and Fragnesia. The module blacklist you may have applied for those does not cover this vulnerability. The mitigation below targets a different module (act_pedit).

Affected CloudLinux versions
CloudLinux 7 (CL7)-----------------No
CloudLinux 7h (CL7h)--------------Yes
CloudLinux 8 (CL8)-----------------Yes
CloudLinux 9 (CL9)-----------------Yes
CloudLinux 10 (CL10)--------------Yes
CloudLinux for Ubuntu 22.04 LTS--Yes

For more detailed information and instructions on updating and mitigation, please visit our blog post: pedit COW (CVE-2026-46331): Mitigation and Kernel Update on CloudLinux

Patched CloudLinux kernels for CL7h and CL8 are released to the beta channel and rolling out to stable. Target versions:
CL7h: kernel-4.18.0-553.137.1.lve.el7h or newer
CL8: kernel-4.18.0-553.137.1.lve.el8 or newer

Patched AlmaLinux kernels for CL9 and CL10 are available in the production (stable) repositories. Target versions:
CL9 / AlmaLinux 9: kernel-5.14.0-687.17.1.el9_8 or newer
CL10 / AlmaLinux 10: kernel-6.12.0-211.26.1.el10_2 or newer

KernelCare livepatches for CVE-2026-46331 are in active build and test.

CloudLinux for Ubuntu 22.04 runs the stock Ubuntu kernel; there is no CloudLinux-built kernel for this platform, and the production fix arrives from Canonical via apt. Track its status on the Ubuntu CVE page.

Until an updated kernel is installed or a KernelCare LivePatch update is applied, use one of the two mitigation methods described in our blog post: pedit COW (CVE-2026-46331): Mitigation and Kernel Update on CloudLinux

Jun 26, 2026 - 15:53 UTC

About This Site

Welcome to CloudLinux status page. Here you can see if there are any ongoing issues with the CloudLinux network or other services.

CloudLinux OS Components Operational
Alt-PHP Operational
CageFS Operational
MySQL Governor Operational
EasyApache4 PHP packages Operational
CloudLinux Kernel Operational
Mod_lsapi Operational
PHP Selector Operational
Python Selector Operational
Ruby Selector Operational
Node.js Selector Operational
CloudLinux Network Operational
Operational
Degraded Performance
Partial Outage
Major Outage
Maintenance
Jul 14, 2026

No incidents reported today.

Jul 13, 2026

Unresolved incident: GhostLock (CVE-2026-43499) Local Root Exploit.

Jul 12, 2026

No incidents reported.

Jul 11, 2026

Unresolved incident: CloudLinux/KernelCare Patch For Januscape (CVE-2026-53359).

Jul 10, 2026
Jul 9, 2026
Resolved - This incident has been resolved.
Jul 9, 10:09 UTC
Monitoring - We are making significant changes to the mechanism of accessing CloudLinux repositories.
This release affects Cloudlinux 8, 9 and Ubuntu. CL7 will be handled later. CL10 also receives an update though it already uses no-auth repos.
License validation has been moved within CloudLinux OS itself, so no action is required on the customer side other than updating the packages, which will be discussed below.

The transition on the client servers will be implemented by updating the cloudlinux-release and rhn-client-tools packages; therefore, if these packages are excluded from the update for any reason, please unblock them so you do not lose the ability to receive updates.
The version of the rhn package that will be updated is rhn-client-tools 3.0.3-1; versions of the cloudlinux-release packages depend on the system being used and can be found in our changelog:
CloudLinux 8 release packages
CloudLinux 9 release packages
CloudLinux 10 release packages
For Ubuntu it is - cloudlinux-release 0.1-10

Rollout of the packages will begin on April 30.

ELS repos brough by php-els, python-els, etc packages can be accessed via JWT token.
If you have questions about how access to ALT-ELS repositories works, you can find more details in this article:
alt-PHP, Python, NodeJS, Ruby repositories changes in CloudLinux 10

Important! If, for whatever reason, you are currently unable to update your packages and switch to the new mirrors, you will not be left without updates. There will be a transition period lasting several months during which both the old and new mirror systems will operate simultaneously.

Apr 29, 09:19 UTC
Jul 8, 2026
Jul 7, 2026
Jul 6, 2026

No incidents reported.

Jul 5, 2026

Unresolved incident: LVE physical memory accounting change for shared memory in kmod-lve 2.1-68.

Jul 4, 2026

No incidents reported.

Jul 3, 2026

Unresolved incident: pedit COW (CVE-2026-46331): Mitigation and Kernel Update on CloudLinux.

Jul 2, 2026

No incidents reported.

Jul 1, 2026

No incidents reported.

Jun 30, 2026

No incidents reported.