How to Update a Vultr Cloud Server
Keeping server packages current is one of the most effective ways to guard against known vulnerabilities and maintain system stability. Applying updates regularly ensures that security patches, bug fixes, and performance improvements reach all running services.
This article explains how to update packages on several Linux distributions, including AlmaLinux, Arch Linux, CentOS Stream, Debian, Fedora, Rocky Linux, Ubuntu, and VzLinux.
Prerequisites
Before you begin, you need to:
- Have access to a cloud server as a non-root user with sudo privileges.
- Create a snapshot of the server before applying updates. Updates can occasionally cause unexpected behavior, and a recent snapshot allows you to restore the server quickly if needed.
algif_aead crypto module allows any unprivileged local user to gain a root shell. The flaw exploits an in-place optimization introduced in 2017 that permits page-cache pages to become writable destinations in the crypto scatterlist, enabling a reliable 4-byte page-cache write and full privilege escalation. All mainstream Linux distributions running kernels built between 2017 and April 2026 are affected, including Ubuntu, Debian, Fedora, AlmaLinux, Rocky Linux, Arch Linux, and RHEL-based distributions. The official fix reverts algif_aead.c (commit a664bf3d603d) to out-of-place AEAD operation, permanently eliminating the attack surface.
Apply the temporary mitigation below immediately, then update your kernel using the steps for your distribution in this article. Ubuntu 26.04 (Resolute) is not affected and requires no action.
Temporary Mitigation
Apply the following steps while the kernel update is pending:
Disable the
algif_aeadmodule to eliminate the attack surface.console$ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf $ sudo rmmod algif_aead 2>/dev/null || true
Update your kernel using the steps for your distribution in this article.
Impact of Disabling algif_aead
For most systems, disabling this module has no measurable effect. Common subsystems that route crypto operations through the kernel's internal API, including dm-crypt, LUKS, IPsec, kTLS, SSH, and the default builds of OpenSSL, GnuTLS, and NSS are completely unaffected because they never use AF_ALG sockets.
The mitigation only affects userspace applications explicitly configured to reach the kernel crypto API through AF_ALG for example, OpenSSL built with the afalg engine enabled, certain embedded crypto offload implementations, or applications that open aead, skcipher, or hash sockets directly. If those paths were in use, performance falls back to the application's own userspace crypto library, which is how the vast majority of software operates anyway.
To check whether any running process on the system currently uses AF_ALG, run:
$ lsof | grep AF_ALG
No output means nothing active relies on the module. If processes appear in the results, evaluate whether they support an alternative crypto backend before disabling the module.
AlmaLinux, CentOS Stream, Rocky Linux, and VzLinux
AlmaLinux, CentOS Stream, Rocky Linux, and VzLinux all use the DNF package manager. The following steps apply to all four distributions.
Update the package database from the enabled repositories.
console$ sudo dnf check-update
Upgrade all installed packages.
console$ sudo dnf upgrade
Reboot the server.
console$ sudo reboot
Arch Linux
Arch Linux uses a rolling-release model, and packages can change significantly between upgrades. Before starting, visit the Arch Linux homepage to check for any recent news or breaking changes that may require manual intervention after the upgrade.
Update the package databases for all enabled repositories.
console$ sudo pacman --sync --refresh
Update the local database of PGP keys used by package maintainers.
console$ sudo pacman --sync --needed archlinux-keyring
Upgrade all system packages.
console$ sudo pacman --sync --sysupgrade
Reboot the system.
console$ sudo reboot
Combine the database refresh and system upgrade into a single command. This skips the optional keyring update step.
$ sudo pacman --sync --refresh --sysupgrade
Reboot the system after the upgrade completes.
$ sudo reboot
Debian and Ubuntu
Debian and Ubuntu use the APT package manager. The following steps apply to Ubuntu 20.04 and later, and Debian 11 and later.
kmod package is available that automatically disables the vulnerable algif_aead module. A full kernel patch is still pending. Apply the steps below before proceeding with the general upgrade.
Ubuntu 22.04, 24.04, and 25.10 users should install the updated kmod package immediately. This applies the official module-level mitigation while the kernel patch is pending. Ubuntu 14.04 through 20.04 users can access the same update through the Ubuntu ESM channel.
Update the package lists.
console$ sudo apt update
Install the updated
kmodpackage.console$ sudo apt install --only-upgrade kmod
Verify the mitigation is active.
console$ sudo modprobe algif_aead
If the mitigation is in place, the output displays:
modprobe: ERROR: could not insert 'algif_aead': Operation not permitted
Proceed with the full system upgrade below to apply all remaining available security patches.
(Optional) List packages available for upgrade before proceeding.
console$ sudo apt list --upgradable
Upgrade all upgradable packages.
console$ sudo apt upgrade
Reboot the server.
console$ sudo reboot
Accept all defaults and suppress prompts by combining the commands with && and adding the -y flag.
$ sudo apt update && sudo apt upgrade -y
Reboot the server after the upgrade completes.
Remove packages that are no longer needed by any installed software.
$ sudo apt autoremove
Fedora
Fedora uses the DNF package manager. The following steps apply to Fedora 31 and later.
Update the package database from the enabled repositories.
console$ sudo dnf check-update
Upgrade all installed packages.
console$ sudo dnf upgrade
Restart the server.
console$ sudo reboot
Conclusion
You have updated your Linux server using the package manager for your distribution. Setting a regular update schedule keeps your system protected and stable. For more information, visit the official documentation for AlmaLinux, Arch Linux, Debian, Fedora, Rocky Linux, or Ubuntu.