![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 17%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
Hello Anthony Rieder,
Greetings! Thanks for raising this question in Q&A forum.
This is a very valid and serious security concern. The reason your nodes haven't been updated yet is that Azure Container Apps is a fully managed platform, meaning Microsoft controls the underlying node pool patching and kernel updates — customers cannot trigger node rotation manually. While the Azure Linux fix was released on May 6, 2026, the rollout of updated node images across all regions and all customer environments happens gradually and is managed entirely by the Azure Container Apps platform team. A delay of a few weeks between an upstream fix and full fleet rollout is unfortunately not uncommon, but given this CVE is actively exploited and listed in the CISA KEV catalog, it absolutely warrants urgent escalation.
Here's what you should do right now, step by step:
1. Raise a Critical Severity Support Ticket immediately
Since this CVE has an active PoC exploit and is in the CISA KEV catalog, this qualifies as a Severity A (Critical) support case. Go to the Azure Portal, click "Help + Support", and create a new support request with:
- Product: Azure Container Apps
- Issue type: Security
- Severity: Critical (Sev A)
- Description: Reference CVE-2026-31431, your environment region (East US 2), current kernel version (6.6.130.1-3), and the fact that the fix has been available since May 6, 2026 (kernel 6.6.137.1-2)
This is the fastest path to get Microsoft's engineering team to prioritize patching your environment.
2. Report through Microsoft Security Response Center (MSRC)
In parallel, report this via the official MSRC portal at https://msrc.microsoft.com/report this ensures the right security team at Microsoft is also aware and can track the exposure in your specific environment.
3. Apply immediate compensating controls while you wait
Since you cannot force a node rotation yourself, reduce your blast radius right now by:
- Ensuring all containers run as non-root users (this raises the bar for exploitation)
- Enabling Defender for Containers on your environment if not already done, so you get runtime threat detection
- Reviewing your Container Apps environment's network isolation ensure apps are behind a VNet and not directly exposed to the internet
- Restricting inter-container communication wherever possible to limit lateral movement risk
4. Ask Microsoft Support for an ETA on node rotation for East US 2
When you open the support ticket, explicitly ask: "What is the expected timeline for node pool rotation to kernel 6.6.137.1-2 or later in our East US 2 Container Apps environment?" Support engineers can check the rollout status for your specific region and escalate internally if needed.
5. Monitor Azure Service Health for updates
Go to Azure Portal > Service Health > Health Advisories and filter by Azure Container Apps and East US 2. Microsoft sometimes posts security maintenance notifications here when rolling out critical patches.
Given that this CVE is actively exploited, I'd strongly encourage not waiting on this and opening the Critical support ticket today. Microsoft's support SLA for Sev A issues requires a response within one hour, which will get you the fastest possible action.
If this answer helps you kindly accept the answer which will help others who have similar questions.
Best Regards,
Jerald Felix.