kro 4 hours ago

Major OS vendors will publish pages with the fixed versions:

https://security-tracker.debian.org/tracker/CVE-2026-31431

https://ubuntu.com/security/CVE-2026-31431

Also, disabling algif_aead is suggested as a mitigation.

1p09gj20g8h 4 hours ago | parent [-]

Where are you seeing the disabling algif_aead mitigation?

oskarkk 4 hours ago | parent [-]

In TFA: https://copy.fail/#mitigation

> Before you can patch: disable the algif_aead module.

> echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf

> rmmod algif_aead 2>/dev/null || true

Edit: and I can confirm that on my system with kernel 6.19.8 the above fixes the exploit.

comfydragon 2 hours ago | parent [-]

Weirdly, the mitigation does not seem to work under WSL2 (at least in Ubuntu 24.04).

    Linux wsl2 6.6.87.2-microsoft-standard-WSL2 ...

`modprobe algif_aead` errors out, but if I run the POC, it succeeds.

Outside of WSL2, the mitigation does appear to work though.

tremon an hour ago | parent [-]

It's possible that the WSL kernel has that code compiled-in rather than as a loadable module. If they ship the kernel config somewhere, you could verify with

    zgrep CRYPTO_USER_API_AEAD /proc/config.gz /boot/config-*

It should show =m if it's a loadable module, and =y if it's compiled in.

comfydragon 40 minutes ago | parent [-]

It's a loadable module:

    CONFIG_CRYPTO_USER_API_AEAD=m

Using bpftrace to watch calls to module_request, openat, etc., it looks like when the kernel calls modprobe, it doesn't even look at the disable-algif.conf file:

    [module_request] pid=3648 comm=python name=algif-aead
    [umh_setup] pid=3648 comm=python path=/sbin/modprobe argv0=/sbin/modprobe argv1=-q argv2=-- argv3=algif-aead argv4=
    [openat] pid=3688 file=/etc/ld.so.cache
    [openat] pid=3688 file=/lib/liblzma.so.5
    [openat] pid=3688 file=/lib/libz.so.1
    [openat] pid=3688 file=/lib/libgcc_s.so.1
    [openat] pid=3688 file=/lib/libc.so.6
    [openat] pid=3688 file=/etc/modprobe.d
    [openat] pid=3688 file=/lib/modprobe.d
    [openat] pid=3688 file=/lib/modprobe.d/dist-blacklist.conf
    [openat] pid=3688 file=/lib/modules/6.6.87.2-microsoft-standard-WSL2/modules.softdep
    [openat] pid=3688 file=/lib/modprobe.d/systemd.conf
    [openat] pid=3688 file=/etc/modprobe.d/usb.conf
    [openat] pid=3688 file=/proc/cmdline
    [openat] pid=3688 file=/lib/modules/6.6.87.2-microsoft-standard-WSL2/modules.dep.bin
    [openat] pid=3688 file=/lib/modules/6.6.87.2-microsoft-standard-WSL2/modules.alias.bin..
    [openat] pid=3688 file=/lib/modules/6.6.87.2-microsoft-standard-WSL2/modules.symbols.b..
    [openat] pid=3688 file=/lib/modules/6.6.87.2-microsoft-standard-WSL2/modules.builtin.a..
    [openat] pid=3688 file=/lib/modules/6.6.87.2-microsoft-standard-WSL2/modules.builtin.b..
    [openat] pid=3688 file=/sys/module/algif_aead/initstate
    [openat] pid=3688 file=/sys/module/af_alg/initstate
    [openat] pid=3688 file=/sys/module/algif_aead/initstate
    [openat] pid=3688 file=/lib/modules/6.6.87.2-microsoft-standard-WSL2/kernel/crypto/alg..
    [finit_module] pid=3688 comm=modprobe fd=0 flags=0
    [module_load] pid=3688 comm=modprobe name=algif_aead

Restart WSL2, run the bpftrace, and try `sudo modprobe algif-aead`, and that shows it looking at (or I guess opening) other files in /etc/modprobe.d, including the new one.

The mystery is why.
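
The checks discussed in this thread (kernel config `=m` versus `=y`, the `install` rule in modprobe.d, and whether the module ended up loaded anyway) can be combined into one audit. This is an added example, not code from any commenter or from the linked advisory; the function names, verdict strings and the `--live` switch are made up for illustration, and the modprobe.d directory list is an assumption about where a given distribution keeps its rules.

```shell
# Added example: audit whether the algif_aead mitigation can take effect.
# Paths are arguments so the logic can be run against constructed files.
# Print builtin | module | unset | unknown for CONFIG_CRYPTO_USER_API_AEAD.
aead_config_state() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        case "$f" in
            *.gz) line=$(gzip -dc "$f" | grep -E '^(# )?CONFIG_CRYPTO_USER_API_AEAD[= ]' | head -n 1) ;;
            *)    line=$(grep -E '^(# )?CONFIG_CRYPTO_USER_API_AEAD[= ]' "$f" | head -n 1) ;;
        esac
        case "$line" in
            *=y) echo builtin; return 0 ;;
            *=m) echo module; return 0 ;;
            "# "*"is not set") echo unset; return 0 ;;
        esac
    done
    echo unknown
}

# Succeed if any *.conf in the given modprobe.d directories carries an
# "install algif_aead ..." override (modprobe treats - and _ alike).
install_rule_present() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        grep -Eqs '^[[:space:]]*install[[:space:]]+algif[_-]aead[[:space:]]' "$d"/*.conf && return 0
    done
    return 1
}

# Verdict from: <config-state> <rule yes|no> <loaded yes|no>
assess() {
    case "$1:$2:$3" in
        builtin:*) echo "INEFFECTIVE: compiled in, modprobe.d cannot block it" ;;
        unset:*)   echo "NOT-PRESENT: interface not built for this kernel" ;;
        *:*:yes)   echo "EXPOSED: algif_aead is loaded right now" ;;
        *:yes:no)  echo "CONFIGURED: install rule present, module not loaded" ;;
        *)         echo "UNMITIGATED: no install rule found" ;;
    esac
}

# Live check against this machine; run the script with --live.
audit_live() {
    state=$(aead_config_state /proc/config.gz "/boot/config-$(uname -r)")
    rule=no; loaded=no
    install_rule_present /etc/modprobe.d /run/modprobe.d /lib/modprobe.d /usr/lib/modprobe.d && rule=yes
    [ -d /sys/module/algif_aead ] && loaded=yes
    assess "$state" "$rule" "$loaded"
}
if [ "${1:-}" = "--live" ]; then audit_live; fi
```

`CONFIGURED` only says the rule exists on disk. Given the WSL2 report above, re-run the audit after something has requested the module and treat a change to `EXPOSED` as evidence the rule was not honoured on that load path.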