I have checked all the servers (bookworm, bullseye) that I manage, and none of them have the algif_aead module loaded.

Seems not fatal to all non-patched systems.

Denvercoder9 3 hours ago | parent | next [-]

Not having the module loaded doesn't mean you're not vulnerable, the kernel loads the module on-demand when it's needed. I tried the exploit on such a system, and it worked.

However, not having the module loaded does mean that in normal operation you don't need the module, so the proposed mitigation of disabling the module is safe in the sense that it won't disrupt anything.

▲

Skywalker13 3 hours ago | parent [-]

I don't know what exactly can load this module but the servers are running for many weeks and I suppose that if something will load this module, it stays loaded until the next reboot.. no ?

I tried to rmmod on all servers and rmmod always returns `ERROR: Module algif_aead is not currently loaded`, that's why I think it's fine. Of course I take a look on https://security-tracker.debian.org/tracker/CVE-2026-31431 for the updates.

	▲	Denvercoder9 3 hours ago \| parent [-]
		> I don't know what exactly can load this module Well, for one thing, opening an AF_ALG socket, as the exploit does.

▲

TacticalCoder 2 hours ago | parent | prev [-]

> I have checked all the servers (bookworm, bullseye) that I manage, and none of them have the algif_aead module loaded.

But only Trixie (and testing/Sid) are patched (as I type this).

On Bookworm (and Bullseye), you want to add the module to list of blocked modules. It's a one-line change.