From 6aa5bbd57755bd08d58a8f5095363ee64df7fd76 Mon Sep 17 00:00:00 2001
From: Sylvain Boily <4981802+djsly@users.noreply.github.com>
Date: Thu, 30 Apr 2026 15:58:05 -0400
Subject: [PATCH 1/4] fix: mitigate CVE-2026-31431 (Copy Fail) on Ubuntu VHDs
Disable algif_aead kernel module to mitigate local privilege escalation vulnerability (CVSS 7.8 HIGH) until kernel fix is available (~21 days). VHD build: Add 'install algif_aead /bin/false' to modprobe-CIS.conf CSE provisioning: Apply runtime mitigation on existing VHDs (creates modprobe config + rmmod if module is loaded) Per Canonical advisory: https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available AB#37761004
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 parts/linux/cloud-init/artifacts/cse_main.sh | 10 ++++++++++
 parts/linux/cloud-init/artifacts/modprobe-CIS.conf | 3 +++
 2 files changed, 13 insertions(+)
diff --git a/parts/linux/cloud-init/artifacts/cse_main.sh b/parts/linux/cloud-init/artifacts/cse_main.sh
index ecb462150fc..81538d27d65 100755
--- a/parts/linux/cloud-init/artifacts/cse_main.sh
+++ b/parts/linux/cloud-init/artifacts/cse_main.sh
@@ -284,6 +284,16 @@ EOF
 logs_to_events "AKS.CSE.ensureSysctl" ensureSysctl || exit $ERR_SYSCTL_RELOAD
+ # CVE-2026-31431 (Copy Fail): Mitigate algif_aead LPE on Ubuntu nodes.
+ # Applies to existing VHDs that don't yet have the modprobe-CIS.conf fix baked in.
+ # Safe to run unconditionally — idempotent if already mitigated.
+ if [ "$OS" = "$UBUNTU_OS_NAME" ]; then
+ if ! grep -qs "algif_aead" /etc/modprobe.d/*.conf 2>/dev/null; then
+ echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif_aead.conf
+ fi
+ rmmod algif_aead 2>/dev/null || true
+ fi
+
 if ! isAzureLinuxOSGuard "$OS" "$OS_VARIANT"; then
 if [ "$OS" = "$UBUNTU_OS_NAME" ] || isMarinerOrAzureLinux "$OS"; then
 logs_to_events "AKS.CSE.ubuntuSnapshotUpdate" ensureSnapshotUpdate 
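Review bot: The idempotence check `grep -qs "algif_aead" /etc/modprobe.d/*.conf` matches any mention of the module name, so a file that only carries `blacklist algif_aead` or a commented-out reference would suppress writing the `install` rule, and `blacklist` on its own does not stop a by-name `request_module` load — only the `install` directive does. Anchoring the pattern on the directive that actually blocks loading closes that gap while staying idempotent: `if ! grep -qsE '^install[[:space:]]+algif_aead([[:space:]]|$)' /etc/modprobe.d/*.conf; then`. The trailing `2>/dev/null` is redundant with `-s`, which already silences missing/unreadable-file errors. The enclosing function starts and ends outside the hunk.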
diff --git a/parts/linux/cloud-init/artifacts/modprobe-CIS.conf b/parts/linux/cloud-init/artifacts/modprobe-CIS.conf
index 22d942f625b..c5ed55f8474 100644
--- a/parts/linux/cloud-init/artifacts/modprobe-CIS.conf
+++ b/parts/linux/cloud-init/artifacts/modprobe-CIS.conf
@@ -25,3 +25,6 @@ blacklist hfsplus
 # 1.1.1.9 Ensure usb-storage kernel module is not available
 install usb-storage /bin/true
 blacklist usb-storage
+# CVE-2026-31431 (Copy Fail): Disable algif_aead to mitigate LPE vulnerability
+# until kernel fix is available. See https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
+install algif_aead /bin/false
From dba54ea27cd1c8238e80aaac4e4dd86d339d3438 Mon Sep 17 00:00:00 2001
From: Sylvain Boily <4981802+djsly@users.noreply.github.com>
Date: Thu, 30 Apr 2026 16:02:30 -0400
Subject: [PATCH 2/4] fix: extend CVE-2026-31431 mitigation to AzureLinux 3.0
The algif_aead vulnerability affects all Linux kernels >=4.15, not just Ubuntu. Extend CSE runtime mitigation to also cover AzureLinux/Mariner. VHD build was already covered since modprobe-CIS.conf is shared across all OS builds (Ubuntu, AzureLinux, ACL, Flatcar). Ubuntu 20.04 FIPS is also covered (same shared config + CSE path). AB#37761004
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 parts/linux/cloud-init/artifacts/cse_main.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/parts/linux/cloud-init/artifacts/cse_main.sh b/parts/linux/cloud-init/artifacts/cse_main.sh
index 81538d27d65..e10c165310d 100755
--- a/parts/linux/cloud-init/artifacts/cse_main.sh
+++ b/parts/linux/cloud-init/artifacts/cse_main.sh 
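Review bot: The new rule uses `/bin/false` while the CIS entries above it (`install usb-storage /bin/true`) use `/bin/true`, and the comment does not say why; with `/bin/false` an explicit `modprobe algif_aead` exits non-zero, which is defensible here but reads as an inconsistency to the next maintainer. If it is intentional, add a line to the comment such as `# /bin/false (not /bin/true as above) so an explicit modprobe reports failure instead of silently succeeding`; otherwise align with the file's convention. The comment also says "until kernel fix is available" — naming the tracking item for removing the rule (the AB work item in the commit message, for instance) would make its temporary nature actionable.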
@@ -284,10 +284,11 @@ EOF
 logs_to_events "AKS.CSE.ensureSysctl" ensureSysctl || exit $ERR_SYSCTL_RELOAD
- # CVE-2026-31431 (Copy Fail): Mitigate algif_aead LPE on Ubuntu nodes.
+ # CVE-2026-31431 (Copy Fail): Mitigate algif_aead LPE vulnerability.
+ # Affects Ubuntu 20.04/22.04/24.04 and AzureLinux 3.0 (kernel >=4.15).
 # Applies to existing VHDs that don't yet have the modprobe-CIS.conf fix baked in.
 # Safe to run unconditionally — idempotent if already mitigated.
- if [ "$OS" = "$UBUNTU_OS_NAME" ]; then
+ if [ "$OS" = "$UBUNTU_OS_NAME" ] || isMarinerOrAzureLinux "$OS"; then
 if ! grep -qs "algif_aead" /etc/modprobe.d/*.conf 2>/dev/null; then
 echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif_aead.conf
 fi
From a60dbbbfd0046b6625d31afd3cd75d027d9bf599 Mon Sep 17 00:00:00 2001
From: Sylvain Boily <4981802+djsly@users.noreply.github.com>
Date: Thu, 30 Apr 2026 16:18:31 -0400
Subject: [PATCH 3/4] fix: add blacklist directive and improve rmmod logging per review
- Add 'blacklist algif_aead' alongside install rule for CIS consistency
- Log success/failure of rmmod with actionable reboot guidance
- Only attempt rmmod when module is actually loaded AB#37761004
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 parts/linux/cloud-init/artifacts/cse_main.sh | 10 ++++++++--
 parts/linux/cloud-init/artifacts/modprobe-CIS.conf | 1 +
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/parts/linux/cloud-init/artifacts/cse_main.sh b/parts/linux/cloud-init/artifacts/cse_main.sh
index e10c165310d..2606a929409 100755
--- a/parts/linux/cloud-init/artifacts/cse_main.sh
+++ b/parts/linux/cloud-init/artifacts/cse_main.sh 
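Review bot: The widened condition `isMarinerOrAzureLinux "$OS"` presumably also matches the AzureLinux OS Guard variant, which the code directly after this block singles out with `isAzureLinuxOSGuard` (visible in the neighbouring hunks), yet the config write `echo ... > /etc/modprobe.d/disable-algif_aead.conf` has no status check — if `/etc` is not writable on that variant the mitigation file is silently skipped and nothing records it. Checking the redirect keeps the failure visible: `echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif_aead.conf || echo "CVE-2026-31431: failed to write /etc/modprobe.d/disable-algif_aead.conf" >&2`. The commit message says the shared modprobe-CIS.conf also covers ACL and Flatcar builds, but this runtime path still covers only Ubuntu and AzureLinux, so if existing VHDs of those OSes run this script they get no runtime mitigation; either extend the condition or record the exclusion in the comment. The enclosing function starts and ends outside the hunk.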
@@ -290,9 +290,15 @@ EOF
 # Safe to run unconditionally — idempotent if already mitigated.
 if [ "$OS" = "$UBUNTU_OS_NAME" ] || isMarinerOrAzureLinux "$OS"; then
 if ! grep -qs "algif_aead" /etc/modprobe.d/*.conf 2>/dev/null; then
- echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif_aead.conf
+ printf "install algif_aead /bin/false\nblacklist algif_aead\n" > /etc/modprobe.d/disable-algif_aead.conf
+ fi
+ if grep -q '^algif_aead ' /proc/modules 2>/dev/null; then
+ if rmmod algif_aead 2>/dev/null; then
+ echo "CVE-2026-31431: successfully unloaded algif_aead module"
+ else
+ echo "CVE-2026-31431: failed to unload algif_aead (in use), reboot required for full mitigation"
+ fi
 fi
- rmmod algif_aead 2>/dev/null || true
 fi
 if ! isAzureLinuxOSGuard "$OS" "$OS_VARIANT"; then
diff --git a/parts/linux/cloud-init/artifacts/modprobe-CIS.conf b/parts/linux/cloud-init/artifacts/modprobe-CIS.conf
index c5ed55f8474..312fabe3a5d 100644
--- a/parts/linux/cloud-init/artifacts/modprobe-CIS.conf
+++ b/parts/linux/cloud-init/artifacts/modprobe-CIS.conf
@@ -28,3 +28,4 @@ blacklist usb-storage
 # CVE-2026-31431 (Copy Fail): Disable algif_aead to mitigate LPE vulnerability
 # until kernel fix is available. See https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
 install algif_aead /bin/false
+blacklist algif_aead
From 633fdbd65e9fd1e52dae7b4aba6e597684754775 Mon Sep 17 00:00:00 2001
From: "aks-node-assistant[bot]" <190555641+aks-node-assistant[bot]@users.noreply.github.com>
Date: Fri, 1 May 2026 01:20:48 +0000
Subject: [PATCH 4/4] chore: auto-generate hotfix template entries
---
 parts/linux/cloud-init/nodecustomdata.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/parts/linux/cloud-init/nodecustomdata.yml b/parts/linux/cloud-init/nodecustomdata.yml
index b74cdeca6e9..7c55d4b0328 100644
--- a/parts/linux/cloud-init/nodecustomdata.yml
+++ b/parts/linux/cloud-init/nodecustomdata.yml 
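Review bot: The rmmod outcome is reported with bare `echo` to stdout instead of through `logs_to_events` like the sibling `ensureSysctl` call, so the "reboot required for full mitigation" case never becomes a CSE event that fleet tooling can detect, and the failure branch asserts "(in use)" without looking at rmmod's error, which is discarded by `2>/dev/null`. Moving the block into a helper run via `logs_to_events` (the helper would live with the other function definitions, outside this hunk) records one event with the real rmmod error on stderr; whether a failed unload should fail provisioning or stay best-effort is a policy call for the owners, so the call below keeps it non-fatal. Note also that both the `/proc/modules` check and `rmmod` are silent when `algif_aead` is built into the kernel rather than shipped as a module, in which case neither the modprobe rule nor the unload helps — if any supported kernel builds it in, that needs a separate check. The enclosing function starts and ends outside the hunk.
```shell
# helper, defined alongside the other functions (constructed event name follows the AKS.CSE.* pattern)
mitigateAlgifAead() {
    if ! grep -qsE '^install[[:space:]]+algif_aead([[:space:]]|$)' /etc/modprobe.d/*.conf; then
        printf "install algif_aead /bin/false\nblacklist algif_aead\n" > /etc/modprobe.d/disable-algif_aead.conf || return 1
    fi
    if grep -q '^algif_aead ' /proc/modules 2>/dev/null; then
        local rmmod_err
        if ! rmmod_err=$(rmmod algif_aead 2>&1); then
            echo "CVE-2026-31431: failed to unload algif_aead (${rmmod_err}); reboot required for full mitigation" >&2
            return 1
        fi
        echo "CVE-2026-31431: successfully unloaded algif_aead module"
    fi
}

# call site, replacing the inline block in this hunk
    if [ "$OS" = "$UBUNTU_OS_NAME" ] || isMarinerOrAzureLinux "$OS"; then
        logs_to_events "AKS.CSE.mitigateAlgifAead" mitigateAlgifAead || true  # best-effort: a reboot completes the mitigation
    fi
    # … unchanged: isAzureLinuxOSGuard / snapshot update sequence …
```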
@@ -25,6 +25,16 @@ write_files:
 Any overridden files will be listed here - Hotfix mode Example: {{GetCSEHelpersScriptFilepath}}
+
+# ---- hotfix: auto-generated by hotfix-generate GH Action ----
+- path: /opt/azure/containers/provision.sh
+ permissions: "0744"
+ encoding: gzip
+ owner: root
+ content: !!binary |
+ {{GetVariableProperty "cloudInitData" "provisionScript"}}
+
+# ---- end hotfix ----
 {{- else }}
 - path: {{GetCSEHelpersScriptFilepath}}
 permissions: "0744"