[cherry-pick v20260424] fix: mitigate CVE-2026-31431 (Copy Fail) algif_aead LPE #8444
Changes from all commits
6aa5bbd
dba54ea
a60dbbb
633fdbd
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -284,6 +284,23 @@ EOF | |
|
|
||
| logs_to_events "AKS.CSE.ensureSysctl" ensureSysctl || exit $ERR_SYSCTL_RELOAD | ||
|
|
||
| # CVE-2026-31431 (Copy Fail): Mitigate algif_aead LPE vulnerability. | ||
| # Affects Ubuntu 20.04/22.04/24.04 and AzureLinux 3.0 (kernel >=4.15). | ||
| # Applies to existing VHDs that don't yet have the modprobe-CIS.conf fix baked in. | ||
| # Safe to run unconditionally — idempotent if already mitigated. | ||
| if [ "$OS" = "$UBUNTU_OS_NAME" ] || isMarinerOrAzureLinux "$OS"; then | ||
| if ! grep -qs "algif_aead" /etc/modprobe.d/*.conf 2>/dev/null; then | ||
| printf "install algif_aead /bin/false\nblacklist algif_aead\n" > /etc/modprobe.d/disable-algif_aead.conf | ||
| fi | ||
| if grep -q '^algif_aead ' /proc/modules 2>/dev/null; then | ||
| if rmmod algif_aead 2>/dev/null; then | ||
| echo "CVE-2026-31431: successfully unloaded algif_aead module" | ||
| else | ||
| echo "CVE-2026-31431: failed to unload algif_aead (in use), reboot required for full mitigation" | ||
| fi | ||
|
|
||
| fi | ||
| fi | ||
|
|
||
| if ! isAzureLinuxOSGuard "$OS" "$OS_VARIANT"; then | ||
| if [ "$OS" = "$UBUNTU_OS_NAME" ] || isMarinerOrAzureLinux "$OS"; then | ||
| logs_to_events "AKS.CSE.ubuntuSnapshotUpdate" ensureSnapshotUpdate | ||
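Review bot: the "reboot required" outcome in the `rmmod` else-branch (`echo "CVE-2026-31431: failed to unload algif_aead (in use), reboot required for full mitigation"`) is only echoed to stdout, unlike the adjacent `logs_to_events "AKS.CSE.ensureSysctl" ensureSysctl || exit $ERR_SYSCTL_RELOAD` pattern, so a node that still has the vulnerable module loaded looks the same in CSE telemetry as one that was fully mitigated; wrapping the block in a function and invoking it through `logs_to_events` like its neighbours would surface that state. Two smaller points: `grep -qs` already suppresses missing-file errors, so the trailing `2>/dev/null` on that line is redundant, and the `/proc/modules` check cannot see a kernel that has `algif_aead` built in rather than as a loadable module, in which case neither the modprobe.d file nor `rmmod` has any effect and the script stays silent; checking `/lib/modules/$(uname -r)/modules.builtin` and logging that case would make it visible.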
|
|
||
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -25,3 +25,7 @@ blacklist hfsplus | |||||
| # 1.1.1.9 Ensure usb-storage kernel module is not available | ||||||
| install usb-storage /bin/true | ||||||
| blacklist usb-storage | ||||||
| # CVE-2026-31431 (Copy Fail): Disable algif_aead to mitigate LPE vulnerability | ||||||
| # until kernel fix is available. See https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available | ||||||
| install algif_aead /bin/false | ||||||
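Review bot: `install algif_aead /bin/false` departs from the convention used two lines above in the same file (`install usb-storage /bin/true`); both forms stop the module from loading, the difference is only whether a caller of `modprobe algif_aead` sees success or a non-zero exit, so either state in the comment that the deviation is intentional or align it with the CIS entries to avoid a later "cleanup" flipping it. Also, the hunk header (`+25,7`) advertises four added lines while only three are visible here; confirm the fourth is `blacklist algif_aead`, matching what the CSE script writes at runtime (`printf "install algif_aead /bin/false\nblacklist algif_aead\n"`), so the baked-in and runtime mitigations stay identical.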
|
||||||
| install algif_aead /bin/false | |
| install algif_aead /bin/true |
The idempotency check treats any occurrence of the string `algif_aead` in any `/etc/modprobe.d/*.conf` as “already mitigated”. That can produce false positives (e.g., comments/aliases) and skip writing the required `install ... /bin/false` + `blacklist ...` rules. Consider checking specifically for the required directives (or ensuring the expected file exists with correct contents) before deciding to skip creating/updating the mitigation file.