VisionaryBroadband/cve-patching

cve-patching

A collection of interim mitigation scripts for Linux kernel CVEs. Each script is self-contained, multi-distro, and pipe-to-shell safe.


patch_cve_2026_31431.sh — "CopyFail"

CVE-2026-31431 ("CopyFail") is a local privilege escalation vulnerability in algif_aead, the kernel module that exposes the AEAD (Authenticated Encryption with Associated Data) crypto API to userspace through AF_ALG sockets. It was disclosed as a zero-day. Exploitation allows an unprivileged local user to corrupt kernel memory through a crafted sequence of sendmsg calls on such a socket, leading to arbitrary code execution in ring 0.

This script detects exposure, checks for kernel updates, identifies userspace processes that depend on the affected interface, applies a modprobe blacklist to block the module, and — when the module is compiled directly into the kernel — optionally applies an initcall_blacklist GRUB boot parameter as a secondary control.


What it does

The script runs the following steps in order, tracking the result of each for the final summary:

  1. Module exposure check — reads /proc/modules to determine whether algif_aead is currently loaded. A loaded module means the attack surface is live. The converse does not hold: a module compiled into the kernel never appears in /proc/modules, and a loadable module that is not yet loaded is still reachable, because the first AF_ALG socket of type "aead" makes the kernel request it by name and autoload it. Steps 3 and 5 cover those two cases.

  2. Kernel update check — auto-detects the active package manager (apt, dnf, yum, zypper, pacman) and queries for available kernel updates. Prompts the user to install them before applying the modprobe patch.

  3. Kernel build configuration check — reads the running kernel's config from /boot/config-$(uname -r), /boot/config, or /proc/config.gz to determine whether CONFIG_CRYPTO_USER_API_AEAD is =m (loadable module) or =y (compiled in). See Built-in vs. loadable modules below.

  4. AF_ALG userspace consumer detection — scans for active processes using the AF_ALG crypto socket interface via lsof and ss -xa, matching against aead, skcipher, hash, algif, and af_alg. If any are found, lists the affected processes and asks whether to proceed. See AF_ALG consumer detection below.

  5. Modprobe blacklist patch — writes install algif_aead /bin/false to /etc/modprobe.d/disable-algif-aead.conf, then calls rmmod to unload the module if it is currently loaded. An install override is used rather than a plain blacklist line because blacklist only suppresses loading through the module's internal aliases; the by-name request issued when a process binds an AF_ALG socket of type "aead" still goes through, whereas install ... /bin/false turns that request into a no-op. rmmod fails if any process still holds an aead socket, which is one reason step 4 runs first.

  6. GRUB bootloader patch (conditional) — if the module is built-in (=y) and the user consented, appends initcall_blacklist=algif_aead_init to GRUB_CMDLINE_LINUX in /etc/default/grub and regenerates the GRUB config using whichever tool is present (grub2-mkconfig, update-grub, or grub-mkconfig) across known EFI and BIOS paths.

  7. Verification — re-reads /proc/modules to confirm the module is gone and greps /etc/modprobe* to confirm the patch file is present on disk.

  8. Final summary — prints a structured table covering exposure state at scan time, kernel update status, module build type, initcall_blacklist status, AF_ALG consumers detected, whether the user skipped patching, patch-on-disk confirmation, and current module load state. Concludes with a colour-coded overall verdict: remediated, partially remediated, unpatched by user choice, or incomplete.
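The exposure and build-type checks from steps 1 and 3, written out as an added bash example; this is not the repository's script. Both inputs are file paths so the functions can be run against the constructed samples at the bottom; on a live host pass /proc/modules and /boot/config-$(uname -r) (or /proc/config.gz). The verdict labels are this example's own, not the script's summary wording.

```shell
#!/usr/bin/env bash
# Added example: exposure classification for algif_aead (not the repository's script).
# Both inputs are file paths so the logic can be exercised against constructed samples;
# on a live host use /proc/modules and /boot/config-$(uname -r) or /proc/config.gz.

CONFIG_KEY=CONFIG_CRYPTO_USER_API_AEAD

# "loaded" if algif_aead appears in a /proc/modules-style listing, otherwise "absent".
# A built-in module never appears here, so "absent" alone does not mean the interface is gone.
module_state() {
  awk '$1 == "algif_aead" { found = 1 } END { print (found ? "loaded" : "absent") }' "$1"
}

# m (loadable), y (built in), n (not built) or "unknown" for CONFIG_CRYPTO_USER_API_AEAD.
# Accepts a plain config file or the gzipped /proc/config.gz.
config_build_type() {
  local cfg="$1" line
  if [ "${cfg##*.}" = "gz" ]; then
    line=$(gzip -dc "$cfg" | grep -E "^(# )?${CONFIG_KEY}( is not set|=)" | head -n1)
  else
    line=$(grep -E "^(# )?${CONFIG_KEY}( is not set|=)" "$cfg" | head -n1)
  fi
  case "$line" in
    "${CONFIG_KEY}=m")            echo m ;;
    "${CONFIG_KEY}=y")            echo y ;;
    "# ${CONFIG_KEY} is not set") echo n ;;
    *)                            echo unknown ;;
  esac
}

# Combine the two into the routing the README describes.
classify_exposure() {
  local mstate btype
  mstate=$(module_state "$1")
  btype=$(config_build_type "$2")
  case "$btype:$mstate" in
    y:*)      echo "exposed-builtin" ;;      # live regardless of /proc/modules; needs initcall_blacklist and a reboot
    m:loaded) echo "exposed-loaded" ;;       # rmmod plus the install override
    m:absent) echo "loadable-not-loaded" ;;  # still autoloadable on the first aead socket; override still needed
    n:*)      echo "not-built" ;;
    *)        echo "unknown" ;;
  esac
}

if [ "${1:-}" = "--live" ]; then
  echo "verdict: $(classify_exposure /proc/modules "/boot/config-$(uname -r)")"
else
  # Constructed sample inputs (not captured from a real host) so the script runs offline.
  tmp=$(mktemp -d)
  printf 'algif_aead 16384 2 - Live 0xffffffffc0a00000\naf_alg 28672 1 algif_aead, Live 0xffffffffc0900000\n' > "$tmp/modules"
  printf 'CONFIG_CRYPTO_USER_API_AEAD=m\n' > "$tmp/config"
  echo "module: $(module_state "$tmp/modules")  build: $(config_build_type "$tmp/config")  verdict: $(classify_exposure "$tmp/modules" "$tmp/config")"
  rm -rf "$tmp"
fi
```

Run it with no arguments to see the constructed sample classified, or with --live to classify the current host.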


Prerequisites

Requirement    Notes
Linux          Kernel 4.x or later
Bash 4+        Ships with all supported distros
sudo / root    Required for modprobe, rmmod, and GRUB changes
lsof           Recommended; used for AF_ALG socket scanning. The script degrades gracefully if it is absent.

Installation and usage

Option 1 — pipe to shell (fastest):

curl -fsSL https://raw.githubusercontent.com/VisionaryBroadband/cve-patching/main/patch_cve_2026_31431.sh | sudo bash

All interactive prompts use read </dev/tty, so the script behaves correctly in pipe-to-shell mode — it will still pause and ask for your input at each decision point rather than silently assuming defaults.

Option 2 — download and review first (recommended for production):

curl -fsSL https://raw.githubusercontent.com/VisionaryBroadband/cve-patching/main/patch_cve_2026_31431.sh -o patch_cve_2026_31431.sh
# review the script before executing
sudo bash patch_cve_2026_31431.sh

Built-in vs. loadable modules

The mitigation path depends on how the kernel was compiled:

Build type        Config value                    Modprobe blacklist sufficient?                 GRUB patch needed?
Loadable module   CONFIG_CRYPTO_USER_API_AEAD=m   Yes                                            No
Compiled in       CONFIG_CRYPTO_USER_API_AEAD=y   No; modprobe has no effect on built-in code    Yes; requires initcall_blacklist=algif_aead_init and a reboot

Most distribution kernels ship algif_aead as a loadable module (=m). Custom or embedded kernels — and some vendor-hardened builds — may compile it in (=y). The script reads your running kernel's config automatically and routes to the correct path.

If the module is built-in and you decline the GRUB patch, the script will still apply the modprobe blacklist (no harm), report the system as partially remediated, and explicitly note that a reboot into a fixed kernel is required for full mitigation.
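The two controls from the table above (steps 5 through 7 of the script), written as idempotent helpers in an added bash example; this is not the repository's script. Every function takes the file or directory it edits as an argument, so the logic can be dry-run against copies before touching /etc. It assumes the common double-quoted form GRUB_CMDLINE_LINUX="..." in /etc/default/grub, and the drop-in name disable-algif-aead.conf from the README.

```shell
#!/usr/bin/env bash
# Added example (not the repository's script): the modprobe override and the GRUB parameter
# applied as idempotent edits to files passed in as arguments, so they can be dry-run on copies.
# Assumes a double-quoted GRUB_CMDLINE_LINUX="..." line, the common /etc/default/grub form.

MODULE=algif_aead
INITCALL=algif_aead_init

# Step 5: write the drop-in. `install <mod> /bin/false` is used instead of `blacklist <mod>`:
# blacklist only suppresses loading through the module's internal aliases, but binding an
# AF_ALG socket of type "aead" makes the kernel request the module by name, which blacklist
# does not stop. The install override turns that request into a no-op.
write_modprobe_dropin() {
  local dir="$1" f="$1/disable-algif-aead.conf"
  mkdir -p "$dir"
  printf 'install %s /bin/false\n' "$MODULE" > "$f"
  echo "$f"
}

# Step 7: confirm that some .conf in the drop-in directory carries the override (exit 0/1).
dropin_present() {
  grep -qsE "^[[:space:]]*install[[:space:]]+${MODULE}[[:space:]]+/bin/false" "$1"/*.conf
}

# Step 6: add initcall_blacklist=<init> to GRUB_CMDLINE_LINUX exactly once; prints the line.
add_initcall_blacklist() {
  local grub_file="$1" param="initcall_blacklist=${INITCALL}"
  if grep -E '^GRUB_CMDLINE_LINUX=' "$grub_file" 2>/dev/null | grep -qF -- "$param"; then
    :   # already present: nothing to do, so re-running is safe
  elif grep -qE '^GRUB_CMDLINE_LINUX=' "$grub_file" 2>/dev/null; then
    # Insert before the closing quote, then drop the stray leading space left when the value was "".
    sed -i -E "s|^(GRUB_CMDLINE_LINUX=\")(.*)\"|\1\2 ${param}\"|; s|=\" ${param}|=\"${param}|" "$grub_file"
  else
    printf 'GRUB_CMDLINE_LINUX="%s"\n' "$param" >> "$grub_file"
  fi
  grep -E '^GRUB_CMDLINE_LINUX=' "$grub_file"
}

# Whichever config generator this distro ships; prints nothing and exits 1 if none is on PATH.
grub_mkconfig_tool() {
  local t
  for t in grub2-mkconfig update-grub grub-mkconfig; do
    if command -v "$t" >/dev/null 2>&1; then echo "$t"; return 0; fi
  done
  return 1
}
```

On a real host the calls are write_modprobe_dropin /etc/modprobe.d, dropin_present /etc/modprobe.d and, for a built-in kernel only, add_initcall_blacklist /etc/default/grub followed by the tool that grub_mkconfig_tool reports; the reboot is still required, since initcall_blacklist only takes effect at boot.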


AF_ALG consumer detection

Before patching, the script checks whether any running processes are actively using the AF_ALG socket interface — the same interface algif_aead exposes. Disabling the module while these processes are running may cause them to fail or degrade. Common consumers include:

  • OpenSSL with the afalg engine enabled (hardware crypto offload)
  • libkcapi-based applications
  • WireGuard userspace tools on older kernels
  • Custom applications that bind crypto sockets directly using socket(AF_ALG, ...)

If the scan finds active consumers, their process names, PIDs, and socket details are printed. You are then prompted whether to proceed. The script does not automatically kill any processes; that decision is yours. Check the socket type before deciding: only aead sockets depend on algif_aead. Sockets of type skcipher, hash and rng are served by the separate algif_skcipher, algif_hash and algif_rng modules and keep working after this patch, even though the scan lists them because it matches on the AF_ALG family as a whole.

If lsof is not installed, the scan falls back to ss -xa alone. If neither tool finds anything, or if neither is available, the script notes this and continues. Treat an empty result as best-effort rather than proof: a consumer that is not running at scan time, or one the scanning tool cannot inspect, will not be listed.
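A consumer check that needs neither lsof nor ss, added here as an example and not part of the repository's script. Every open AF_ALG socket holds a reference on the algif_* module that serves its type, so the reference count in the third column of /proc/modules shows whether anything is actually using algif_aead, and therefore whether rmmod can succeed. The listing path is a parameter so the functions run against the constructed sample at the bottom; pass /proc/modules on a live host.

```shell
#!/usr/bin/env bash
# Added example (not the repository's script): AF_ALG consumer check based on module
# reference counts rather than lsof/ss. Takes a /proc/modules-style listing as a path so it
# can run against the constructed sample at the bottom; pass --live to read /proc/modules.

# "module refcount" for every algif_* module in the listing (column 3 is the reference count).
algif_refcounts() {
  awk '$1 ~ /^algif_/ { print $1, $3 }' "$1"
}

# Exit 0 if algif_aead is loaded with no users (rmmod will succeed), 1 if something pins it,
# 2 if it is not listed at all (not built, or built in and therefore absent from /proc/modules).
aead_unloadable() {
  local rc
  rc=$(awk '$1 == "algif_aead" { print $3 }' "$1")
  [ -n "$rc" ] || return 2
  [ "$rc" -eq 0 ]
}

# Tell the operator which consumers matter. Only aead sockets depend on algif_aead; sockets
# of type skcipher, hash and rng are served by algif_skcipher, algif_hash and algif_rng and
# keep working after this patch, even though a family-wide AF_ALG scan lists them too.
consumer_summary() {
  awk '
    $1 == "algif_aead" { aead = $3 }
    $1 ~ /^algif_/ && $1 != "algif_aead" && $3 > 0 { others = others " " $1 "(" $3 ")" }
    END {
      if (aead == "")    print "algif_aead not loaded"
      else if (aead > 0) print "BLOCKING: algif_aead refcount " aead " (open aead sockets pin it)"
      else               print "ok: algif_aead has no users"
      if (others != "")  print "unaffected consumers:" others
    }' "$1"
}

if [ "${1:-}" = "--live" ]; then
  consumer_summary /proc/modules
else
  # Constructed sample listing (not captured from a real host) so the script runs offline.
  sample=$(mktemp)
  printf '%s\n' \
    'algif_aead 16384 1 - Live 0xffffffffc0a00000' \
    'algif_skcipher 16384 3 - Live 0xffffffffc0b00000' \
    'algif_hash 16384 0 - Live 0xffffffffc0c00000' \
    'af_alg 28672 3 algif_aead,algif_skcipher,algif_hash, Live 0xffffffffc0900000' > "$sample"
  consumer_summary "$sample"
  rm -f "$sample"
fi
```

The refcount tells you that something is pinning the module but not which process; when it is non-zero, the lsof scan in step 4 (or a walk of /proc/*/fd) is still needed to name the owner before deciding whether to proceed.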


Tested on

Distribution                          Version(s)
Ubuntu                                22.04 LTS, 24.04 LTS
Debian                                11 (Bullseye), 12 (Bookworm)
RHEL / CentOS Stream                  8, 9
AlmaLinux / Rocky Linux               8, 9
Fedora                                39, 40
SUSE Linux Enterprise / openSUSE Leap 15.5
Arch Linux                            Rolling (2026-04)

Disclaimer

This script is an interim workaround, not a permanent fix. Disabling algif_aead closes the immediate attack surface but may affect software that relies on the kernel's userspace crypto API. The definitive remediation is upgrading to a kernel version that contains the upstream patch for CVE-2026-31431.

Monitor your distribution's security advisories for a patched kernel release and plan an upgrade as soon as one is available for your platform.


License

MIT — Visionary Broadband
