https://vulnerability.circl.lu/comments/feedMost recent comments.2026-05-01T19:03:35.998477+00:00Vulnerability-Lookupinfo@circl.lupython-feedgenContains only the most 10 recent comments.https://vulnerability.circl.lu/comment/015dc7f6-33e1-49b4-af56-d27f0111165aQuick remediation2026-05-01T19:03:36.003424+00:00Alexandre Dulaunoyhttp://cve.circl.lu/user/adulau# Kernel module (without reboot)
If your system use dynamic loading of kernel module, the following can be done:
`rmmod algif_aead` to ensure that the module is not loaded
Create and edit the file `/etc/modprobe.d/disable-algif.conf` and add `install algif_aead /bin/false`
# Kernel with algif_aead (such as RedHat)
Based on the following [https://csirt.egi.eu/2026/04/30/critical-vulnerability-in-linux-kernel/](https://csirt.egi.eu/2026/04/30/critical-vulnerability-in-linux-kernel/) reference, this can be done:
`sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"; sudo reboot" `
which will require a reboot.
# BPF filtering
There are also options there.2026-04-30T10:07:37.569122+00:00https://vulnerability.circl.lu/comment/22701e2f-15d4-44db-9df9-7e7cdb26d102Microsoft WSL is also vulnerable2026-05-01T19:03:36.003361+00:00Alexandre Dulaunoyhttp://cve.circl.lu/user/adulauhttps://github.com/microsoft/WSL/issues/403652026-04-30T15:40:35.429386+00:00https://vulnerability.circl.lu/comment/5e9c3f17-4570-484f-9113-fab5ca85b815Deny alg_socket to Containers with SELinux to Mitigate CVE‑2026‑314312026-05-01T19:03:36.002175+00:00Alexandre Dulaunoyhttp://cve.circl.lu/user/adulau[Original blog post](https://blog.feistel.party/2026/04/30/deny-alg-socket-to-containers-with-selinux-to-mitigate-cve-2026-31431.html)
# Deny alg_socket to Containers with SELinux to Mitigate CVE‑2026‑31431 | Blog•Feistel•Party
[CVE-2026-31431 or “Copy Fail”](https://xint.io/blog/copy-fail-linux-distributions) is a bug in the Linux kernel’s implementation of the AF\_ALG socket type that exposes the kernel’s crypto subsystem to unprivileged userspace. Because most applications don’t use this and there is a risk of container escape, it makes sense to deny access.
In the example below, I’m using the `fish` shell with an SELinux userspace release after 3.6 which is when support for deny rules was added.
opc@sparkling ~\> \# remove rule for testing
opc@sparkling ~\> sudo semodule \-r psub-container-alg
libsemanage.semanage\_direct\_remove\_key: Removing last psub-container-alg module (no other psub-container-alg module exists at another priority).
opc@sparkling ~\> sudo podman run \-ti \--rm alpine/openssl engine \-t \-c \-vv afalg
(afalg) AFALG engine support
\[AES-128-CBC, AES-192-CBC, AES-256-CBC\]
\[ available \]
opc@sparkling ~\> sudo semodule \-i (sesearch \-A \-s container\_ \-rs \-c alg\_socket \-p create | egrep \-v unconfined | sed 's/^allow/\\(deny/; s/:/ \\(/; s/{/\\(/; s/};/)))/' | psub \-s \-container-alg.cil)
opc@sparkling ~\> sudo podman run \-ti \--rm alpine/openssl engine \-t \-c \-vv afalg
20DD97B0FFFF0000:error:4000006D:lib(128)::reason(109):engines/e\_afalg.c:882:
20DD97B0FFFF0000:error:1300006D:engine routines:dynamic\_load:init failed:crypto/engine/eng\_dyn.c:498:
20DD97B0FFFF0000:error:13000074:engine routines:ENGINE\_by\_id:no such engine:crypto/engine/eng\_list.c:470:id=afalg
opc@sparkling ~ \[1\]\> \# :)
opc@sparkling ~ \[1\]\>
### Alternative Mitigations
[Red Hat suggests](https://access.redhat.com/security/cve/cve-2026-31431) an `initcall_blacklist` in the boot arguments.
[Lennart Poettering’s advice for CVE-2016-8655](https://0pointer.net/blog/avoiding-cve-2016-8655-with-systemd.html) should also work for CVE‑2026‑31431 by using `RestrictAddressFamilies=~AF_ALG` on a per-service basis. In my testing this works for both containers and other services. [R-fx Networks pairs](https://www.rfxn.com/research/copyfail-cve-2026-31431) this with `SystemCallArchitectures=native`.
user@serv ~\> sudo systemd-run \--pty \--wait \--collect podman run \-ti \--rm alpine/openssl engine \-t \-c \-vvv afalg
Running as unit: run-u3914.service
Press ^\] three times within 1s to disconnect TTY.
(afalg) AFALG engine support
\[AES-128-CBC, AES-192-CBC, AES-256-CBC\]
\[ available \]
Finished with result: success
Main processes terminated with: code=exited/status=0
Service runtime: 548ms
user@serv ~\> sudo systemd-run \--pty \--wait \--collect \-p 'RestrictAddressFamilies=~AF\_PACKET AF\_ALG' podman run \-ti \--rm alpine/openssl engine \-t \-c \-vvv afalg
Running as unit: run-u3923.service
Press ^\] three times within 1s to disconnect TTY.
280B94F7067F0000:error:4000006D:lib(128)::reason(109):engines/e\_afalg.c:882:
280B94F7067F0000:error:1300006D:engine routines:dynamic\_load:init failed:crypto/engine/eng\_dyn.c:498:
280B94F7067F0000:error:13000074:engine routines:ENGINE\_by\_id:no such engine:crypto/engine/eng\_list.c:470:id=afalg
Finished with result: exit-code
Main processes terminated with: code=exited/status=1
Service runtime: 563ms
user@serv ~ \[1\]\> sudo systemd-run \--pty \--wait \--collect openssl engine \-t \-c \-vvv afalg
Running as unit: run-u3932.service
Press ^\] three times within 1s to disconnect TTY.
(afalg) AFALG engine support
\[AES-128-CBC, AES-192-CBC, AES-256-CBC\]
\[ available \]
Finished with result: success
Main processes terminated with: code=exited/status=0
Service runtime: 8ms
user@serv ~\> sudo systemd-run \--pty \--wait \--collect \-p 'RestrictAddressFamilies=~AF\_PACKET AF\_ALG' openssl engine \-t \-c \-vvv afalg
Running as unit: run-u3935.service
Press ^\] three times within 1s to disconnect TTY.
139718332651328:error:8006406D:lib(128):func(100):reason(109):engines/e\_afalg.c:800:
139718332651328:error:260B606D:engine routines:dynamic\_load:init failed:crypto/engine/eng\_dyn.c:485:
139718332651328:error:2606A074:engine routines:ENGINE\_by\_id:no such engine:crypto/engine/eng\_list.c:334:id=afalg
Finished with result: exit-code
Main processes terminated with: code=exited/status=1
Service runtime: 7ms
user@serv ~ \[1\]\>
### Questions about SELinux
#### Why was support for deny rules only added to the SELinux userspace in 2023?
#### Why is the output of `sesearch` so dissimilar to the input of `semanage` ?
#### What is the purpose of `allow unconfined_domain_type domain:alg_socket` and does leaving this rule alone ruin the mitigation?
opc@sparkling ~\> seinfo \-a unconfined\_domain\_type \-x | grep \-E '(contain|^\\w|^\\s{3})\\w'
Type Attributes: 1
attribute unconfined\_domain\_type;
container\_runtime\_t
opc@sparkling ~\>
This relates to `container_runtime_t`. This is [for privileged containers in rootless mode](https://www.redhat.com/en/blog/privileged-flag-container-engines) and [for the container management engine itself](https://criu.org/Security_Enhanced_Linux). So it’s probably OK.2026-05-01T12:15:18.046173+00:00