{"uuid": "fc060951-4939-4911-8338-296cf6ec14d9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-31431", "type": "seen", "source": "https://gist.github.com/martijnengler/af7e9116199ba7e8e6e1df7d4ca2ebbc", "content": "#!/bin/sh\n\n# https://www.transip.nl/knowledgebase/controleren-of-je-vps-ipsecesp-xfrm-of-rxrpcafs-gebruikt\n# https://www.transip.nl/knowledgebase/copy-fail-cve-2026-31431-je-linux-vps-controleren-en-patchen/#Controleer-en-update-je-Linux-VPS\n\nset -eu\n\nCONF=/etc/modprobe.d/dirtyfrag.conf\n\nusage() {\n  echo \"Usage: $0 [--check|--disable|--revert]\"\n  exit 1\n}\n\nrun() {\n  echo \"+ $*\"\n  \"$@\"\n}\n\ncheck_ipsec() {\n  echo \"== IPsec / XFRM ==\"\n  echo \"-- xfrm state --\"\n  ip xfrm state || true\n  echo \"-- xfrm policy --\"\n  ip xfrm policy || true\n\n  echo \"-- loaded IPsec-related modules --\"\n  lsmod | egrep '^(esp4|esp6|xfrm_user|xfrm_algo|af_key)' || true\n\n  echo \"-- known IPsec services --\"\n  systemctl --type=service | egrep 'strongswan|libreswan|ipsec|racoon' || true\n\n  echo \"-- IKE / NAT-T ports --\"\n  ss -lunp | egrep ':(500|4500)\\b' || true\n}\n\ncheck_rxrpc_afs() {\n  echo\n  echo \"== RxRPC / AFS ==\"\n  echo \"-- loaded RxRPC/AFS modules --\"\n  lsmod | egrep '^(rxrpc|kafs|openafs)' || true\n\n  echo \"-- AFS processes --\"\n  ps aux | egrep 'afs|openafs|kafs' | grep -v grep || true\n\n  echo \"-- AFS services --\"\n  systemctl --type=service | egrep 'afs|openafs' || true\n}\n\ndisable_dirtyfrag() {\n  if [ \"$(id -u)\" -ne 0 ]; then\n    echo \"Run with sudo for --disable\"\n    exit 1\n  fi\n\n  echo \"Writing $CONF\"\n  cat &gt; \"$CONF\" &lt;&lt;'EOF'\ninstall esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\nEOF\n\n  echo \"Unloading modules if currently loaded\"\n  rmmod esp4 esp6 rxrpc 2&gt;/dev/null || true\n\n  echo \"Dropping page cache\"\n  sh -c 'echo 3 &gt; /proc/sys/vm/drop_caches'\n\n  echo \"Done. Current relevant module status:\"\n  lsmod | egrep '^(esp4|esp6|rxrpc)' || echo \"OK: esp4/esp6/rxrpc not loaded\"\n}\n\nrevert_dirtyfrag() {\n  if [ \"$(id -u)\" -ne 0 ]; then\n    echo \"Run with sudo for --revert\"\n    exit 1\n  fi\n\n  rm -f \"$CONF\"\n  echo \"Removed $CONF\"\n  echo \"Reboot, or manually modprobe modules again if needed.\"\n}\n\nMODE=\"${1:---check}\"\n\ncase \"$MODE\" in\n  --check)\n    check_ipsec\n    check_rxrpc_afs\n    ;;\n  --disable)\n    check_ipsec\n    check_rxrpc_afs\n    echo\n    echo \"About to disable esp4, esp6, and rxrpc.\"\n    echo \"This can break IPsec VPNs and AFS/RxRPC.\"\n    printf \"Continue? [y/N] \"\n    read ans\n    case \"$ans\" in\n      y|Y|yes|YES) disable_dirtyfrag ;;\n      *) echo \"Aborted.\" ;;\n    esac\n    ;;\n  --revert)\n    revert_dirtyfrag\n    ;;\n  *)\n    usage\n    ;;\nesac", "creation_timestamp": "2026-05-08T17:50:09.000000Z"}