TC17 vulnerable to copy.fail (CVE-2026-31431)

[adb014]

For information the kernel config of TC17 includes

CONFIG_CRYPTO_USER_API_AEAD=y

and so the kernel of of TC17 is vulnerable to copy.fail and blacklisting the modprobe of algif_aeqd as suggested in some remediation guides is not possible. The easiest fix for this would be to recompile the kernel with

CONFIG_CRYPTO_USER_API_AEAD=n

though a better fix would be to update the kernel to 6.18.22 or later, or backporting the kernel patch for 6.18.22 (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8)

[Juanito]

Does this boot code disable the module?

Code: [Select]

initcall_blacklist=algif_aead_init

[adb014]

According to https://blog.cloudlinux.com/cve-2026-31431-copy-fail-mitigation-and-patches yes this will block the attack

[mjmouse]

Code: [Select]

initcall_blacklist=algif_aead_init


Unfortunately that doesn't, at least with TinyCore 16.

Scripts at https://github.com/rootsecdev/cve_2026_31431 (modifying /etc/passwd to have an id of 0000 in the line, and then having su misled into authenticating root) still work.

Code: [Select]

[    0.013375] Kernel command line: BOOT_IMAGE=/tce/boot/vmlinuz64 quiet syslog safe showapps vga=normal [...] initcall_blacklist=algif_aead_init initrd=/tce/boot/corepure64.gz
[    0.013678] initcall_blacklist requires CONFIG_KALLSYMS
[    0.013723] Unknown kernel command line parameters "syslog safe showapps BOOT_IMAGE=/tce/boot/vmlinuz64 vga=normal [...] initcall_blacklist=algif_aead_init", will be passed to user space.

(snipped out tce/etc parameters)

[adb014]

Looking that the kernel config of TC17

Code: [Select]

$ grep CONFIG_KALL config-6.18.2-tinycore64
# CONFIG_KALLSYMS is not set

Given the error message of mjmouse, TC17 will have the same problem