undefined | Better HN

0 pointsmarshray26d ago0 comments

No it hasn't.

Ubuntu before 26.04 LTS (released a week ago) are currently listed as vulnerable.

Debian other than forky and sid are currently listed as vulnerable.

This is a disgrace.

0 comments

Disclosure timeline

    2026-03-23Reported to Linux kernel security team
    2026-03-24Initial acknowledgment
    2026-03-25Patches proposed and reviewed
    2026-04-01Patch committed to mainline
    2026-04-22CVE-2026-31431 assigned
    2026-04-29Public disclosure (https://copy.fail/)

kernel 6.19.14-arch1-1, the kernel in question from the parent comment, has been patched.

marshrayOP26d ago

The lesson here being... compile your own kernel from git sources every few days?

Give up entirely on non-virtualized container security?

This is not sarcasm. I'd finally given in and started learning about docker/podman-style OCI containerization last week.

john_strinlai26d ago

in this specific case, they offer an alternative mitigation if your chosen distro has not updated yet:

For immediate mitigation, block AF_ALG socket creation via seccomp or blacklist the algif_aead module:

    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
    rmmod algif_aead 2>/dev/null

marshrayOP26d ago

Thanks!

I'd do 'umask 133' in front of the echo out of paranoia.

Out of curiosity, was the asterisk after '2>/dev/null' intentional? I had not seen that idiom before.

2 more replies

DooMMasteR25d ago

I mean, most Kernel version literally got the patch 2026.04.30, so just today.

x413225d ago

are you sure containerization would be more secure? this is also a rootless podman escape. the lesson here is to not give random people shell access to your systems.

j / k navigate · click thread line to collapse

0 comments

john_strinlai26d ago

Disclosure timeline

    2026-03-23Reported to Linux kernel security team
    2026-03-24Initial acknowledgment
    2026-03-25Patches proposed and reviewed
    2026-04-01Patch committed to mainline
    2026-04-22CVE-2026-31431 assigned
    2026-04-29Public disclosure (https://copy.fail/)

kernel 6.19.14-arch1-1, the kernel in question from the parent comment, has been patched.

marshrayOP26d ago

The lesson here being... compile your own kernel from git sources every few days?

Give up entirely on non-virtualized container security?

This is not sarcasm. I'd finally given in and started learning about docker/podman-style OCI containerization last week.

john_strinlai26d ago

in this specific case, they offer an alternative mitigation if your chosen distro has not updated yet:

For immediate mitigation, block AF_ALG socket creation via seccomp or blacklist the algif_aead module:

    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
    rmmod algif_aead 2>/dev/null

marshrayOP26d ago

Thanks!

I'd do 'umask 133' in front of the echo out of paranoia.

Out of curiosity, was the asterisk after '2>/dev/null' intentional? I had not seen that idiom before.

2 more replies

DooMMasteR25d ago

I mean, most Kernel version literally got the patch 2026.04.30, so just today.

x413225d ago

are you sure containerization would be more secure? this is also a rootless podman escape. the lesson here is to not give random people shell access to your systems.

j / k navigate · click thread line to collapse