Lustre issue LU-20229

disable CONFIG_CRYPTO_USER_API_AEAD in kernel config files

Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Versions: Lustre 2.18.0, Lustre 2.15.9

    Description

      The most current kernels for RHEL 8.10, 9.7, 10.1, SLES15 SP7, and SLES 16.0 contain the fix for the CVE-2026-31431 “Copy Fail” issue:

      kernel: crypto: algif_aead - Revert to operating out-of-place (CVE-2026-31431)

      However, old kernels do not have this fix. We have to mitigate the issue at the kernel-config level.

      The key kernel config option tied to the CVE-2026-31431 “Copy Fail” issue is:

      CONFIG_CRYPTO_USER_API_AEAD

      That option enables the vulnerable algif_aead userspace crypto interface (AF_ALG AEAD sockets), which is the attack surface used by the exploit.

      To mitigate the issue at the kernel-config level, we need to make the following change:

      # Disable vulnerable AEAD AF_ALG interface
      CONFIG_CRYPTO_USER_API_AEAD=n

      Additional related options commonly disabled for hardening are:

      CONFIG_CRYPTO_USER_API=n
      CONFIG_CRYPTO_USER_API_HASH=n
      CONFIG_CRYPTO_USER_API_SKCIPHER=n
      CONFIG_CRYPTO_USER_API_RNG=n

      Only CONFIG_CRYPTO_USER_API_AEAD is directly implicated in Copy Fail. The others just remove the broader AF_ALG userspace crypto API surface.
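      As an added example (not part of this ticket or of Lustre's own tooling), a POSIX shell audit that reads a kernel config file and reports the state of each AF_ALG option listed above, so an administrator can confirm the mitigation landed in the built kernel. It assumes the standard Kconfig output format and, when run directly, reads /boot/config-$(uname -r); the sample configs it writes are constructed, not real distro files.

```shell
#!/bin/sh
# Added example, not from the LU-20229 ticket: audit a kernel config file for
# the AF_ALG userspace crypto options. Assumes standard Kconfig output:
# "CONFIG_FOO=y", "CONFIG_FOO=m", "CONFIG_FOO=n" (in fragments) or
# "# CONFIG_FOO is not set" (what `make olddefconfig` writes for =n).

# Options named in the ticket; only the first is directly tied to CVE-2026-31431.
AF_ALG_OPTIONS="CONFIG_CRYPTO_USER_API_AEAD CONFIG_CRYPTO_USER_API \
CONFIG_CRYPTO_USER_API_HASH CONFIG_CRYPTO_USER_API_SKCIPHER CONFIG_CRYPTO_USER_API_RNG"

# option_state FILE OPTION -> prints enabled | disabled | absent
# "absent" covers kernels too old to offer the option, so it is not a finding.
option_state() {
    if grep -Eq "^$2=(y|m)\$" "$1"; then
        echo enabled
    elif grep -Eq "^(# $2 is not set|$2=n)\$" "$1"; then
        echo disabled
    else
        echo absent
    fi
}

# aead_mitigated FILE -> exit 0 when algif_aead is neither built in nor a module
aead_mitigated() {
    [ "$(option_state "$1" CONFIG_CRYPTO_USER_API_AEAD)" != enabled ]
}

# report FILE -> one line per option, then the overall verdict for AEAD
report() {
    for opt in $AF_ALG_OPTIONS; do
        printf '%-34s %s\n' "$opt" "$(option_state "$1" "$opt")"
    done
    if aead_mitigated "$1"; then
        echo "OK: AF_ALG AEAD interface (algif_aead) is not built"
    else
        echo "WARN: CONFIG_CRYPTO_USER_API_AEAD is built; disable it per LU-20229"
    fi
}

# make_sample PATH vulnerable|mitigated -> writes a constructed config for demonstration
make_sample() {
    case $2 in
        vulnerable) printf 'CONFIG_CRYPTO_USER_API=y\nCONFIG_CRYPTO_USER_API_AEAD=m\n' > "$1" ;;
        mitigated)  printf 'CONFIG_CRYPTO_USER_API=y\n# CONFIG_CRYPTO_USER_API_AEAD is not set\nCONFIG_CRYPTO_USER_API_RNG=n\n' > "$1" ;;
    esac
}

# When run directly: audit the running kernel if its config is readable,
# otherwise demonstrate on the constructed vulnerable sample.
cfg=/boot/config-$(uname -r)
if [ ! -r "$cfg" ]; then cfg=$(mktemp); make_sample "$cfg" vulnerable; fi
report "$cfg"
```

      Distributions that ship the config only as /proc/config.gz can be audited the same way after `zcat /proc/config.gz > /tmp/config`.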

      People

        yujian Jian Yu