Lustre LU-20229: disable CONFIG_CRYPTO_USER_API_AEAD in kernel config files

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Lustre 2.18.0, Lustre 2.15.9

The most current kernels for RHEL 8.10, 9.7, 10.1, SLES15 SP7, and SLES 16.0 contain the fix for the CVE-2026-31431 “Copy Fail” issue:

    kernel: crypto: algif_aead - Revert to operating out-of-place (CVE-2026-31431)

However, older kernels do not have this fix, so we have to mitigate the issue at the kernel-config level.

The key kernel config option tied to the CVE-2026-31431 “Copy Fail” issue is:

    CONFIG_CRYPTO_USER_API_AEAD

That option enables the vulnerable algif_aead userspace crypto interface (AF_ALG AEAD sockets), which is the attack surface used by the exploit.

To mitigate the issue at the kernel-config level, we need to make the following change:

    # Disable vulnerable AEAD AF_ALG interface
    CONFIG_CRYPTO_USER_API_AEAD=n

Additional related options commonly disabled for hardening are:

    CONFIG_CRYPTO_USER_API=n
    CONFIG_CRYPTO_USER_API_HASH=n
    CONFIG_CRYPTO_USER_API_SKCIPHER=n
    CONFIG_CRYPTO_USER_API_RNG=n

Only CONFIG_CRYPTO_USER_API_AEAD is directly implicated in Copy Fail. The others just remove the broader AF_ALG userspace crypto API surface.
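The following script is an added example, not part of this ticket or the Lustre tree: it audits a kernel .config (or config fragment) for CONFIG_CRYPTO_USER_API_AEAD and rewrites it so the option is disabled. It assumes plain Kconfig syntax; note that kconfig accepts `CONFIG_X=n` when reading a config but writes a disabled option as `# CONFIG_X is not set`, so a check has to recognise both forms.

```shell
#!/bin/sh
# Added example, not from LU-20229 or the Lustre tree: audit a kernel .config
# (or config fragment) for CONFIG_CRYPTO_USER_API_AEAD and disable it.
# Assumes plain Kconfig syntax: "CONFIG_X=y", "CONFIG_X=m", "CONFIG_X=n"
# (accepted when read) or "# CONFIG_X is not set" (the form kconfig writes).

OPT=CONFIG_CRYPTO_USER_API_AEAD

# Print the state of $OPT in config file $1: enabled, disabled or absent.
# Both =y and =m count as enabled, since algif_aead is then built.
config_state() {
    if grep -Eq "^${OPT}=(y|m)$" "$1"; then
        echo enabled
    elif grep -Eq "^(# ${OPT} is not set|${OPT}=n)$" "$1"; then
        echo disabled
    else
        echo absent
    fi
}

# Rewrite config file $1 so that $OPT is disabled, using the "is not set"
# form. An existing =y/=m/=n line is replaced; a missing option is appended.
# The file is rewritten through a temp copy so its permissions are kept.
disable_option() {
    if grep -Eq "^${OPT}=" "$1"; then
        tmp=$(mktemp)
        sed "s/^${OPT}=.*/# ${OPT} is not set/" "$1" > "$tmp"
        cat "$tmp" > "$1" && rm -f "$tmp"
    elif ! grep -Fqx "# ${OPT} is not set" "$1"; then
        printf '# %s is not set\n' "$OPT" >> "$1"
    fi
}

# Demonstration on a constructed fragment resembling a distro config.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_CRYPTO_USER_API_AEAD=m
EOF
    echo "before: $(config_state "$f")"   # enabled
    disable_option "$f"
    echo "after:  $(config_state "$f")"   # disabled
    rm -f "$f"
}

demo
```

Running it against a real file (for example `/boot/config-$(uname -r)` with `config_state` only) tells you whether a running kernel was built with the AF_ALG AEAD interface at all.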

Jian Yu (yujian)