Post · Bonfire social

@jwildeboer@social.wildeboer.net · 3 days ago

Fresh gist: mitigating CVE-2026-31431 ("Copy Fail") on RHEL 8/9/10 with a tiny Ansible playbook.

It blacklists algif_aead via a kernel boot arg (initcall_blacklist=algif_aead_init), reboots only when needed, and asserts the mitigation actually stuck after reboot. Idempotent & safe to re-run.

https://codeberg.org/Larvitz/gists/src/branch/main/2026/20260501-CVE-2026-31431_RHEL_Mitigation.md

#Ansible #RHEL #Linux #InfoSec #SysAdmin #DevOps #CVE #CVE_2026_31431 #copyfail

Here is @Larvitz gist that gives you an Ansible playbook to deploy the mitigation on (big) fleets: https://burningboard.net/@Larvitz/116498775760655365

3/4

Jan Wildeboer 😷:krulorange:

@jwildeboer@social.wildeboer.net replied · 3 days ago

Some more details from our CVE page on CVE-2026-31431 at https://access.redhat.com/security/cve/cve-2026-31431 For more infos also on availability of updates see https://nvd.nist.gov/vuln/detail/CVE-2026-31431and https://www.cve.org/CVERecord?id=CVE-2026-31431

2/4

https://www.cve.org/CVERecord?id=CVE-2026-31431

cve-details

General guidance which is applicable to many products is below. Warning: there may be performance impacts for modifying functionality that uses kernel cryptographic functions. Though the affected module cannot be blacklisted, the affected functions themselves can be using the following boot arguments:

initcall_blacklist=algif_aead_init

Alternatively, the af_alg interface itself can be blocked:

initcall_blacklist=af_alg_init

As a further alternative, the affected algorithm can be blocked:

initcall_blacklist=crypto_authenc_esn_module_init — General guidance which is applicable to many products is below. Warning: there may be performance impacts for modifying functionality that uses kernel cryptographic functions. Though the affected module cannot be blacklisted, the affected functions themselves can be using the following boot arguments: initcall_blacklist=algif_aead_init Alternatively, the af_alg interface itself can be blocked: initcall_blacklist=af_alg_init As a further alternative, the affected algorithm can be blocked: initcall_blacklist=crypto_authenc_esn_module_init

Jan Wildeboer 😷:krulorange:

@jwildeboer@social.wildeboer.net replied · 3 days ago

Here is @Larvitz gist that gives you an Ansible playbook to deploy the mitigation on (big) fleets: https://burningboard.net/@Larvitz/116498775760655365

3/4

Jan Wildeboer 😷:krulorange:

@jwildeboer@social.wildeboer.net replied · 3 days ago

The TL;DR of #CopyFail in my opinion: Due to an unusual (I personally think irresponsible) disclosure, we sysadmins are now dealing with having to push out an immediate mitigation until the updated kernel packages become available. I am trying to help in a pragmatic way. This too will pass, but it also shows that running Linux servers comes with responsibilities to protect your machines and users.

4/4

Jan Wildeboer 😷:krulorange:

@jwildeboer@social.wildeboer.net replied · 3 days ago

ADDENDUM: Now also a blog post at https://jan.wildeboer.net/2026/05/PSA-CopyFail-CVE-2026-31431/

Jan Wildeboer's Blog

PSA on Copy Fail (CVE-2026-31431)

This is a short PSA (Public Service Announcement) on how I dealt with the Copy Fail vulnerability. This will be updated as soon as the updated kernel packages are made available. This is a pragmatic post on how to deploy a mitigiation RIGHT NOW.

⁂

Bonfire social

Bonfire social: About · Code of conduct · Privacy ·

Bonfire social · 1.0.0-rc.3.6 no JS en

Automatic federation enabled