Security Advisory: CVE-2026-31431 (Copy Fail) - 2nd round

01 May 2026 Posted by: mstauber Category: General

Updated Hotfix: We have since discovered that the initial mitigation was incomplete.

Important Update on Yesterday’s Hotfix

Yesterday we published a hotfix for CVE-2026-31431 via an updated swatch RPM. We have since discovered that the initial mitigation was incomplete on AlmaLinux 8/9/10 systems.

We sincerely apologize for the inconvenience and any false sense of security this may have caused. Security is our top priority, and we have now released a significantly improved second hotfix.

What was wrong with the first hotfix?

The first version relied on a simple modprobe blacklist for the algif_aead module. On Red Hat-based distributions (including AlmaLinux), the vulnerable code is compiled directly into the kernel, making the modprobe blacklist ineffective. Apparently we weren't the only ones who thought that this fix would work on RedHat clones, but luckily grsecurity on X (formerly Twitter) pointed out the issue and BlueOnyx user Janwillem Ronken alerted us as soon as he saw that. Many thanks!

What we changed this time (Improved 2nd Hotfix)

We have released a new updated swatch RPM that now depends on this patch (from Ivan Agarkov - many thanks!), which we rolled into the new RPM blueonyx-cve-2026-31431-ebpf.

This second round implements a **layered mitigation**:

  • Persistent protection (after reboot): initcall_blacklist=af_alg_init applied via grubby to all installed kernels. This fully disables the entire AF_ALG subsystem at boot time. This layer obviously requires a reboot to take effect.
  • Immediate protection (no reboot needed): An eBPF-based socket filter that blocks AF_ALG socket creation for all non-root users. This is the same technique used by the widely discussed wg.copyfail.patch, but properly packaged and maintained for BlueOnyx.

Special handling for BlueOnyx 5210R (AlmaLinux 8)
Due to the older kernel and toolchain on EL8, we added a custom loader, systemd service, and fallback vmlinux.h generation so the eBPF program loads reliably.

Every run of the Active Monitor continues to verify and re-apply both layers automatically.

Please note: On Aventurin{e} 6110R, Incus, and LXC, only the virtualization node needs the update. Prioritize the updates accordingly.

What This Means for You

  • If you already installed yesterday’s swatch update, simply run dnf update again to receive the corrected packages.
  • The new mitigation is much stronger and actually effective.
  • No server restart is required for immediate protection (thanks to eBPF).
  • Normal operation of web, mail, databases, etc. remains completely unaffected.

Next Steps

  1. Update the packages:
    dnf clean all && dnf update -y
  2. Reboot at your convenience to activate the persistent initcall_blacklist layer.
  3. We will continue monitoring AlmaLinux errata and will notify you when the official patched kernel becomes available.

How to test if a server is secure?

That can be done this way:

sudo -u admin -g users python3 -c '
import socket
try:
    s = socket.socket(38, 5, 0)   # 38 = AF_ALG, 5 = SOCK_SEQPACKET
    print("❌ AF_ALG socket creation succeeded")
except Exception as e:
    print("✅ Blocked:", e)
'

Copy the entire block above and make sure not to forget the trailing ' at the end. Then paste it in a shell on the server you want to test.
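The one-liner above only exercises the immediate (eBPF) layer. The following script is an added example, not part of the BlueOnyx packages, that checks both layers: it parses the running kernel's command line and every boot entry grubby knows about for initcall_blacklist=af_alg_init, and repeats the AF_ALG socket test as the unprivileged admin user. It assumes it is run as root on an EL8/9/10 host where grubby and python3 are installed; the function names and the OK/WARN/FAIL output format are my own.

```shell
#!/bin/sh
# Added verification helper (not BlueOnyx's own tooling) for the two mitigation
# layers in the advisory. Assumes root on EL8/9/10 with grubby and python3 present.
# Usage: . ./verify-copyfail.sh && verify_copyfail_mitigation

# Layer 1: does a kernel command line carry initcall_blacklist=af_alg_init?
# The cmdline is passed as $1 so /proc/cmdline and grubby's args can both be checked.
# initcall_blacklist takes a comma-separated list, so af_alg_init is matched as a whole token.
cmdline_blacklists_af_alg() {
  printf '%s\n' "$1" |
    grep -Eq '(^|[[:space:]])initcall_blacklist=([^[:space:]]*,)?af_alg_init(,|[[:space:]]|$)'
}

# Layer 2: attempt AF_ALG socket creation as an unprivileged user (default admin/users,
# as in the advisory's test). Returns 0 when creation is refused, 1 when it succeeds.
af_alg_blocked_for_user() {
  sudo -u "${1:-admin}" -g "${2:-users}" python3 - <<'EOF'
import socket, sys
try:
    s = socket.socket(38, 5, 0)   # 38 = AF_ALG, 5 = SOCK_SEQPACKET
except OSError:
    sys.exit(0)                   # refused: eBPF filter or boot blacklist is active
s.close()
sys.exit(1)                       # created: no effective mitigation for this user
EOF
}

# Check the running kernel, every boot entry known to grubby, and the live socket test.
# Exit status is 0 only when all checks pass, so it can be run from cron or a monitor.
verify_copyfail_mitigation() {
  rc=0
  if cmdline_blacklists_af_alg "$(cat /proc/cmdline)"; then
    echo "OK   running kernel: initcall_blacklist=af_alg_init present"
  else
    echo "WARN running kernel: blacklist missing (reboot still pending?)"; rc=1
  fi
  if command -v grubby >/dev/null 2>&1; then
    # grubby --info=ALL prints one args="..." line per boot entry
    missing=$(grubby --info=ALL | sed -n 's/^args="\(.*\)"$/\1/p' |
      while read -r args; do cmdline_blacklists_af_alg "$args" || echo "  $args"; done)
    if [ -n "$missing" ]; then echo "WARN boot entries without blacklist:"; echo "$missing"; rc=1; fi
  fi
  if af_alg_blocked_for_user; then
    echo "OK   AF_ALG socket creation refused for non-root user"
  else
    echo "FAIL AF_ALG socket creation succeeded for non-root user"; rc=1
  fi
  return "$rc"
}
```

A WARN on the running kernel with an OK socket test is the expected state between installing the update and rebooting; a FAIL on the socket test means the eBPF filter is not loaded and the host is unprotected right now.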

Questions?

If you run any custom software that legitimately requires AF_ALG (very rare), or if you have any concerns, please open a support ticket. We are happy to assist personally.

Thank you for your understanding, and again — our apologies for the initial incomplete fix. We have learned from this and improved our validation process going forward.

We take the security of your BlueOnyx servers very seriously.

— The BlueOnyx Team
