All Products
Search

This Product

    Alibaba Cloud Linux:Mitigation for disabling AF_ALG on Alibaba Cloud Linux

    Document Center

    Alibaba Cloud Linux:Mitigation for disabling AF_ALG on Alibaba Cloud Linux

    Last Updated:May 07, 2026

    This document describes the risks of CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel, and provides a mitigation solution. This solution blocks the exploit path by preventing the creation of AF_ALG sockets. This solution applies only if your workloads do not depend on AF_ALG sockets.

    Warning

    1. After you deploy this solution, service processes that depend on AF_ALG sockets will be unable to create the relevant sockets, which may cause your services to become unavailable. If you cannot confirm with 100% certainty whether your services depend on AF_ALG sockets, do not deploy this solution.

    2. This solution carries stability risks and must be deployed gradually using a phased rollout. Do not deploy it to your entire production environment at once.

    3. During the phased rollout, closely monitor the stability, error logs, and performance metrics of affected workloads. If you notice any anomalies, roll back immediately.

    Background

    CVE-2026-31431 is a high-severity local privilege escalation vulnerability in the Linux kernel's algif_aead module.

    An attacker can exploit this vulnerability by crafting a specific sequence of AF_ALG socket calls. In combination with the splice() system call, this allows them to bypass standard permission checks and perform a 4-byte out-of-bounds write to an arbitrary page cache.

    An attacker can leverage this capability to tamper with the in-memory image of a setuid program, such as /usr/bin/su. This allows them to escalate from a regular user to root privilege without modifying the file's content on disk.

    For more details, see the security advisory: [Vulnerability Bulletin] Linux Kernel Local Privilege Escalation Vulnerability Risk Advisory (CVE-2026-31431).

    Limitations

    This mitigation solution makes the encryption and decryption functions that depend on AF_ALG sockets unavailable. This may affect services that rely on encryption and decryption functions. Before you implement this solution, you must evaluate whether your services have a dependency on AF_ALG sockets. If you cannot confirm whether your services depend on the AF_ALG socket feature, do not use this mitigation solution.

    This section provides methods to check if your workloads use the kernel's cryptographic API through AF_ALG sockets. You can use tools like auditd or eBPF to check for AF_ALG socket creation activity on your machine. The following example uses auditd:

    # First, ensure the auditd service is enabled
systemctl start auditd

# If your system has other audit rules configured, back them up and assess the impact first
# Add an audit rule for AF_ALG socket creation
auditctl -a always,exit -F arch=b64 -S socket -F a0=38 -k afalg_socket

# After letting it run for a while, check the audit results
ausearch -k afalg_socket -ts recent -i

# Expected result: If any process created an AF_ALG socket during this period, audit records will be displayed

# When finished, delete the audit rule for the AF_ALG socket
auditctl -d always,exit -F arch=b64 -S socket -F a0=38 -k afalg_socket
    Note

    The verification methods described above do not definitively rule out a dependency on AF_ALG. We recommend a thorough review of application source code, dependency lists, and runtime behavior.

    Procedure

    Important

    Before proceeding with the following deployment steps, confirm that your workloads do not depend on AF_ALG socket functionality and that you accept the resulting limitations on AF_ALG-related functions.

    Step 1: Check prerequisites

    Ensure the following prerequisites are met before deployment:

    1. The kernel has livepatch support enabled.

    2. The kernel-devel package for the running kernel version is installed.

    # 1. Confirm that the kernel-devel package is installed
# Check if the kernel-devel package for the current kernel version is installed
test -d "/lib/modules/$(uname -r)/build" && echo "kernel-devel OK" || echo "Please install kernel-devel-$(uname -r)"

# If you need to install the kernel-devel package manually
sudo yum install -y kernel-devel-$(uname -r)

# 2. Confirm that the kernel has livepatch support enabled
test -d /sys/kernel/livepatch && echo "livepatch sysfs OK"

    Step 2: Install the RPM package

    # 1. Download the RPM package for your operating system version. (The package URL is on an allowlist. Obtain the download link from DingTalk group 23149462.)

# 2. Install the corresponding RPM package for your operating system version. For example, on Alibaba Cloud Linux 3:
sudo yum install disable-af-alg-livepatch-1.0.0-1.al8.noarch.rpm
    If you change the running kernel version, you must reinstall the RPM package to apply the mitigation.

    Step 3: Verify the mitigation

    Method 1: Check livepatch status

    This method applies to Alibaba Cloud Linux 3 and Alibaba Cloud Linux 4:

    # Check the livepatch status
kpatch list

# Expected output: The mitigation is active if "disable_af_alg [enabled]" appears under "Loaded patch modules:".

    Method 2: Verify AF_ALG socket blocking

    Run the following Python script:

    python3 - <<'PY'
import socket, errno
try:
    s = socket.socket(38, socket.SOCK_SEQPACKET, 0)  # 38 = AF_ALG
    print("AF_ALG socket create: SUCCESS (Mitigation not active)")
    s.close()
except OSError as e:
    if e.errno == errno.EAFNOSUPPORT:
        print(f"AF_ALG socket create: FAILED (Mitigation active)")
    else:
        print(f"AF_ALG socket create: FAILED (Returned unexpected error),errno={e.errno}, msg={e.strerror}")
PY

    Rollback

    If you encounter workload issues after deployment, uninstall the mitigation solution:

    sudo yum remove disable-af-alg-livepatch

    After the uninstallation is complete, run the verification script again to confirm that AF_ALG socket creation is no longer blocked.