## https://sploitus.com/exploit?id=0B7C34AD-0571-59D2-9F46-0A800FCA918A
# CVE-2026-31431 check
Quick, read-only checker for the `algif_aead` local-root vulnerability
([CVE-2026-31431](https://access.redhat.com/security/cve/CVE-2026-31431)).
Inspects kernel config, module state, AF_ALG socket reachability, and active
mitigations, then prints a verdict. **Does not run exploit code.**
## Usage
```bash
chmod +x cve-2026-31431.sh
./cve-2026-31431.sh # full report
./cve-2026-31431.sh -q # one-line summary (fleet runs)
./cve-2026-31431.sh -h # help
```
Exit codes: `0` ok, `1` vulnerable / action needed, `2` unknown.
## What it checks
1. **`algif_aead`** โ built-in, loadable module, loaded, or absent (from
`/boot/config-*`, `/proc/config.gz`, or `lsmod` fallback).
2. **AF_ALG socket** โ whether userspace can actually open one (uses Python if
available; detects seccomp/LSM blocks).
3. **Mitigations** โ modprobe blacklist files, verifies the blacklist actually
wins via `modprobe -n -v`, flags the common broken
`DefaultRestrictAddressFamilies` systemd `[Manager]` attempt, reports
SELinux / AppArmor status.
4. **Kernel package vs running** โ flags pending reboots when a newer kernel
is installed but not active.
## Verdicts
- **OK** โ AF_ALG unreachable, module absent, or blacklist verified.
- **REBOOT NEEDED** โ patched kernel installed, not yet running.
- **VULNERABLE** โ module loaded, or built-in on an unpatched kernel.
- **AT RISK** โ module loadable and not blacklisted.
- **WAITING ON VENDOR PATCH** โ kernel is up to date but `algif_aead` is
built-in and no fixed package exists yet.
## Stopgap mitigation
If the module is loadable (not built-in):
```bash
echo 'install algif_aead /bin/false' | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead 2>/dev/null || true
```
If `algif_aead` is built into your kernel, only a kernel update fixes it.
## License
MIT โ see [LICENSE](LICENSE).