Share
## https://sploitus.com/exploit?id=0B7C34AD-0571-59D2-9F46-0A800FCA918A
# CVE-2026-31431 check

Quick, read-only checker for the `algif_aead` local-root vulnerability
([CVE-2026-31431](https://access.redhat.com/security/cve/CVE-2026-31431)).
Inspects kernel config, module state, AF_ALG socket reachability, and active
mitigations, then prints a verdict. **Does not run exploit code.**

## Usage

```bash
chmod +x cve-2026-31431.sh
./cve-2026-31431.sh           # full report
./cve-2026-31431.sh -q        # one-line summary (fleet runs)
./cve-2026-31431.sh -h        # help
```

Exit codes: `0` ok, `1` vulnerable / action needed, `2` unknown.

## What it checks

1. **`algif_aead`** โ€” built-in, loadable module, loaded, or absent (from
   `/boot/config-*`, `/proc/config.gz`, or `lsmod` fallback).
2. **AF_ALG socket** โ€” whether userspace can actually open one (uses Python if
   available; detects seccomp/LSM blocks).
3. **Mitigations** โ€” modprobe blacklist files, verifies the blacklist actually
   wins via `modprobe -n -v`, flags the common broken
   `DefaultRestrictAddressFamilies` systemd `[Manager]` attempt, reports
   SELinux / AppArmor status.
4. **Kernel package vs running** โ€” flags pending reboots when a newer kernel
   is installed but not active.

## Verdicts

- **OK** โ€” AF_ALG unreachable, module absent, or blacklist verified.
- **REBOOT NEEDED** โ€” patched kernel installed, not yet running.
- **VULNERABLE** โ€” module loaded, or built-in on an unpatched kernel.
- **AT RISK** โ€” module loadable and not blacklisted.
- **WAITING ON VENDOR PATCH** โ€” kernel is up to date but `algif_aead` is
  built-in and no fixed package exists yet.

## Stopgap mitigation

If the module is loadable (not built-in):

```bash
echo 'install algif_aead /bin/false' | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead 2>/dev/null || true
```

If `algif_aead` is built into your kernel, only a kernel update fixes it.

## License

MIT โ€” see [LICENSE](LICENSE).