DLPX-97124 Add algif_aead modprobe disable to delphix-platform for CVE-2026-31431 (Copy Fail)

[david-mendez1]

Problem

CVE-2026-31431 ("Copy Fail") is a critical Linux kernel local privilege
escalation vulnerability (CVSS 7.8) that allows an unprivileged local
user to gain root by corrupting the page cache of setuid binaries via the
algif_aead module in the AF_ALG crypto API. It has known public exploits
and is listed in CISA's Known Exploited Vulnerabilities catalog.

Ubuntu released a mitigation via USN-8226-1, which updates the kmod
package to version 31+20240202-2ubuntu7.2. That version's postinst
script creates /etc/modprobe.d/disable-algif_aead.conf, blocking the
module from loading. However, engines built from the release branch use an
older apt mirror snapshot (kmod 31+20240202-2ubuntu7.1) that predates
USN-8226-1, so the mitigation file is absent and those engines remain
vulnerable.

No upstream kernel fix is available yet for Ubuntu 24.04 LTS — all
Delphix kernel repos (linux-kernel-aws, linux-kernel-generic,
linux-kernel-azure, linux-kernel-oracle, linux-kernel-gcp) still
carry the vulnerable crypto/algif_aead.c.

Solution

Add /etc/modprobe.d/disable-algif_aead.conf directly to
delphix-platform under files/common/etc/modprobe.d/, containing:

install algif_aead /bin/false

This ensures the algif_aead module is blocked at image build time,
independent of which kmod package version is present in the apt mirror
snapshot used during the build. The fix applies to all platforms (the file
lives under files/common/) and aligns with the mitigation content
already deployed on develop-branch engines via kmod 31+20240202-2ubuntu7.2.

The comment in the file notes that this should be re-evaluated once an
updated kernel containing the upstream fix
(git.kernel.org/stable/c/a664bf3d603d) is deployed.

Testing Done

Manually created /etc/modprobe.d/disable-algif_aead.conf on a release-branch
engine (dm-release.dlpxdc.co, kmod 31+20240202-2ubuntu7.1) and confirmed
the module is blocked:

root@ip-10-110-250-64:/etc/modprobe.d# sudo modprobe algif_aead
modprobe: ERROR: ../libkmod/libkmod-module.c:1084 command_do() Error running install command '/bin/false' for module algif_aead: retcode 1
modprobe: ERROR: could not insert 'algif_aead': Invalid argument

The install algif_aead /bin/false rule is correctly intercepting the load
request and returning a non-zero exit code, preventing the module from being
inserted.

[prakashsurya]

code changes looks reasonable to me, but we should definitely verify the functionality works as intended.. I don't recall the specific details w.r.t. this file, and how it should be formatted, etc..

can you perhaps copy this file to an existing release VM, and verify it works like we want before landing?

[david-mendez1]

code changes looks reasonable to me, but we should definitely verify the functionality works as intended.. I don't recall the specific details w.r.t. this file, and how it should be formatted, etc..

can you perhaps copy this file to an existing release VM, and verify it works like we want before landing?

Copied the file and tested. Updated the Testing Done section.