Eddak Inc.

CopyFail & DirtyFrag: Detecting vulnerable appliances

CopyFail (CVE-2026-31431) Verification

Output Analysis

For the algif_aead checks, the system is not vulnerable if all of the following hold:

  • Kernel version is outside the affected range (patched: 6.18.22+, 6.19.13+, or patch commit a664bf3d603d present)
  • find and modules.builtin return no results — module not present on disk and cannot be loaded
  • CONFIG_CRYPTO_USER_API_AEAD is absent or set to =n in the kernel config — module was never compiled

Important: lsmod returning no match for algif_aead is not a reliable safety indicator. Like esp4/esp6, algif_aead autoloads on demand when an unprivileged user opens an AF_ALG socket — the module may simply not have been triggered yet. The definitive checks are on-disk presence and kernel config, not runtime module state.

Any positive result (module found on disk or built-in, kernel unpatched) means the system is exposed and mitigation or patching is required.

For the DirtyFrag checks (esp4/esp6/rxrpc), empty output does not mean the system is safe. These modules are autoloaded on demand — an unprivileged user can trigger their loading simply by opening an AF_KEY or AF_RXRPC socket, without any prior activity visible in lsmod or ip xfrm. The correct assessment relies on kernel version and patch status, not runtime module state.

algif_aead Module Check

Identify the kernel and OS uname -r && cat /etc/os-release — confirm the kernel version and distribution.

Check kernel version uname -r — affected range is kernels 4.14 through 6.19.12 / 7.0-rc (unpatched). Patched versions: 6.18.22+, 6.19.13+, 7.0+. Vendor-specific backports may differ; cross-reference with the distribution advisory.

Check if the fix commit is present grep -r "a664bf3d603d" /proc/version_signature 2>/dev/null — looks for the upstream fix commit. Absence does not confirm vulnerability on its own (vendor kernels use backports) but is a useful signal on vanilla kernels.

Check if the module is currently loaded lsmod | grep algif_aead / cat /proc/modules | grep algif_aead — indicates whether the module is active at this moment. Note: a negative result does not confirm safety as the module autoloads on demand.

Check if the module exists on disk find /lib/modules/$(uname -r) -name "algif_aead*" / grep algif_aead /lib/modules/$(uname -r)/modules.builtin — determine whether the module is available as a loadable .ko or compiled into the kernel. Absence here means it cannot be loaded even by root.

Exhaustive search across all module index files ls | xargs cat > /tmp/fx && cat /tmp/fx | grep -E "algif" — dump all module metadata files and grep for any algif reference, ruling out the module being present under an unexpected name or path.

Check kernel build configuration zgrep CONFIG_CRYPTO_USER_API_AEAD /proc/config.gz / grep CONFIG_CRYPTO_USER_API_AEAD /boot/config-$(uname -r) — confirm whether the module was compiled in. This is the definitive check.

Mitigation applied echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf — blacklist the module via modprobe to prevent any future loading, applied as a precaution regardless of findings.

DirtyFrag (CVE-2026-43284 / CVE-2026-43500) Veritication

DirtyFrag abuses the same page cache primitive as CopyFail but via the IPsec ESP (esp4/esp6) and RxRPC subsystems.

Check if modules exist on disk find /lib/modules/$(uname -r) -name "*esp4*" -o -name "*esp6*" -o -name "*rxrpc*" 2>/dev/null — if the modules are absent from the kernel tree, they cannot autoload regardless of what sockets are opened. This is the equivalent of the algif_aead on-disk check and is a reliable negative indicator.

Check kernel version uname -r — kernels built since January 2017 (esp4/esp6) or June 2023 (rxrpc) and unpatched as of May 2026 are in the affected range.

Check if fix commits are present grep -r "f4c50a4034e6\|aa54b1d27fe0" /proc/version_signature 2>/dev/null — looks for the upstream fix commits for CVE-2026-43284 and CVE-2026-43500 respectively. Absence means the patch is not applied.

Check kernel config flags grep -E "CONFIG_XFRM|CONFIG_NET_KEY|CONFIG_AF_RXRPC" /boot/config-$(uname -r) 2>/dev/null || zgrep -E "CONFIG_XFRM|CONFIG_NET_KEY|CONFIG_AF_RXRPC" /proc/config.gz — if any of these are set to =y or =m, the vulnerable subsystem is compiled in and loadable.

Check if unprivileged user namespaces are enabled cat /proc/sys/user/max_user_namespaces — a value greater than 0 allows unprivileged users to open the relevant sockets and trigger module autoloading. This is the exploitation enabler.

Check module blacklist cat /etc/modprobe.d/*.conf 2>/dev/null | grep -E "esp4|esp6|rxrpc" — confirm whether a blacklist is already in place.

Mitigation

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
  > /etc/modprobe.d/dirtyfrag.conf; \
  rmmod esp4 esp6 rxrpc 2>/dev/null; \
  echo 3 > /proc/sys/vm/drop_caches; true"

Note: blacklisting esp4/esp6 breaks IPsec; blacklisting rxrpc breaks AFS client connectivity. Assess operational impact before applying.

Prev
ADSec102 - Protocol Security