@crodjer
Last active May 2, 2026 17:07
copy-pass: An ansible playbook to mitigate the copy-fail vulnerability
# Mitigates CVE-2026-31431 (copy-fail) by unloading and blacklisting
# the algif_aead kernel module if it has no active references.
#
# Limits of this play:
# - If algif_aead is compiled into the kernel it cannot be unloaded or
#   blocked with modprobe.d; the play fails on that host so it is not
#   silently skipped.
# - If the module is loaded and in use, the play leaves it alone and only
#   reports it; whatever holds the AF_ALG socket must be stopped first.
# - The `install algif_aead /bin/true` rule makes modprobe (including the
#   kernel's own module autoload requests) do nothing for this module, which
#   is why the initramfs is rebuilt so the rule also applies at early boot.
- name: Mitigate algif_aead vulnerability
  hosts: all
  become: true
  tasks:
    - name: Check if algif_aead is built into the kernel
      ansible.builtin.shell:
        cmd: grep -q 'crypto/algif_aead.ko' /lib/modules/$(uname -r)/modules.builtin
        executable: /bin/bash
      register: builtin_check
      failed_when: false
      changed_when: false

    - name: Alert and fail if module is built-in
      ansible.builtin.fail:
        msg: "algif_aead is compiled directly into the kernel; it cannot be unloaded or blacklisted."
      when: builtin_check.rc == 0

    - name: Check algif_aead module references
      # Third lsmod column is the "Used by" count; empty output means not loaded.
      ansible.builtin.shell:
        cmd: set -o pipefail && lsmod | awk '/^algif_aead / {print $3}'
        executable: /bin/bash
      register: ref_count
      changed_when: false

    - name: Report when algif_aead is loaded and in use
      ansible.builtin.debug:
        msg: "algif_aead is in use ({{ ref_count.stdout }} references); not unloading or blacklisting."
      when: ref_count.stdout not in ["0", ""]

    - name: Unload algif_aead module
      community.general.modprobe:
        name: algif_aead
        state: absent
      when: ref_count.stdout == "0"

    - name: Prevent algif_aead from loading
      ansible.builtin.copy:
        dest: /etc/modprobe.d/blacklist-algif_aead.conf
        content: "install algif_aead /bin/true\n"
        mode: '0644'
      notify: Update initramfs
      when: ref_count.stdout == "0" or ref_count.stdout == ""

  handlers:
    - name: Update initramfs
      ansible.builtin.shell:
        cmd: |
          if command -v update-initramfs >/dev/null 2>&1; then
            update-initramfs -u
          elif command -v dracut >/dev/null 2>&1; then
            dracut -f
          fi
      changed_when: true
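As an added verification script, not part of crodjer's gist, the following bash audit reports which of the states the play above can leave a host in actually applies. It reads `lsmod` output, the kernel's `modules.builtin` and a `modprobe.d` directory from paths passed as arguments so it can be run against captured data; the fixtures it builds for the demo are constructed, and the `--live` flag and the status words are this script's own conventions, not anything from the playbook.

```shell
#!/bin/bash
# Added example (not part of the gist): audits a host for the state the
# playbook above is meant to leave it in. It never loads or unloads a
# module; it only reads lsmod output, modules.builtin and modprobe.d, all
# passed as paths so it can run against captured data or constructed fixtures.
set -u

# Prints one of:
#   builtin               module is compiled in; cannot be unloaded or blocked
#   loaded-in-use         loaded with a non-zero "Used by" count
#   loaded-unused         loaded, refcount 0, still unloadable
#   unloaded-not-blocked  not loaded, but nothing stops modprobe reloading it
#   mitigated             not loaded and an `install algif_aead /bin/true|false` rule exists
# Args: $1 file holding `lsmod` output, $2 modules.builtin, $3 modprobe.d dir
algif_aead_status() {
    local lsmod_out="$1" builtin_list="$2" modprobe_dir="$3"
    local refs rule

    if grep -q 'crypto/algif_aead\.ko' "$builtin_list" 2>/dev/null; then
        echo builtin
        return 0
    fi

    # Third lsmod column is "Used by"; empty when the module is not loaded.
    refs=$(awk '/^algif_aead / {print $3}' "$lsmod_out")
    if [ -n "$refs" ]; then
        if [ "$refs" != "0" ]; then echo loaded-in-use; else echo loaded-unused; fi
        return 0
    fi

    # Only an `install` rule counts: per modprobe(5), a bare `blacklist` line
    # just ignores the module's internal aliases and does not stop
    # `modprobe algif_aead` by name.
    rule=$(grep -rhE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(true|false)[[:space:]]*$' \
               "$modprobe_dir" 2>/dev/null | head -n 1)
    if [ -z "$rule" ]; then
        echo unloaded-not-blocked
    else
        echo mitigated
    fi
}

# Builds constructed fixtures (not captured from a real host) for one named
# scenario in a temp dir and prints algif_aead_status for it.
# Scenarios: builtin, in-use, unused, unloaded, mitigated
sample_status() {
    local scenario="$1" dir
    dir=$(mktemp -d)
    mkdir -p "$dir/modprobe.d"
    : > "$dir/modules.builtin"
    printf 'Module                  Size  Used by\naf_alg                 32768  0\n' > "$dir/lsmod.txt"
    case "$scenario" in
        builtin)   echo 'kernel/crypto/algif_aead.ko' >> "$dir/modules.builtin" ;;
        in-use)    echo 'algif_aead             16384  2' >> "$dir/lsmod.txt" ;;
        unused)    echo 'algif_aead             16384  0' >> "$dir/lsmod.txt" ;;
        unloaded)  ;;
        mitigated) echo 'install algif_aead /bin/true' > "$dir/modprobe.d/blacklist-algif_aead.conf" ;;
        *)         echo "unknown scenario: $scenario" >&2; rm -rf "$dir"; return 1 ;;
    esac
    algif_aead_status "$dir/lsmod.txt" "$dir/modules.builtin" "$dir/modprobe.d"
    rm -rf "$dir"
}

# `--live` audits this host (lsmod, the running kernel's modules.builtin,
# /etc/modprobe.d); without it, walk the constructed scenarios.
if [ "${1:-}" = "--live" ]; then
    live=$(mktemp)
    lsmod > "$live"
    algif_aead_status "$live" "/lib/modules/$(uname -r)/modules.builtin" /etc/modprobe.d
    rm -f "$live"
else
    for s in builtin in-use unused unloaded mitigated; do
        printf '%-10s -> %s\n' "$s" "$(sample_status "$s")"
    done
fi
```

Run it with `--live` after the play has completed; anything other than `mitigated` means the host was skipped (module in use or built in) or the modprobe.d rule never landed, and `loaded-unused` after a run points at a failed `modprobe -r`.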