https://status.sr2.uk/affected/single-sign-on/ Incident history github.com/cstate en 2026-04-29T09:00:00+00:00 2026-04-29T09:00:00+00:00 https://status.sr2.uk/issues/2026-04-29-copy-fail/ Wed, 29 Apr 2026 09:00:00 +0000 https://status.sr2.uk/issues/2026-04-29-copy-fail/ 2026-05-01 12:00:00 We were made aware of CVE-2026-31431 on the afternoon of the 29th April via our threat intelligence feeds and later via a CERT-EU advisory. This affected our systems running Rocky Linux 9 as well as our legacy systems running Debian 13. Patches were not immediately available however migrations could be applied. Rocky Linux 9 Most of our core systems, including those supporting internal infrastructure and single-sign on, are running Rocky Linux 9. <p>We were made aware of <a href="https://app.opencve.io/cve/CVE-2026-31431">CVE-2026-31431</a> on the afternoon of the 29th April via our threat intelligence feeds and later via a <a href="https://cert.europa.eu/publications/security-advisories/2026-005/">CERT-EU advisory</a>. This affected our systems running Rocky Linux 9 as well as our legacy systems running Debian 13. Patches were not immediately available however migrations could be applied.</p> <h2 id="rocky-linux-9">Rocky Linux 9</h2> <p>Most of our core systems, including those supporting internal infrastructure and single-sign on, are running Rocky Linux 9. This is based on Red Hat Enterprise Linux 9. Unfortunately, the kernel does not have the <code>algif_aead</code> subsystem compiled as a module and our only option was to prevent the code from initialising via adding kernel arguments at boot time and subsequently rebooting.</p> <div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">grubby --update-kernel<span style="color:#f92672">=</span>ALL --args<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;initcall_blacklist=algif_aead_init&#34;</span> reboot </code></pre></div><p>Our Prometheus-based monitoring was able to verify all services returning after reboots.</p> <h2 id="debian-13">Debian 13</h2> <p>Some Link Secure Digital Helpdesks hosted on behalf of the Centre for Digital Resilience use our legacy deployment model. For these systems we were able to remove the offending module without requiring a reboot:</p> <div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">echo <span style="color:#e6db74">&#34;install algif_aead /bin/false&#34;</span> &gt; /etc/modprobe.d/disable-algif-aead.conf rmmod algif_aead 2&gt;/dev/null </code></pre></div><h2 id="verification">Verification</h2> <p>To ensure that the mitigation was applied across all hosts, we use Ansible:</p> <div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Verify CVE-2026-31431 mitigation</span> <span style="color:#f92672">ansible.builtin.command</span>: <span style="color:#e6db74">&#34;lsmod | grep -E &#39;^{{ item }}\\s&#39;&#34;</span> <span style="color:#f92672">loop</span>: - <span style="color:#ae81ff">algif_aead</span> <span style="color:#75715e"># copy fail</span> <span style="color:#f92672">register</span>: <span style="color:#ae81ff">module_check</span> <span style="color:#f92672">failed_when</span>: <span style="color:#ae81ff">module_check.rc != 1</span> <span style="color:#f92672">changed_when</span>: <span style="color:#66d9ef">false</span> <span style="color:#f92672">check_mode</span>: <span style="color:#66d9ef">false</span> </code></pre></div><p>We do not run any systems where unrelated users have shell access to the host, meaning that this could only have been used as part of a chain of vulnerabilities first involving obtaining remote code execution as a user. For this reason we do not believe any exploitation was possible in our systems.</p> <p>Further, an <a href="https://garrido.io/notes/podman-rootless-containers-copy-fail/">analysis of the protections offered by Podman</a> published shortly after by Gabriel Garrido details how our new deployment architecture would further have limited the &ldquo;blast radius&rdquo; of this kind of vulnerability should an exploitation have been possible.</p> <p>In light of this, we will be prioritising a move of the remaining Link helpdesks using the legacy model to our new Rocky Linux 9 model.</p> <p>As always, if you have any concerns please <a href="https://www.sr2.uk/support">contact our helpdesk</a>.</p>