While waiting for the patch on Debian 12 here’s how to mitigate the issue
Get the test script to see if the system is vulnerable.
cd /usr/src
curl -O https://raw.githubusercontent.com/rootsecdev/cve_2026_31431/main/test_cve_2026_31431.py
python3 test_cve_2026_31431.py
Run the test script
python3 test_cve_2026_31431.py
If you are vulnerable you’ll get this:
[*] CVE-2026-31431 detector kernel=6.1.0-40-amd64 arch=x86_64
[i] Kernel 6.1.0-40-amd64 predates the affected 6.12/6.17/6.18 lines; trigger may not apply even if prerequisites match.
[+] AF_ALG + 'authencesn(hmac(sha256),cbc(aes))' loadable - precondition met.
[!] VULNERABLE to CVE-2026-31431.
[!] Marker b'PWND' (AAD seqno_lo) landed in the spliced page-cache page at offset 0.
[!] Surrounding bytes: 50574e444641494c2d53454e (b'PWNDFAIL-SEN')
[!] Apply the upstream fix or block algif_aead immediately.
Do this then reboot (it disables the module and upgrades the linux image.)
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
update-initramfs -u
apt-get update && apt-get upgrade linux-image-$(uname -r)
reboot
Run the test script again, if you see something like this you should be good.
[*] CVE-2026-31431 detector kernel=6.1.0-44-amd64 arch=x86_64
[i] Kernel 6.1.0-44-amd64 predates the affected 6.12/6.17/6.18 lines; trigger may not apply even if prerequisites match.
[+] AF_ALG + 'authencesn(hmac(sha256),cbc(aes))' loadable - precondition met.
[+] Page cache intact. NOT vulnerable on this kernel.