Commit ead6ff782115

Vincent Demeester <vincent@sbr.pm>
2026-05-05 23:44:07
fix: mitigate CVE-2026-31431 (Copy Fail)
Blacklisted algif_aead kernel module across all hosts to prevent exploitation of the page-cache write LPE until nixpkgs ships a patched kernel with commit a664bf3d603d.
1 parent fb8eef0
systems/common/base/boot.nix
@@ -2,6 +2,9 @@ _: {
   boot = {
     initrd.systemd.enable = true;
 
+    # CVE-2026-31431 (Copy Fail): disable algif_aead until kernel is patched
+    blacklistedKernelModules = [ "algif_aead" ];
+
     kernel.sysctl = {
       "net.ipv4.ip_forward" = 1;
       "net.ipv6.conf.all.forwarding" = 1;
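Review bot: The new `blacklistedKernelModules` entry only emits a `blacklist algif_aead` line in modprobe.d, which suppresses alias-based autoloading but does not stop the module from being loaded by its exact name, so the mitigation is weaker than the comment implies. For a hard block add `boot.extraModprobeConfig = "install algif_aead ${pkgs.coreutils}/bin/false";` (the module-level `_:` argument would need to become `{ pkgs, ... }:`) so that any load request of the module fails instead of being merely deprioritised. Neither setting unloads a module that is already resident, so hosts deployed before this change should be checked with `lsmod` and rebooted or have the module removed explicitly. If the kernel in use builds the AF_ALG AEAD interface in rather than as a module (presumably not the NixOS default, but worth verifying against the kernel config), no modprobe rule has any effect and only the patched kernel closes the hole; the comment on the added line could note that this is a stopgap tied to commit a664bf3d603d so it gets reverted once nixpkgs ships it. The enclosing `boot` attribute set continues outside the hunk.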