About CVE-2026-31431 (copy.fail)

[LatinSuD]

I have a question about this vulnerability. My actual concern is that the standard mitigation does not work for me.

I have tried this as root, then rebooted WSL, but I can still successfully exploit it again.
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf

More specifically, manually loading the module is prevented (modprobe algif_aead), but the infamous python code is able to load it. I guess the only workaround is to delete the .ko file.

Does anyone know why is this?

[cs-lassan]

Hi
IDK if you fixed this yet, here is what I know:
(I use Ubuntu24 in WSL2)

1. you can see the vulnerable module is built into the kernel:

gzip -dc /proc/config.gz | grep -i aead

2. this means the module is sitting in RAM after boot even if it is not loaded (yet)
3. tho the stopgap fix is in the modprobe.d/disable-copyfail.conf or whatever, it won't prevent the kernel from loading the modules already in RAM as this mechanism ignores modprobe.conf
4. but it will happily stop modprobe to load it

One solution is to:

1. create or edit C:\Users\%YourUsername%\.wslconfig
2. add this line to the [wsl2] section:

kernelCommandLine=module_blacklist=algif_aead

3. my actual "fix" is this, to handle copy/fail's siblings:

kernelCommandLine=module_blacklist=algif_aead,esp4,esp6,rxrpc

Hope this helps.

[LatinSuD]

It's not prebuilt in my case. Also, if I delete the .ko file it prevents the loading.

At this moment I'm using kernel 6.6.114.1-microsoft-standard-WSL2.

I hope it's not the antivirus messing around.