this post was submitted on 30 Apr 2026
333 points (98.0% liked)

Selfhosted

60093 readers
1156 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, and your account is at least 7 days old, your post is exempt from this rule as long as you continue to engage in comments.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
333
Serious Linux vulnerability affecting nearly every system. Patch your systems. (copy.fail)
submitted 1 month ago by Flax_vert@feddit.uk to c/selfhosted@lemmy.world
74 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] StripedMonkey@lemmy.zip 8 points 1 month ago (1 children)

I continue to protest against this claim. Blacklisting the kernel module does not work for a bunch of distributions including Alma, Rocky, RHEL and others because they have this module built into the kernel. There's no module to remove. You must use a syscall blacklist or similar mechanism to disable this.

[–] ozymandias117@lemmy.world 6 points 1 month ago* (last edited 1 month ago) (1 children)

I'm working off the knowledge that OP is using a rolling release, so is likely fixed by that for them. (Arch based, Cachy, and OpenSUSE Tumbleweed all have it as a module, and are the most commonly suggested. Fedora fixed it 2 weeks ago since they follow mainline, so I'd expect Bazzite to have it too. If they're using Debian Sid/Testing, it's both fixed and a module)

If you're using something else, this eBPF filter is probably your best bet https://github.com/Dabbleam/CVE-2026-31431-mitigation

[–] StripedMonkey@lemmy.zip 5 points 1 month ago (1 children)

My personal suggestion would be to add initcall_blacklist=algif_aead_init to your kernel arguments. Ebpf is cool, but not a very trivial solution.

I understand the suggestion might apply to a random, unspecified distro but I disapprove of both the exploit authors and the general Internet suggesting fixes that don't apply to every distro (including copy.fail's AI slop RHEL distro that doesn't exist) without caveating it.

The kernel module blacklist won't work for every situation, if you're not being specific in telling people where it applies, it's best to suggest a solution that actually works regardless of distro or explain how to validate when it applies but nobody is doing that.

[–] ozymandias117@lemmy.world 3 points 1 month ago

Giving a better solution is certainly useful.

I'd used initcall_debug before, but not initcall_blacklist