Want to make your system immune to copyfail (CVE-2026-31431) but compiled your kernel with CONFIG_CRYPTO_USER_API_AEAD=y so you can’t disable the module and don’t want to reboot? Use BPF-LSM to block AF_ALG sockets from being created!

/* SPDX-License-Identifier: GPL-2.0-or-later OR MIT */

#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

#define EPERM 1
#define AF_ALG 38

char LICENSE[] SEC("license") = "Dual MIT/GPL";

SEC("lsm/socket_create")
int BPF_PROG(socket_create_block_af_alg, int family, int type, int protocol, int kern, int ret)
{
  if (ret) return ret;          /* don't override a previous denial */
  if (family == AF_ALG) return -EPERM;
  return 0;
}

Compile with clang -Wall -Wextra -Wno-unused-parameter -g -O2 -target bpf -c -o nocopyfail.o nocopyfail.c and load with bpftool prog load nocopyfail.o /sys/fs/bpf/nocopyfail autoattach (as root).