Affected operating systems
- Ubuntu
- RHEL
- SUSE Linux
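- Rocky
UnionTech (统信):
kernel:4.1.90
CentOS 8
kernel:4.18.0
These 4 systems are all Chinese-made Linux distributions or distributions commonly used in China. Their kernel versions span the 4.18 ~ 5.10 range, and all fall within the affected range of the vulnerability (kernel 4.14+).
- Test method: run the local check.py script to detect whether an AF_ALG socket can be created.
- On CentOS Stream 8 the system has no python installed, but python3 is present, and it can still be triggered.
- Together with the Ubuntu/Amazon Linux/RHEL/SUSE systems already tested in the README, this CVE likewise fully covers the mainstream server operating systems used in China.
How to detect with a script when the current kernel version is unknown:
Self-check without disrupting production systems: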
```python
# Quick check of whether the system can create an AF_ALG socket
# (a "Likely vulnerable" warning means the system is at risk)
import socket

try:
    # 38 = AF_ALG, 5 = SOCK_SEQPACKET
    socket.socket(38, 5, 0).bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
    print("[!] WARNING: System allows AF_ALG socket creation. Likely vulnerable.")
except Exception as e:
    print(f"[+] SAFE: Cannot create socket. ({e})")
```
1. Possibly vulnerable:

2. Definitely not vulnerable
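
An added example (not part of the original post or of the README it cites): a variant of the check above that keeps the same verdict rule but also records why the probe failed and whether the running kernel falls in the 4.14+ range stated on this page. The names `kernel_tuple`, `classify` and `probe` and the reason labels are this example's own, and the errno meanings are the usual Linux ones.

```python
import errno
import platform
import re
import socket

AF_ALG, SOCK_SEQPACKET = 38, 5  # same numeric constants as the page's check
ALG = ("aead", "authencesn(hmac(sha256),cbc(aes))")
AFFECTED_FROM = (4, 14)  # lower bound of the affected range stated on this page
# Reason labels are this example's own wording, intended for triage only.
REASONS = {
    errno.EAFNOSUPPORT: "AF_ALG address family not available",
    errno.ENOENT: "algorithm type or name not available",
    errno.EPERM: "blocked by policy (seccomp/LSM)",
    errno.EACCES: "blocked by policy (seccomp/LSM)",
}


def kernel_tuple(release):
    """'4.18.0-553.el8.x86_64' -> (4, 18); None if the string is unparseable."""
    m = re.match(r"(\d+)\.(\d+)", release)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(err, release):
    """err is None when bind() succeeded, otherwise the errno that was raised."""
    ver = kernel_tuple(release)
    if err is None:
        verdict, reason = "LIKELY_VULNERABLE", "AF_ALG aead socket created and bound"
    else:
        verdict = "SAFE"
        reason = REASONS.get(err, errno.errorcode.get(err, f"errno {err}"))
    in_range = None if ver is None else ver >= AFFECTED_FROM
    return {"kernel": release, "in_affected_range": in_range,
            "verdict": verdict, "reason": reason}


def probe():
    """Run the page's socket test, closing the socket afterwards."""
    err = None
    try:
        with socket.socket(AF_ALG, SOCK_SEQPACKET, 0) as s:
            s.bind(ALG)
    except OSError as e:
        err = e.errno if e.errno is not None else -1
    return classify(err, platform.release())


if __name__ == "__main__":
    print(probe())
```

A `SAFE` verdict with reason "blocked by policy" describes only the context the probe ran in, so run it under the same user and confinement as the workloads you care about.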

```bash
# Check whether any process is using AF_ALG
lsof 2>/dev/null | grep AF_ALG
```
```bash
#!/usr/bin/env bash
# ============================================================
# CVE-2026-31431 batch SSH check script (Bash version)
#
# Usage:
#   chmod +x batch_check.sh
#   ./batch_check.sh                   # reads hosts.txt by default
#   ./batch_check.sh other_hosts.txt   # use a different host list
#
# Environment variables that can override defaults:
#   SSH_USER    default ssh user (used when a hosts.txt entry has no user@)
#   SSH_PORT    default 22
#   SSH_KEY     private key path (optional)
#   PARALLEL    number of parallel jobs, default 10
#   CONNECT_TO  connection timeout (seconds), default 5
#   EXEC_TO     execution timeout (seconds), default 15
# ============================================================
set -u

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
HOSTS_FILE="${1:-${SCRIPT_DIR}/hosts.txt}"
CHECK_SCRIPT="${SCRIPT_DIR}/check.py"
RESULT_FILE="${SCRIPT_DIR}/result.log"
SSH_USER="${SSH_USER:-}"
SSH_PORT="${SSH_PORT:-22}"
SSH_KEY="${SSH_KEY:-}"
PARALLEL="${PARALLEL:-10}"
CONNECT_TO="${CONNECT_TO:-5}"
EXEC_TO="${EXEC_TO:-15}"

# Note: StrictHostKeyChecking=no with UserKnownHostsFile=/dev/null turns off
# host key verification, so the remote end is not authenticated. On networks
# you do not fully trust, use StrictHostKeyChecking=accept-new together with
# a real known_hosts file instead.
SSH_OPTS=(
  -o "ConnectTimeout=${CONNECT_TO}"
  -o "StrictHostKeyChecking=no"
  -o "UserKnownHostsFile=/dev/null"
  -o "BatchMode=yes"
  -o "LogLevel=ERROR"
  -p "${SSH_PORT}"
)
[[ -n "${SSH_KEY}" ]] && SSH_OPTS+=( -i "${SSH_KEY}" )

color() {
  case "$1" in
    red)    printf '\033[31m%s\033[0m' "$2" ;;
    green)  printf '\033[32m%s\033[0m' "$2" ;;
    yellow) printf '\033[33m%s\033[0m' "$2" ;;
    *)      printf '%s' "$2" ;;
  esac
}

[[ -f "${HOSTS_FILE}" ]] || { echo "[-] hosts file not found: ${HOSTS_FILE}"; exit 1; }
[[ -f "${CHECK_SCRIPT}" ]] || { echo "[-] check.py not found: ${CHECK_SCRIPT}"; exit 1; }

: > "${RESULT_FILE}"
{
  echo "=== CVE-2026-31431 Batch Check ==="
  echo "time : $(date '+%F %T')"
  echo "hosts: ${HOSTS_FILE}"
  echo "----------------------------------"
} | tee -a "${RESULT_FILE}"

check_host() {
  local target="$1"
  local host user
  # Split an optional user@ prefix off the hosts.txt entry.
  if [[ "${target}" == *"@"* ]]; then
    user="${target%@*}"
    host="${target#*@}"
  else
    user="${SSH_USER}"
    host="${target}"
  fi
  local connect="${host}"
  [[ -n "${user}" ]] && connect="${user}@${host}"

  local out rc status raw os_info
  # Stream check.py to the remote python3 over stdin; nothing is written to the remote disk.
  out=$(timeout "${EXEC_TO}" ssh "${SSH_OPTS[@]}" "${connect}" 'python3 -' < "${CHECK_SCRIPT}" 2>&1)
  rc=$?
  if [[ ${rc} -ne 0 ]]; then
    printf '[%-22s] %s rc=%d | %s\n' "${connect}" "$(color red ERROR)" "${rc}" "$(echo "${out}" | head -n1)" \
      | tee -a "${RESULT_FILE}"
    return
  fi
  if grep -q "Likely vulnerable" <<<"${out}"; then
    status="$(color red VULNERABLE)"
    raw="VULNERABLE"
  else
    status="$(color green SAFE)"
    raw="SAFE"
  fi
  # Join the distribution name and kernel release with ' | '
  # (paste -d only accepts single-character delimiters, so awk does the join).
  os_info=$(timeout "${EXEC_TO}" ssh "${SSH_OPTS[@]}" "${connect}" \
    "awk -F= '/^PRETTY_NAME/{gsub(/\"/,\"\",\$2);print \$2}' /etc/os-release; uname -r" 2>/dev/null \
    | awk 'NR>1{printf " | "} {printf "%s", $0}')
  printf '[%-22s] %s | %s\n' "${connect}" "${status}" "${os_info}"
  # The log file gets the plain status without colour escape codes.
  printf '[%-22s] %s | %s\n' "${connect}" "${raw}" "${os_info}" >> "${RESULT_FILE}"
}

export -f check_host color
export SSH_OPTS_STR="${SSH_OPTS[*]}"
export CHECK_SCRIPT RESULT_FILE SSH_USER EXEC_TO

# Re-export array via wrapper because bash arrays don't survive `xargs -I`.
_wrapper() {
  # shellcheck disable=SC2086
  SSH_OPTS=( ${SSH_OPTS_STR} )
  check_host "$1"
}
export -f _wrapper

# Skip blank lines and comments; -I{} already passes one host per invocation
# (it is mutually exclusive with -n, so -n1 is not used).
grep -vE '^[[:space:]]*(#|$)' "${HOSTS_FILE}" \
  | xargs -P "${PARALLEL}" -I{} bash -c '_wrapper "$@"' _ {}

echo "----------------------------------" | tee -a "${RESULT_FILE}"
echo "完成,结果已保存到: ${RESULT_FILE}"
```
References:
https://copy.fail/
https://github.com/theori-io/copy-fail-CVE-2026-31431/issues
