Kubernetes DaemonSet agent from NorskHelsenett that detects and remediates CVE-2026-31431, an algif_aead Linux kernel flaw enabling unprivileged page-cache writes via AF_ALG sockets.
Key Takeaways
CVE-2026-31431 affects kernels 4.14 through 6.19.11/6.18.21; patched in 7.0+, 6.19.12+, 6.18.22+.
Agent runs every 5 minutes per node: checks kernel version, probes AF_ALG aead/authenc(hmac(sha256),cbc(aes)), then remediates.
Exposes Prometheus metrics on :9100/metrics with four gauges covering vulnerability, module reachability, and remediation status.
Ships Helm chart via GHCR OCI registry, raw manifests, ArgoCD Application, PodMonitor, and PrometheusRule with three severity-tiered alerts.
Hacker News Comment Review
Both commenters are skeptical, questioning the core technical correctness and the trust model before any production use is considered.
The blacklist remediation mode is flagged as ineffective: blacklisting only blocks automatic modprobe loading, not direct insmod or syscall-level module insertion.
Running a privileged node-level DaemonSet from an external author to patch a kernel issue is seen as trading one attack surface for another; the approach also fails entirely when algif_aead is compiled into the kernel (e.g. GKE) rather than loaded as a module.
Notable Comments
@antiloper: “blacklisting a kernel module only prevents modprobe from loading it automatically” – direct technical rebuttal of the blacklist mode’s security claim.
@cassianoleal: notes module unloading is a no-op when algif_aead is compiled into the kernel, as on GKE.
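Added example, not code from the NorskHelsenett agent: a Python check that applies the version thresholds listed under Key Takeaways and then classifies how algif_aead is present on the node, so the built-in case the comments flag (where unloading and blacklisting are no-ops) is reported as "kernel upgrade required". The file paths read in assess_host() and the sample /proc/modules and modules.builtin contents are assumptions and constructed input; the page lists no backports for other stable branches, so none are modelled.

```python
import re
from pathlib import Path

# Thresholds as stated on the page: affected 4.14 .. 6.19.11 / 6.18.21,
# patched in 7.0+, 6.19.12+, 6.18.22+. Assumption: no other stable branch
# carries a backport, since the page lists none.
FIRST_AFFECTED = (4, 14, 0)
BRANCH_FIX = {(6, 18): 22, (6, 19): 12}

# Constructed sample input (not captured from a real host).
SAMPLE_PROC_MODULES = "algif_aead 16384 0 - Live 0x0000000000000000\naf_alg 32768 1 algif_aead, Live 0x0000000000000000\n"
SAMPLE_BUILTIN = "kernel/crypto/af_alg.ko\nkernel/crypto/algif_aead.ko\n"

def parse_kernel_version(release):
    """Parse a `uname -r` string such as '6.18.21-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_vulnerable_version(release):
    major, minor, patch = parse_kernel_version(release)
    if (major, minor, patch) < FIRST_AFFECTED or major >= 7:
        return False
    if (major, minor) in BRANCH_FIX:          # 6.18.y and 6.19.y have point fixes
        return patch < BRANCH_FIX[(major, minor)]
    return (major, minor) < (6, 18)           # older branches: affected, no fix listed

def module_state(proc_modules, modules_builtin, module="algif_aead"):
    """'builtin' (cannot be unloaded or blacklisted), 'loaded', or 'absent'.
    Inputs are the text of /proc/modules and /lib/modules/<rel>/modules.builtin."""
    builtin = {Path(l.strip()).stem for l in modules_builtin.splitlines() if l.strip()}
    if module in builtin:
        return "builtin"
    loaded = {l.split()[0] for l in proc_modules.splitlines() if l.strip()}
    return "loaded" if module in loaded else "absent"

def assess(release, proc_modules, modules_builtin):
    """Combine both checks into the outcome a defender has to act on."""
    if not is_vulnerable_version(release):
        return "patched-kernel"
    state = module_state(proc_modules, modules_builtin)
    if state == "builtin":
        return "vulnerable-builtin-upgrade-required"   # rmmod/blacklist are no-ops here
    if state == "loaded":
        return "vulnerable-module-loaded"              # unload; a blacklist alone does not prevent explicit loading
    return "vulnerable-module-not-loaded"              # still loadable on request until the kernel is patched

def assess_host():
    """Read the live node (assumed paths); wraps the pure functions above."""
    release = Path("/proc/sys/kernel/osrelease").read_text().strip()
    builtin_path = Path("/lib/modules") / release / "modules.builtin"
    builtin = builtin_path.read_text() if builtin_path.exists() else ""
    return assess(release, Path("/proc/modules").read_text(), builtin)
```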