Skip to content

CONCEPT Cited by 1 source

AF_ALG — Linux kernel crypto socket family

AF_ALG is the Linux kernel's socket-family API for unprivileged user-space access to the kernel crypto API (the same subsystem that handles kTLS, IPsec, dm-crypt, etc.). Rather than calling the crypto API directly via a privileged kernel interface, user-space programs open a socket(AF_ALG, SOCK_SEQPACKET, 0), bind() to an algorithm template (e.g. hash, skcipher, aead), and exchange data using standard socket calls (sendmsg, recvmsg, splice). Three algorithm modules sit behind AF_ALG: algif_hash, algif_skcipher, and algif_aead (the Authenticated Encryption with Associated Data module). Canonical wiki framing from the 2026-05-07 Copy Fail response post.

Mechanism

An unprivileged program invokes the kernel crypto API as follows:

  1. Open and bind. socket(AF_ALG, SOCK_SEQPACKET, 0), then bind() to an algorithm template (e.g. type: "aead", name: "authencesn(hmac(sha256),cbc(aes))").
  2. Set key. setsockopt(ALG_SET_KEY) sets the symmetric key or HMAC key.
  3. Accept request socket. accept() returns a request- specific socket descriptor.
  4. Submit input. sendmsg() (copy-in) or splice() (zero-copy via page-cache references) supplies the input data.
  5. Execute. recvmsg() triggers the crypto operation and returns the output.

The splice() path is the structurally interesting one: it moves data by passing page-cache references rather than copying bytes. The kernel crypto API uses scatterlists — structures linking heterogeneous memory pages — and in 2017 algif_aead was optimised for in-place operations by chaining destination and reference pages together. This optimisation didn't enforce write-boundary constraints on the crypto algorithm, which is the root cause of Copy Fail.

Why AF_ALG is an interesting attack surface

  • Unprivileged by design. AF_ALG was deliberately built so ordinary programs could use the kernel crypto API. No capabilities required; available on essentially every modern Linux kernel with algif_* modules loaded.
  • Wide expressivity. Via bind() to algorithm templates, user-space can exercise a large portion of the kernel crypto implementation — including algorithms rarely triggered by core kernel services.
  • Kernel-internal bugs reachable. A bug in any algif-reachable algorithm (authencesn, chacha20poly1305, any AEAD combinator) is an unprivileged-reachable kernel bug. The kernel crypto API is a large codebase and not every algorithm sees equal scrutiny.
  • Scatterlist + splice mechanics are exotic. The splice() path chains page-cache pages into a crypto operation; most code paths don't exercise this combination, so latent bugs can persist for years (Copy Fail was a 2017 optimisation regression disclosed in 2026).

Legitimate users

In practice, only a small number of production services actively use AF_ALG. Cloudflare's fleet-wide measurement (2026-04-30) confirmed "our known internal service was the sole legitimate AF_ALG user" — giving enough coverage for a bpf-lsm allow-list to gate the subsystem without breaking anything. Typical legitimate callers include:

  • Specific cryptographic tooling that wants to benefit from kernel-accelerated algorithms without directly linking against a userspace crypto library.
  • Some performance-critical paths that want to use kernel crypto API implementations.
  • Cloudflare's one internal service that's allow-listed on their fleet (not publicly named in the 2026-05-07 post).

Mitigation levers

Three levers at different altitudes:

  1. Unload algif_* modules. Coarse. Breaks all legitimate callers of AF_ALG. The Copy Fail researchers' recommended workaround (modprobe blacklist for algif_aead). Cloudflare's attempt at this broke in staging on 2026-04-29 due to dependency conflicts.
  2. Deny AF_ALG bind at the LSM hook. Surgical. The socket_bind LSM hook fires on every bind() call; a bpf-lsm program can deny the hook for AF_ALG specifically, with an allow-list of legitimate binaries. The canonical Cloudflare Copy Fail mitigation (systems/cloudflare-bpf-lsm + patterns/bpf-lsm-allowlist-hook-denial).
  3. Remove algif_* from the kernel build entirely. Permanent attack- surface reduction at build time; stated as a Cloudflare follow-up "reduce attack surface of Linux Kernel" but not shipped in the 2026-05-07 post.

Seen in

  • 2026-05-07 — Cloudflare Copy Fail response. Canonical wiki first-class page for the AF_ALG socket family. AF_ALG + algif_aead is the exploitation surface for CVE-2026-31431; socket_bind is the LSM hook the bpf-lsm mitigation denies; ebpf_exporter tracks per- binary socket(AF_ALG, ...) calls for the visibility phase of the mitigation rollout. (Source: sources/2026-05-07-cloudflare-copy-fail-linux-vulnerability-response)
Last updated · 451 distilled / 1,324 read