www.it-connect.fr
Linux Kill Switch Proposed After CopyFail and Dirty Frag
Following the discovery of the critical CopyFail and Dirty Frag security flaws in Linux kernel components, a maintainer has proposed an idea: adding a kill switch, or emergency stop button, to the Linux kernel. The goal? Temporarily disable vulnerable functions while waiting for an official fix.
An idea in response to CopyFail and Dirty Frag
Recently, two critical vulnerabilities affecting the Linux kernel were disclosed: Copy Fail and Dirty Frag. Beyond the severity of these vulnerabilities, the real issue was that they were disclosed before patches were available.
Sasha Levin, an engineer at NVIDIA and a contributor to the Linux kernel stable branch, proposed adding an emergency mechanism, commonly known as a "kill switch." This sort of emergency stop button would allow administrators to reduce system exposure during the period between public disclosure of a vulnerability and deployment of the security fix.
How would this Linux kill switch work?
Sasha Levin would like this feature to allow a kernel function deemed vulnerable after a flaw disclosure to be disabled. An administrator with sufficient privileges could easily disable the function in question, and the action would be applied through the securityfs interface. This leads me to think that cybercriminals could also hijack this kill switch for their own benefit: that must be part of the overall discussion as a potential risk.
When the kill switch is active for a kernel function, that function would simply return an error instead of running normally. In the context of the Copy Fail vulnerability (CVE-2026-31431), this would make it possible to block the affected component: AF_ALG.
In practice, it would therefore be possible to enable this circuit breaker for a specific function at runtime. Since the Linux kernel contains a huge number of them, very precise targeting of the affected component or components is possible. Even so, it will be necessary to remain cautious about possible side effects: the emergency stop button is not meant to check whether a function is in use before disabling it, otherwise it would not deserve that name.
"Many recent kernel issues involve modules that most installations enable only to meet the needs of a minority of users: AF_ALG, ksmbd, nf_tables, vsock, ax25, and others. For most users, the cost of having 'this socket family stop working for a day' is far lower than using a kernel known to be vulnerable until the fix is deployed.", argues Sasha Levin in his proposal.
This kill switch should not be confused with a live patch: it does not replace the fix. It only helps mitigate the vulnerability and the associated risks while waiting for the patch to be applied. Ultimately, a Linux kernel update will still be essential to correct the flaw.
What do you think?
