Kernel Module Mitigation

Practical suggestion that vulnerable modules like AF_ALG could be blacklisted before patch release, providing immediate mitigation without revealing exact exploit details.

3 comments tagged with this topic

"Taking an availability hit" is also an "in the limit" case that mostly serves to illustrate the falsity of "disclose or patch" as a binary. Much more commonly: a fully disclosed vulnerability arms systems teams with enough information to mitigate; pull kernel modules, change permissions, that sort of thing.

Many vulnerabilities seem to be in code paths for rarely used features. They can often be disabled.

Since the exploit can be mitigated by simply blacklisting the AF_ALG module, why didn’t they release an advisory to disable the problematic module (which AFAIU is hardly used), and then only later, say after a week, release the patch for it? At least then you would have the immediate ability for a mitigation without giving away exactly how to exploit the bug.
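
The module blacklisting the comments above refer to is done through modprobe.d configuration, and the two common directives differ in strength: `blacklist` only suppresses alias-based autoloading, while an `install <module> /bin/false` override makes every modprobe load attempt fail. The following audit helper is an added example, not part of the thread; the function names are hypothetical and `af_alg` is assumed to be the kernel module name behind AF_ALG.

```shell
#!/bin/sh
# Added example (not from the thread): report how strongly a kernel module is
# restricted by modprobe.d-style configuration files.
#
# module_block_status <module> [config_dir ...]
#   blocked        an "install <module> /bin/false" (or true) override exists
#   autoload-only  only "blacklist <module>" exists; explicit loads still work
#   unrestricted   no directive for this module was found
module_block_status() {
    mod=$(printf '%s' "$1" | sed 's/-/_/g')   # modprobe treats - and _ alike
    shift
    # Default search path used by modprobe; pass directories to override.
    [ "$#" -gt 0 ] || set -- /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d
    status=unrestricted
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            r=$(awk -v m="$mod" '
                /^[ \t]*#/ { next }                       # skip comment lines
                NF < 2     { next }
                { name = $2; gsub(/-/, "_", name) }
                name != m  { next }
                $1 == "install" && $3 ~ /(^|\/)(false|true)$/ { hard = 1 }
                $1 == "blacklist" { soft = 1 }
                END { print (hard ? "blocked" : (soft ? "autoload-only" : "")) }
            ' "$f")
            case "$r" in
                blocked)       status=blocked ;;
                autoload-only) [ "$status" = blocked ] || status=autoload-only ;;
            esac
        done
    done
    printf '%s\n' "$status"
}

# Configuration only affects future loads: a module already listed in
# /proc/modules stays active until it is unloaded or the host reboots.
# module_is_loaded <module> [modules_file]
module_is_loaded() {
    grep -q "^$(printf '%s' "$1" | sed 's/-/_/g') " "${2:-/proc/modules}"
}
```

Neither directive has any effect when the code is built into the kernel rather than built as a loadable module, so a `blocked` result is only meaningful on kernels that ship it as a module.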