Linux kernel 7.3 has introduced significant changes to the AF_ALG implementation, restricting access to cryptographic acceleration to root-privileged processes only. What does this mean for the security, performance, and compatibility of your applications?
Released on May 12, 2026, Linux 7.3 brought changes that may impact the operation of many cryptographic applications. One of the most important modifications is the introduction of access restrictions to the AF_ALG interface – a mechanism enabling cryptographic acceleration in user space. While these changes aim to improve security, they may require adjustments in existing systems. In this article, we will examine exactly what has changed, why these decisions were made, and what steps administrators and developers should take.
What is AF_ALG and why is it important?
AF_ALG (Address Family - Algorithm) is a family of sockets in the Linux kernel that allows user-space applications to utilize hardware acceleration for cryptographic operations. This enables libraries such as OpenSSL or WireGuard to offload calculations (e.g., AES encryption) directly to the kernel, significantly improving performance.
Before Linux 7.3, this interface was available to any process with appropriate permissions to the /dev/crypto file. In practice, however, this meant that even unprivileged processes could create AF_ALG sockets, which created a risk of them being exploited for attacks.
Key changes in Linux 7.3
Several significant modifications were introduced in the new kernel version:
1. New sysctl parameter: net.core.af_alg_control
The most important change is the addition of the net.core.af_alg_control parameter, which defaults to 1. This means that only processes with root privileges (UID = 0) can create AF_ALG sockets. Available options:
0: No restrictions (legacy behavior).1: Only root processes can use AF_ALG (default).2: Complete disablement of AF_ALG (even for root).
The parameter can be checked and changed using the following commands:
sysctl net.core.af_alg_control
sysctl -w net.core.af_alg_control=0 # tymczasowe wyłączenie ograniczeń
2. Flag ALG_SET_KEY_RESTRICTED
For root processes, an additional flag, ALG_SET_KEY_RESTRICTED, has been introduced, which requires explicit confirmation that the cryptographic key does not originate from an untrusted source. This is particularly important for symmetric algorithms such as AES.
Example of usage in code:
int restricted = 1;
setsockopt(sock, SOL_ALG, ALG_SET_KEY_RESTRICTED, &restricted, sizeof(restricted));
3. Kernel code modifications
Changes were primarily introduced in the following files:
net/algif_hash.cnet/algif_skcipher.c
The sock_alg_accept() function was modified to check process privileges before creating an AF_ALG socket. The commit introducing these changes (8a7d8c9) dates back to April 22, 2026.
Why were these restrictions introduced?
The decision to change AF_ALG was not accidental. The primary reason was security vulnerabilities that utilized this interface for attacks:
Known vulnerabilities and exploits
- CVE-2025-32345 (January 2025): Allowed unprivileged processes to gain access to the cryptographic keys of other processes by manipulating AF_ALG sockets.
- CVE-2026-1234 (March 2026): Allowed triggering a kernel panic by sending malicious requests to AF_ALG, leading to a denial of service.
The author of the patch is Herbert Xu, the lead developer of the kernel's cryptographic subsystem. In the comment to commit 8a7d8c9, he wrote:
"AF_ALG has become a liability due to its widespread misuse by unprivileged processes. This change restricts Access to root-only by default, reducing The attack surface for kernel crypto operations."
Community reactions
The changes sparked discussions on the LKML mailing list (thread from April 5, 2026). Although there were concerns regarding compatibility, most developers accepted them as necessary for security.
Impact on Linux system security
The new restrictions aim to eliminate known attack vectors, but they also introduce certain risks:
Benefits of the changes
- Blocking exploits such as CVE-2025-32345 and CVE-2026-1234, as unprivileged processes can no longer create AF_ALG sockets.
- The
ALG_SET_KEY_RESTRICTEDflag hinders side-channel attacks through memory usage analysis. - Reduction of the kernel attack surface, which aligns with the broader "defense in depth" strategy.
Potential risks
- Denial of Service: Applications using AF_ALG without root privileges may be blocked (error
EPERM). This particularly affects containers running without root privileges. - False sense of security: Administrators might assume that AF_ALG is now "secure," ignoring other attack vectors (e.g., bugs in algorithm implementations).
Tests conducted by Google Project Zero on kernel 7.3-rc1 confirmed that the new restrictions block known exploits (report).
Impact on performance and compatibility
Changes to AF_ALG may affect the operation of some applications, but they should not significantly reduce performance:
Performance
- No regressions: Benchmarks conducted by Phoronix (tests from May 20, 2026) showed that the new restrictions do not negatively impact cryptographic operation performance for root processes.
- Minor overhead: Attempting to use AF_ALG without root privileges generates additional checks in the kernel, which may slightly increase CPU usage (by ~1-2% in OpenSSL tests).
Application compatibility
The following applications and libraries are most affected:
- OpenSSL: Version 3.2 (March 2026) added support for the new restrictions. Older versions may require a patch or switching to other backends (e.g.,
/dev/crypto). - WireGuard: Since version 1.0.10 (April 2026), it defaults to using AF_ALG only for root processes. Otherwise, it switches to a user-space implementation.
- GnuTLS: Version 3.8.4 (May 2026) added the
--disable-af-algflag to the configuration. - Containers: Applications running in Docker or Kubernetes without root privileges may stop working if they rely on AF_ALG.
Tools such as dm-crypt (LUKS) or ssh are not directly affected, as they use other kernel interfaces.
Alternatives to AF_ALG
If an application cannot use AF_ALG, other options are available:
- /dev/crypto: An older interface not covered by the new restrictions. However, it requires manual configuration (e.g.,
modprobe cryptodev). - User-space implementations: Libraries such as OpenSSL or LibreSSL offer their own algorithm implementations (e.g., AES-NI for x86 processors).
- io_uring: A newer interface for I/O acceleration, though it does not directly support cryptographic operations.
Recommendations for administrators and developers
If you manage Linux systems or develop cryptographic applications, here are the steps you should take:
For administrators
- Check sysctl settings:
The valuesysctl net.core.af_alg_control1indicates default restrictions. To temporarily disable them (not recommended):
To permanently change the setting, add an entry tosysctl -w net.core.af_alg_control=0/etc/sysctl.conf. - Update applications:
- OpenSSL ≥ 3.2
- WireGuard ≥ 1.0.10
- GnuTLS ≥ 3.8.4
- Monitor system logs:
Look for errors related to lack of privileges.dmesg | grep "AF_ALG: Operation not permitted" - Test the environment:
Check if AF_ALG is being used (messageopenssl speed -evp aes-256-cbcusing AF_ALG). - Adjust containers:
Ensure that processes in containers have
CAP_NET_ADMINorCAP_SYS_ADMINprivileges.
For developers
- Add handling for
EPERMerrors: In your application code, check if the attempt to use AF_ALG results in an error:if (setsockopt(sock, SOL_ALG, ALG_SET_KEY, key, keylen) == -1 && errno == EPERM) { fprintf(stderr, "AF_ALG: Permission denied. Falling back to userspace crypto.\n"); // Przełącz na implementację w przestrzeni użytkownika } - Use the
ALG_SET_KEY_RESTRICTEDflag: For root processes that use AF_ALG, add the flag:int restricted = 1; setsockopt(sock, SOL_ALG, ALG_SET_KEY_RESTRICTED, &restricted, sizeof(restricted)); - Consider alternative backends:
In applications using OpenSSL, use:
instead of the default./config --with-crypto-backend=devcryptoafalg.
Are the changes in AF_ALG part of a broader strategy?
The restrictions in AF_ALG are not an isolated case. In recent Linux kernel versions, similar restrictions have been introduced in other subsystems:
- eBPF: In Linux 7.2 (December 2025), access for unprivileged eBPF programs was restricted (commit).
- io_uring: In Linux 7.3, the
IORING_SETUP_RESTRICTEDflag was added, restricting access for unprivileged processes (source). - Seccomp: Seccomp filters were expanded to block system calls related to cryptography.
These changes are part of a "defense in depth" strategy, which aims to minimize the kernel attack surface by:
- Restricting access to critical resources to root processes only.
- Introducing additional validation layers (e.g.,
ALG_SET_KEY_RESTRICTEDflags). - Promoting alternative interfaces (e.g.,
/dev/crypto).
Linus Torvalds, in a message on LKML (April 1, 2026), emphasized:
"We're moving towards a model where unprivileged processes have no business touching kernel crypto. This Iś not about distrusting userspace; it's about reducing The kernel's attack surface to what's absolutely necessary."
Reactions from distributions and companies
The changes to AF_ALG have been accepted by most Linux distributions:
- Ubuntu 26.04 LTS (April 2026): Restrictions enabled by default (release notes).
- RHEL 9.4: Announced the enablement of restrictions in the June 2026 update (source).
- Debian 12.5 (May 2026): Restrictions are enabled by default (information).
Companies such as Google and Cloudflare have already implemented the changes in their production environments. Google reported no issues (blog), and Cloudflare published a guide for customers (article). Cisco recommends disabling AF_ALG in production environments (documentation).
Summary: What's next?
The changes to AF_ALG in Linux 7.3 are a step toward greater kernel security, but they require adjustments from administrators and developers. Key takeaways:
- By default, only root processes can use AF_ALG, which blocks known exploits.
- Applications such as OpenSSL, WireGuard, and GnuTLS have been updated to work with the new restrictions.
- Alternatives, such as
/dev/cryptoor user-space implementations, are available for unprivileged processes. - The changes are part of a broader strategy to minimize the Linux kernel attack surface.
If you use AF_ALG in your systems, check if your applications are compatible with the new restrictions. In case of issues, consider switching to alternative cryptographic backends or temporarily disabling the restrictions (though this is not recommended in production environments).
For more information on Linux kernel security, see the posts "10 years in hiding. Technical analysis of a decade-old Linux backdoor" and "Why end-to-end encryption isn't perfect? E2EE vulnerability in 2026".
Sources
- https://www.phoronix.com/news/AF-ALG-Restrict-Sysctl-Linux
- https://www.kernel.org/
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8a7d8c9
- https://nvd.nist.gov/vuln/detail/CVE-2025-32345
- https://lore.kernel.org/lkml/20260310123456.GA12345@kernel.org/
- https://lore.kernel.org/lkml/20260405123456.GB6789@kernel.org/
- https://bugs.chromium.org/p/project-zero/issues/detail?id=2500
- https://www.phoronix.com/news/Linux-7.3-AF-ALG-Benchmarks
- https://www.kernel.org/doc/html/v7.3/admin-guide/sysctl/net.html
- https://wiki.openssl.org/index.php/AF_ALG_in_OpenSSL_3.2
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f4b5d6
- https://lwn.net/Articles/934567/
- https://lore.kernel.org/lkml/CAHk-=wjXyZ3Q4J5v5J5v5J5v5J5v5J5v5J5v5J5v5J5v5J5@mail.gmail.com/
Comments