Linux 7.2 Proceeding To Deprecate AF_ALG Due To "Massive Attack Surface"


Written by Michael Larabel in Linux Networking on 1 June 2026 at 06:48 AM EDT.

The Linux kernel's AF_ALG interface, which gives user-space applications direct access to the kernel's built-in cryptographic engine, is proceeding through a quick deprecation cycle because of its "massive attack surface", with more vulnerabilities coming to light through AI/LLM-based tooling.

With the upcoming Linux 7.2 kernel, AF_ALG is being deprecated in full. Eric Biggers explains in a patch queued to the kernel's cryptographic subsystem "cryptodev" tree:

"AF_ALG is almost completely unnecessary, and it exposes a massive attack surface that hasn't been standing up to modern vulnerability discovery tools. The latest one even has its own website, providing a small Python script that reliably roots most Linux distros: https://copy.fail/

This isn't sustainable, especially as LLMs have accelerated the rate the vulnerabilities are coming in. The effort that is being put into this thing is vastly disproportional to the few programs that actually use it, and those programs would be better served by userspace code anyway.

These issues have been noted in many mailing list discussions already. But until now they haven't been reflected in the documentation or kconfig menu itself, and the vulnerabilities are still coming in.

Let's go ahead and document the deprecation."

In addition to the deprecation, AF_ALG will already have its zero-copy support removed in Linux 7.2 because of the associated security concerns.

Additionally, as of this past week, a patch is moving ahead that drops off-CPU cryptography support from AF_ALG. Hardware-accelerated offloading to crypto accelerators through AF_ALG has been deemed too dangerous and is thus already being removed for Linux 7.2:

"AF_ALG is deprecated and exposed to unprivileged userspace. Only use the least buggy algorithm implementations: the pure software ones.

This removes one of the main advantages of AF_ALG, which is the ability to use it with off-CPU accelerators. However, using off-CPU accelerators has huge overheads, both in performance and attack surface. I have yet to see real-world, performance-critical workloads where using an accelerator via AF_ALG is actually a win over doing cryptography in userspace.

If using an off-CPU accelerator really does turn out to be a win, a new API should be developed that is actually a good fit for it."

The Linux 7.2 merge window should kick off in mid-June with many changes: both many new kernel features and further work dealing with the fallout from the growing number of AI/LLM discoveries.
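An added example, not from the article or the kernel patches: a Python check of whether each AF_ALG interface type is reachable from the current unprivileged process, next to the userspace `hashlib` call that replaces an AF_ALG hash. The algorithm names probed, the function names and the sample input are assumptions chosen for illustration.

```python
import hashlib
import socket

# AF_ALG interface types, each paired with one commonly available algorithm
# (assumed names for this example; a given kernel may not provide all of them).
PROBES = [("hash", "sha256"), ("skcipher", "cbc(aes)"),
          ("aead", "gcm(aes)"), ("rng", "stdrng")]


def af_alg_reachable(alg_type, alg_name):
    """Return True if this process can create and bind an AF_ALG socket."""
    family = getattr(socket, "AF_ALG", None)  # only defined on Linux builds
    if family is None:
        return False
    try:
        with socket.socket(family, socket.SOCK_SEQPACKET, 0) as s:
            s.bind((alg_type, alg_name))  # can trigger autoload of algif_* modules
        return True
    except OSError:  # compiled out, module blocked, or filtered by a sandbox
        return False


def exposure_report():
    """Map each AF_ALG interface type to whether it is reachable here."""
    return {alg_type: af_alg_reachable(alg_type, name) for alg_type, name in PROBES}


def sha256_via_af_alg(data):
    """SHA-256 through the kernel; None when AF_ALG is not usable."""
    family = getattr(socket, "AF_ALG", None)
    if family is None:
        return None
    try:
        with socket.socket(family, socket.SOCK_SEQPACKET, 0) as s:
            s.bind(("hash", "sha256"))
            op, _ = s.accept()  # the operation socket carries the data
            with op:
                op.sendall(data)  # short input, sent as a single message
                return op.recv(32)
    except OSError:
        return None


def sha256_userspace(data):
    """The userspace replacement: no kernel crypto socket involved."""
    return hashlib.sha256(data).digest()


if __name__ == "__main__":
    sample = b"constructed sample input"
    print(exposure_report())
    kernel = sha256_via_af_alg(sample)
    print("match" if kernel == sha256_userspace(sample) else "AF_ALG unavailable")
```

A host where every entry in the report is `False` has no AF_ALG surface reachable from that process context, and software on it is already relying on userspace cryptography.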


Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.
