fix(ci): workaround CVE-2026-31431 by chilcano · Pull Request #566 · zama-ai/kms

chilcano · 2026-05-04T17:04:05Z

Adds a kernel module blacklist step as the first step in every job as a workaround for CVE-2026-31431.

chilcano · 2026-05-04T17:06:41Z

FYI @dvdplm - This the status once applied the workaround:

zama-ai/kms
  applied: build-and-test.yml
  applied: check-rust-stable-version.yml
  applied: ci_lint.yml
  applied: codeql.yml
  applied: common-docker-big-instance.yml
  applied: common-nitro-enclave.yml
  applied: common-release-workspace-cargo.yml
  applied: common-testing-big-instance.yml
  skip (no ubuntu jobs): common-testing.yml
  applied: common-update-argocd.yml
  applied: dependencies_analysis.yml
  applied: docker-build.yml
  applied: docker-check-build.yml
  applied: docker-scan.yml
  applied: helm-lint.yml
  applied: helm-release.yml
  applied: helm-test.yml
  applied: kind-testing.yml
  applied: main.yml
  applied: npm-release.yml
  applied: performance-testing.yml
  skip (no ubuntu jobs): pr-preview-deploy.yml
  skip (no ubuntu jobs): pr-preview-destroy.yml
  applied: release.yml
  applied: rolling-upgrade-testing.yml
  skip (no ubuntu jobs): rust-lint.yml
  applied: sync-on-push.yml
  applied: test-reporter.yml
  applied: wasm-testing.yml

Workflows: 29 found, 25 updated, 4 skipped.

github-actions · 2026-05-04T17:56:15Z

Consolidated Tests Results 2026-05-19 - 18:35:15

Test Results

7 passed

Details

7 tests
not captured
junit-to-ctrf
build-and-test test-reporter #2249
fix(ci): workaround CVE-2026-31431 #566

test-reporter: Run #2249

Tests 📝	Passed ✅	Failed ❌	Skipped ⏭️	Pending ⏳	Other ❓	Flaky 🍂	Duration ⏱️
7	7	0	0	0	0	0	not captured

🎉 All tests passed!

Tests

View All Tests

Test Name	Status	Duration
k8s_test_crs_uniqueness	✅	42.5s
k8s_test_insecure_keygen_encrypt_and_public_decrypt	✅	1m 55s
k8s_test_insecure_keygen_encrypt_multiple_types	✅	2m 7s
k8s_test_keygen_and_crs	✅	1m 58s
k8s_test_keygen_uniqueness	✅	4m 48s
k8s_test_centralized_insecure	✅	54.9s
nightly_full_gen_tests_default_k8s_centralized_sequential_crs	✅	1.6s

_{🍂 No flaky tests in this run.}

Github Test Reporter by CTRF 💚

🔄 This comment has been updated

dvdplm

lgtm

dvdplm · 2026-05-04T20:47:33Z

The CI failures seem a bit odd though... :/

dd23 · 2026-05-06T13:17:58Z

Apparently github images already have the module disabled, so not sure if we still have to do anything?
See actions/runner-images#13987 (comment)

chilcano · 2026-05-07T13:10:08Z

The Ubuntu runner apparently has the module is disabled.
If the module is already disabled (not loaded, not built-in), neither condition is true, so the if/elif block is simply skipped by falling through.
Up to you guys.
BTW, I've solved the conflicts.

dvdplm · 2026-05-07T15:40:37Z

Up to you guys.

Are you saying it is up to us if we want to merge this or not? I think we should, and the sooner the better!

dd23

Thanks! LGTM

jot2re · 2026-05-20T08:10:37Z

@chilcano can we merge this?

chilcano requested review from a team as code owners May 4, 2026 17:04

cla-bot Bot added the cla-signed The CLA has been signed. label May 4, 2026

dvdplm previously approved these changes May 4, 2026

View reviewed changes

fix(ci): workaround CVE-2026-31431

8f9e76c

chilcano dismissed dvdplm’s stale review via 8f9e76c May 7, 2026 13:07

chilcano force-pushed the fix/cve-2026-31431 branch from 2bfbf10 to 8f9e76c Compare May 7, 2026 13:07

chilcano changed the title ~~Workaround CVE-2026-31431~~ fix(ci): workaround CVE-2026-31431 May 7, 2026

Merge branch 'main' into fix/cve-2026-31431

b7d0a63

Merge branch 'main' into fix/cve-2026-31431

c16345c

dd23 previously approved these changes May 11, 2026

View reviewed changes

Merge branch 'main' into fix/cve-2026-31431

60194f8

dd23 dismissed their stale review via 60194f8 May 19, 2026 10:38

Merge branch 'main' into fix/cve-2026-31431

089f60a

dd23 approved these changes May 19, 2026

View reviewed changes

fegmorte approved these changes May 20, 2026

View reviewed changes

dd23 merged commit 7410b64 into main May 20, 2026
60 checks passed

dd23 deleted the fix/cve-2026-31431 branch May 20, 2026 09:30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(ci): workaround CVE-2026-31431#566

fix(ci): workaround CVE-2026-31431#566
dd23 merged 5 commits into
mainfrom
fix/cve-2026-31431

chilcano commented May 4, 2026

Uh oh!

chilcano commented May 4, 2026

Uh oh!

github-actions Bot commented May 4, 2026 •

edited

Loading

Uh oh!

dvdplm left a comment

Uh oh!

dvdplm commented May 4, 2026

Uh oh!

dd23 commented May 6, 2026

Uh oh!

chilcano commented May 7, 2026

Uh oh!

dvdplm commented May 7, 2026

Uh oh!

dd23 left a comment

Uh oh!

jot2re commented May 20, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

chilcano commented May 4, 2026

Uh oh!

chilcano commented May 4, 2026

Uh oh!

github-actions Bot commented May 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Consolidated Tests Results 2026-05-19 - 18:35:15

Test Results

Details

test-reporter: Run #2249

🎉 All tests passed!

Tests

Uh oh!

dvdplm left a comment

Choose a reason for hiding this comment

Uh oh!

dvdplm commented May 4, 2026

Uh oh!

dd23 commented May 6, 2026

Uh oh!

chilcano commented May 7, 2026

Uh oh!

dvdplm commented May 7, 2026

Uh oh!

dd23 left a comment

Choose a reason for hiding this comment

Uh oh!

jot2re commented May 20, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

github-actions Bot commented May 4, 2026 •

edited

Loading