Solutions
The table below lists all affected product series. Users should apply the interim mitigation immediately and monitor this advisory for patch availability updates.
| Product Series | Affected Versions | Solutions |
| --- | --- | --- |
| UC Series: UC-1200A Series, UC-2200A Series, UC-3400A Series, UC-4400A Series, UC-8600A Series, UC-8200 Series | Moxa Industrial Linux (MIL), in the order of the product list: MIL3 v1.4 and earlier, and MIL4 v1.0; MIL3 v1.4 and earlier, and MIL4 v1.0; MIL3 v1.2 and earlier, and MIL4 v1.0; MIL3 v1.3 and earlier, and MIL4 v1.0; MIL4 v1.0; MIL3 v1.5 and earlier | Immediate Action (Available Now): Apply interim mitigations (see Mitigations section). Planned Permanent Fix |
| V Series: V1200 Series, V3200 Series, V3400 Series | Moxa Industrial Linux (MIL), in the order of the product list: MIL3 v1.2.0 and earlier; MIL3 v1.1 and earlier; MIL3 v1.1 and earlier | |
| VM Series | Moxa Industrial Linux (MIL) | |
| IoThinx Series | Moxa Industrial Linux (MIL) | |
| AIG Series: AIG-302 Series, AIG-502 Series | Firmware, in the order of the product list: v1.4.0 and earlier; v1.0.0 | |
| BXP Series: BXP-A100 Series, BXP-A101 Series, BXP-C100 Series | Debian ordered via CTOS: Debian 11 V1.0; Debian 12 V1.0 | Immediate Action (Available Now): If you are using CTOS, we recommend that you verify the current kernel version and arrange to apply the latest security updates as soon as possible. Please refer to the Solutions for CTOS section below for detailed steps. For upstream security information, please refer to Debian Security Advisories. |
| DRP Series: DRP-A100 Series, DRP-C100 Series | Debian ordered via CTOS | |
| RKP Series: RKP-A110 Series, RKP-C110 Series, RKP-C220 Series | Debian ordered via CTOS: Debian 11 V1.0; Debian 12 V1.0 | |
Mitigations
Interim Mitigation — Module Blacklisting (Apply Immediately)
Until a kernel security patch is available, users must apply the following mitigation. This procedure disables the vulnerable kernel modules and effectively closes the known attack vectors for CVE-2026-31431, CVE-2026-43284, and CVE-2026-43500 on affected systems.
IMPORTANT: Before applying this mitigation, read the Functional Impact Analysis section below. Disabling IPsec modules (esp4/esp6) will interrupt all VPN tunnels. Do not apply this mitigation blindly on systems that depend on IPsec for network connectivity. Additionally, Step 3 (flushing the page cache) may cause a brief I/O performance degradation as cached data must be reloaded from the disk. It is recommended to execute this step during a scheduled maintenance window on I/O-intensive systems.
Step 1: Mitigate CVE-2026-31431 (algif_aead module)
For AIG-302 and UC-8200 Series:
algif_aead is compiled as a built-in kernel module in this firmware and cannot be removed at runtime via modprobe or blacklisting. The only mitigation is to block its initialization at boot using the initcall_blacklist kernel parameter.
⚠️ These commands modify bootloader environment variables directly. A mistake may render the device unbootable and require manual recovery via serial console. Physical access is required before proceeding.
$ sudo fw_setenv bootargs 'console=ttymxc0,115200n8 root=/dev/mmcblk2p2 rootfstype=ext4 rw rootwait fsck.mode=force fsck.repair=yes noinitrd console=ttymxc0,115200 pci=nomsi initcall_blacklist=algif_aead_init'
$ sudo fw_setenv bootcmd 'mmc rescan;load mmc 2:1 ${loadaddr} working/imx7d-moxa.itb;bootm ${loadaddr}'
$ sudo fw_setenv boot_process 2
⚠️ Before rebooting, verify the changes:
$ sudo fw_printenv bootargs
$ sudo fw_printenv bootcmd
$ sudo fw_printenv boot_process
Confirm the output matches the values set above, then reboot the device for the changes to take effect.
Once the firmware update with the official fix is applied, revert the boot configuration:
$ sudo fw_setenv boot_process 0
$ sudo fw_setenv bootargs
$ sudo fw_setenv bootcmd
For All Other Products:
Create blacklist configuration, unload module, and verify:
$ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/moxa-cve-2026-algif.conf
$ sudo rmmod algif_aead 2>/dev/null || true
$ lsmod | grep algif_aead
No output indicates the module is not loaded.
Step 2: Mitigate CVE-2026-43284 (esp4/esp6 modules - IPsec)
Determining If IPsec Is in Use
Check if your system has the esp4/esp6 modules loaded:
$ lsmod | grep -E 'esp4|esp6'
If no output is returned, IPsec is not running and you can safely use the blocklist method. If the modules appear in the output, verify whether IPsec is configured by checking:
$ ip xfrm state
$ ip xfrm policy
If either command shows active entries, IPsec is in use. Choose the appropriate method below based on your IPsec requirements.
Blocklist Method
Warning: This method disables IPsec. Only use if your system does not require IPsec connectivity.
$ echo "install esp4 /bin/false" | sudo tee /etc/modprobe.d/moxa-cve-2026-ipsec.conf
$ echo "install esp6 /bin/false" | sudo tee -a /etc/modprobe.d/moxa-cve-2026-ipsec.conf
$ sudo rmmod esp4 esp6 2>/dev/null; true
User Namespace Restriction Method
This approach maintains IPsec functionality by restricting unprivileged user namespaces instead of disabling the esp4/esp6 modules.
Warning: Rootless containers, browser sandboxing features, and Flatpak will be affected. Root containers and regular applications continue to function normally.
$ echo "user.max_user_namespaces=0" | sudo tee /etc/sysctl.d/moxa-dirtyfrag.conf
$ sudo sysctl --system
Step 3: Mitigate CVE-2026-43500 (rxrpc module)
The rxrpc module provides RxRPC protocol support for AFS (Andrew File System). Most industrial deployments do not use AFS. Disable the module using:
$ echo "install rxrpc /bin/false" | sudo tee /etc/modprobe.d/moxa-cve-2026-rxrpc.conf
$ sudo rmmod rxrpc 2>/dev/null; true
$ lsmod | grep rxrpc
No output indicates the module is successfully disabled.
Step 4: Verification
Confirm that all targeted modules are no longer loaded:
$ lsmod | grep -E 'algif_aead|esp4|esp6|rxrpc'
No output confirms successful mitigation. If any modules remain loaded, they are in active use by running connections. Schedule a system reboot during your next maintenance window to complete the mitigation.
Step 5: Drop Page Cache (Optional)
⚠️ Note: This causes a temporary increase in disk I/O as the cache repopulates. On file servers or database servers, expect a brief period of reduced read performance.
$ sync
$ echo 3 | sudo tee /proc/sys/vm/drop_caches
❗Functional Impact Analysis — Read Before Applying
- algif_aead: Minimal impact. Affects only custom applications using the Linux userspace crypto socket API. Standard industrial applications are not affected.
- esp4 / esp6 (IPsec):
  - Blocklist Method: High impact. Disabling these modules will immediately terminate all IPsec/VPN tunnels and prevent them from restarting. Do not use this method on devices where IPsec is required for network communications or OT/IT segregation.
  - User Namespace Restriction Method: Preserves IPsec functionality but affects rootless containers (Docker/Podman), sandboxed browsers, and Flatpak applications. Privileged containers and standard applications are not affected.
- rxrpc: Minimal expected impact. RxRPC is a specialized Linux networking protocol and is not used by standard Moxa industrial applications or typical default deployments. Disabling the rxrpc module is not expected to affect normal device operation. Customers running customized applications, third-party packages, or non-standard integrations should confirm that RxRPC is not required in their environment before applying this mitigation.
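The following is an added example and not part of the Moxa advisory: the decision logic of Steps 1 to 4 above written as small POSIX shell functions that take captured command output as arguments, so the checks can be rehearsed on a workstation before anything is changed on a device. The function names, the MOXA_MODULES list and all sample data are constructed for this example; the blocklist file format it writes matches the `install <module> /bin/false` lines used in the advisory.

```shell
#!/bin/sh
# Added example, not Moxa's tooling: Steps 1-4 of the interim mitigation as
# functions that work on captured command output. Function names,
# MOXA_MODULES and the sample data below are constructed, not from a device.

MOXA_MODULES="algif_aead esp4 esp6 rxrpc"

# Write one "install <module> /bin/false" line per module into a
# modprobe.d-style file (same form as the tee commands in Steps 1-3).
# $1 = target directory, $2 = file name, remaining args = module names.
write_blocklist_conf() {
    dir=$1; name=$2; shift 2
    : > "$dir/$name"
    for mod in "$@"; do
        printf 'install %s /bin/false\n' "$mod" >> "$dir/$name"
    done
}

# Step 4 check: print the modules from the list that still appear in lsmod
# output. Returns 0 when none are loaded (mitigation verified), 1 otherwise.
# $1 = text as printed by `lsmod`, remaining args = module names.
loaded_modules() {
    lsmod_text=$1; shift
    found=""
    for mod in "$@"; do
        # lsmod prints the module name in the first column; match it exactly
        if printf '%s\n' "$lsmod_text" | awk '{print $1}' | grep -qxF "$mod"; then
            found="$found $mod"
        fi
    done
    found=${found# }
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -z "$found" ]
}

# Step 2 check: IPsec is in use when either `ip xfrm state` or
# `ip xfrm policy` prints any entry. $1 = state output, $2 = policy output.
ipsec_in_use() {
    [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ] ||
    [ -n "$(printf '%s' "$2" | tr -d '[:space:]')" ]
}

# Step 1 check for the built-in case (AIG-302 / UC-8200): confirm that the
# line printed by `fw_printenv bootargs` carries the initcall_blacklist token.
bootargs_block_algif() {
    printf '%s\n' "$1" | sed 's/^bootargs=//' | tr ' ' '\n' |
        grep -qxF 'initcall_blacklist=algif_aead_init'
}

# --- constructed sample data (not captured from a device) ---
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   24576  2
xfrm4_tunnel           16384  1 esp4
rxrpc                 323584  0
ext4                  761856  1'
SAMPLE_XFRM_STATE='src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0x0000abcd reqid 1 mode tunnel'
SAMPLE_BOOTARGS='bootargs=console=ttymxc0,115200n8 root=/dev/mmcblk2p2 initcall_blacklist=algif_aead_init'

# Dry run on the sample data: writes only into a temporary directory and
# needs no root privileges.
tmp=$(mktemp -d)
write_blocklist_conf "$tmp" moxa-cve-2026-rxrpc.conf rxrpc
cat "$tmp/moxa-cve-2026-rxrpc.conf"
rm -rf "$tmp"
if still=$(loaded_modules "$SAMPLE_LSMOD" $MOXA_MODULES); then
    echo "verified: none of the targeted modules are loaded"
else
    echo "still loaded, reboot during maintenance window: $still"
fi
if ipsec_in_use "$SAMPLE_XFRM_STATE" ""; then
    echo "IPsec in use: do not apply the esp4/esp6 blocklist method"
fi
if bootargs_block_algif "$SAMPLE_BOOTARGS"; then
    echo "bootargs blocks algif_aead initialization"
fi
```

On a device, feed the functions live output instead of the samples, for example `loaded_modules "$(lsmod)" $MOXA_MODULES` after Step 3, or `ipsec_in_use "$(ip xfrm state)" "$(ip xfrm policy)"` before choosing between the blocklist and user-namespace methods; a non-zero return from `loaded_modules` is the page's "schedule a reboot" case, since a module that is still loaded is held by active connections.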
Solutions for CTOS
Update the Linux kernel to the patched version and reinstall the x86 SDK to ensure the updated kernel module is applied.
Step 1 – Add the Debian security repository
Debian 11 (Bullseye):
echo "deb http://security.debian.org/debian-security bullseye-security main contrib non-free" | sudo tee -a /etc/apt/sources.list
Debian 12 (Bookworm):
echo "deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware" | sudo tee -a /etc/apt/sources.list
Step 2 – Update the package index and upgrade the kernel
apt-get update
apt-get install --only-upgrade linux-image-amd64 -y
Step 3 – Reinstall the x86 SDK
Download the x86 SDK from the Resources tab on the product page on the Moxa website. Then, reinstall it to rebuild the kernel modules against the updated kernel.
unzip <downloaded_sdk>.zip
cd Moxa_x86_Linux_SDK_<ver>_Build_<build_date>
./install.sh -y
Step 4 – Reboot the system
General Security Recommendations
To safeguard devices and networks, we recommend the following measures to mitigate potential risks:
- Restrict Network Access
  - Use firewalls or access control lists (ACLs) to limit communication to trusted IP addresses and networks.
  - Segregate operational networks from other networks (e.g., enterprise networks) using VLANs or physical separation.
- Minimize Exposure
  - Avoid exposing devices directly to the Internet.
  - Disable unused network services and ports to reduce the attack surface.
- Enhance Device Authentication and Access Control
  - Implement multi-factor authentication (MFA) for accessing critical systems.
  - Use role-based access control (RBAC) to enforce the principle of least privilege.
- Regularly Update Firmware and Software
  - Keep devices updated with the latest firmware versions and security patches.
  - Establish a regular patch management schedule to address newly identified vulnerabilities.
- Secure Remote Access
  - Use encrypted communication protocols (e.g., VPN, SSH) for remote access.
  - Restrict remote access to authorized personnel only and enforce strong authentication mechanisms.
- Implement Anomaly Detection Techniques
  - Monitor network traffic and device behavior for unusual or unauthorized activities.
  - Use tools or techniques that can identify anomalies and provide alerts for potential threats.
- Implement Logging and Monitoring
  - Enable event logging and maintain audit trails on devices.
  - Regularly review logs for anomalies and unauthorized access attempts.
- Conduct Regular Security Assessments
  - Perform vulnerability assessments to identify potential risks.
  - Regularly review device configurations to ensure compliance with security policies.
Products Confirmed Not Affected
Only products listed in the Affected Products and Solutions section of this advisory are confirmed to be affected by these vulnerabilities. The products confirmed not affected are listed below.
- UC Series: UC-2100 Series, UC-3100 Series, UC-5100 Series, UC-8100 Series, UC-8100A-ME-T Series, UC-8100-ME-T Series, UC-8200 Series (MIL1), UC-8410A Series, UC-8540 Series
- V Series: V2201 Series, V2403C Series, V2406C Series
- AIG Series: AIG-101 Series, AIG-301 Series, AIG-501 Series
- All other Industrial Computing products, such as the DA Series, MC Series, and Panel PCs.
Revision History:
| VERSION | DESCRIPTION | RELEASE DATE |
| --- | --- | --- |
| 1.0 | First release | May 26, 2026 |