If iwd, or cryptsetup with certain non-default algorithms, isn't being used on the system, you should be fine. Not many programs use AF_ALG. It's possible there are others I'm not aware of, but it's quite rare.
replyTo be clear, general-purpose Linux distros generally can't disable these kconfig options yet, due to these cases. But there are many Linux systems that simply don't need this functionality.
A good project for someone to work on would be to fix iwd and cryptsetup to always use userspace crypto, as they should.
is CONFIG_CRYPTO_USER_API needed for hw acceleration for cryptsetup (dm-crypt) disk encryption ?
replyNo, dm-crypt just calls the kernel's crypto code directly.
replyI can’t comment on the ramifications, except to note that elsewhere in the thread this appears to not break anything (whether it makes userspace crypto a little less safe is academic, but that doesn’t matter if we have an easy local root shell), but I can verify the above fix does protect Ubuntu 24.04 from the exploit.
replyJust reboot after applying this change.
Or
reply zgrep CONFIG_CRYPTO_USER_API /proc/config.gzIs it built as a module in most distros?
replyIt is built as a module in Debian.
replylsmod shows it is not loaded on any of the Trixie or Bookworm machines I have checked, Intel or AMD.