
Ansible at Homelab Scale - How Two Critical Debian CVEs Became a Non-Event

Christian Lehnert · 2026-05-14 · ~4 min read

Ansible at Homelab Scale

Two CVEs in Two Weeks

On 29 April 2026, CERT-EU published advisory 2026-005 about a local
privilege escalation in the Linux kernel's algif_aead module, tracked
as CVE-2026-31431 and named Copy Fail. CVSS 7.8. Public proof-of-concept
released. No vendor patches available. The recommended interim mitigation
was to disable the kernel module on every affected system until a fix
shipped.

Two weeks later DSA-6204-1 covered CVE-2026-3497, a critical OpenSSH
GSSAPIKeyExchange flaw enabling remote denial of service and code
execution. Bookworm fix 1:9.2p1-2+deb12u9. Trixie fix
1:10.0p1-7+deb13u2.

Neither incident disrupted my work. The total operator time across
both was perhaps forty minutes, almost all of it spent reading the
advisories carefully before acting.

The Fleet

Roughly twenty-two Debian-derived endpoints. Five ThinkPad laptops on
Trixie. Three Raspberry Pis running DNS, a chat bridge, and an ARM
build host. Three rented root servers behind Caddy and Docker. Ten
Proxmox virtual machines hosting the usual self-hosted stack. Plus
the hypervisor itself. Network devices outside this count include two
Cisco Catalyst 2960S switches, an ISR 1921, the MikroTik core router,
and the FortiGate edge firewall.

[Image: FortiGate 100F on the desk, fresh from the box]

Manual patching at this scale costs roughly fifteen minutes per device
done carefully. Twenty-two times fifteen is five and a half hours.
During an active incident with a public exploit, that window is the
risk.

The Architecture

The inventory groups by operating system and role. Every Debian host
sits under debian_hosts regardless of whether it is a laptop, a Pi,
or a VM. Roles compose into thin playbooks. Collections required
include community.general for the modprobe module, community.proxmox
for dynamic VM discovery, and cisco.ios for the network device side.

A GitHub Actions pipeline runs ansible-lint and syntax checks on
every push. It does not execute playbooks against real hosts, but it
catches the typos, undefined variables, and YAML errors that would
otherwise reach production.
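The layout described in the two paragraphs above, as an added example rather than the author's actual repository: a static inventory in which every Debian-derived endpoint lands under debian_hosts whatever its form factor, a thin site.yml that only composes roles, the collection requirements the post names, and a GitHub Actions workflow that lints and syntax-checks on every push without touching a host. Hostnames, group names, the role names and the workflow file path are constructed for the example; the roles are assumed to exist under roles/, and the Proxmox VMs are listed statically here instead of coming from the community.proxmox inventory plugin.

```yaml
# --- inventory/hosts.yml (constructed sample, not the author's inventory) ---
# Groups follow platform and role; debian_hosts gathers every Debian-derived
# endpoint so one baseline role reaches laptops, Pis, root servers and VMs alike.
---
all:
  children:
    debian_hosts:
      children:
        laptops:
          hosts:
            tp-01: {}
            tp-02: {}
        pis:
          hosts:
            pi-dns: {}
            pi-build: {}
        root_servers:
          hosts:
            vps-01: {}
        proxmox_vms:
          hosts:
            vm-wiki: {}
        hypervisors:
          hosts:
            pve-01: {}
    network_devices:
      hosts:
        sw-core-1:
          ansible_network_os: cisco.ios.ios
          ansible_connection: ansible.netcommon.network_cli

# --- site.yml: a thin playbook that only composes roles (role names assumed) ---
---
- name: Apply the common Debian baseline
  hosts: debian_hosts
  become: true
  roles:
    - common_baseline

- name: Layer role-specific configuration on top of the baseline
  hosts: pis
  become: true
  roles:
    - dns_resolver

# --- requirements.yml: the collections the post lists ---
---
collections:
  - name: community.general    # community.general.modprobe
  - name: community.proxmox    # dynamic VM discovery
  - name: cisco.ios            # network device side

# --- .github/workflows/lint.yml: lint and syntax-check every push ---
---
name: ansible-lint
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install ansible-core ansible-lint
      - run: ansible-galaxy collection install -r requirements.yml
      - run: ansible-lint
      # Parses every play and role referenced from site.yml; no host is contacted.
      - run: ansible-playbook -i inventory/hosts.yml --syntax-check site.yml
```

The syntax check runs against the static inventory on purpose: the Proxmox inventory plugin needs API credentials the runner does not have, and the point of the pipeline is to catch undefined variables and YAML mistakes before a playbook ever reaches a real host.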

The Copy Fail Response

The CERT-EU mitigation was two shell commands. The Ansible equivalent
wraps them in a role and targets debian_hosts.

- name: Disable algif_aead per CERT-EU advisory 2026-005
  # "install <module> /bin/false" makes every future load attempt of the module fail
  ansible.builtin.copy:
    dest: /etc/modprobe.d/disable-algif.conf
    content: "install algif_aead /bin/false\n"
    mode: '0644'

- name: Unload algif_aead if currently loaded
  community.general.modprobe:
    name: algif_aead
    state: absent
  # Unloading fails on a host where the module is busy; do not abort the run,
  # the fleet-wide lsmod verification afterwards surfaces any such host.
  failed_when: false

Ninety seconds of playbook execution. A follow-up verification ran
lsmod | grep algif_aead across the fleet. Every host returned
absent. The mitigation was complete. The kernel fix arrived through
Debian security a few days later and rolled out through the standard
update playbook with serialized reboots.
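The fleet-wide verification the paragraph above describes, written out as an added example rather than the author's own play: it checks both that the modprobe override is present with the expected content and that lsmod no longer lists the module, and fails loudly on any host where either is untrue. The play name, register names and messages are constructed; it assumes the override file path used by the mitigation role shown above.

```yaml
# Added example (not the author's play): verify the Copy Fail mitigation
# is in place and effective on every host in debian_hosts.
- name: Verify algif_aead is blocked and not loaded
  hosts: debian_hosts
  become: true
  gather_facts: false
  tasks:
    - name: Read the modprobe override written by the mitigation role
      ansible.builtin.slurp:
        src: /etc/modprobe.d/disable-algif.conf
      register: override
      failed_when: false          # a missing file is reported by the assert below

    - name: List loaded kernel modules
      ansible.builtin.command: lsmod
      register: lsmod_out
      changed_when: false

    - name: Fail on any host where the mitigation is incomplete
      ansible.builtin.assert:
        that:
          # slurp returns base64; decode and look for the exact install directive
          - override.content is defined
          - "(override.content | b64decode) is search('^install algif_aead /bin/false', multiline=True)"
          # first column of each lsmod line is the module name
          - "'algif_aead' not in (lsmod_out.stdout_lines | map('split') | map('first') | list)"
        fail_msg: "{{ inventory_hostname }}: algif_aead still loadable or still loaded"
        success_msg: "{{ inventory_hostname }}: algif_aead blocked and absent"
```

Checking the file content rather than only its existence matters: an empty or mistyped override silently leaves the module loadable, and the assert is what turns that into a red host in the play recap instead of a quiet gap.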

The OpenSSH Response

Simpler. No pre-patch mitigation phase. Available immediately in the
Debian security archive. The role updated openssh-server, restarted
the daemon through the standard handler pattern, then asserted the
installed version against the security floor with
ansible.builtin.assert. Either every host reported a version at or
above the required level, or the playbook failed loudly on the
offending host. Twelve minutes end to end.
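The update, handler and version-floor pattern described above, as an added example and not the author's role. It assumes openssh-server is installed on every debian_hosts member (the fleet is managed over SSH), uses the DSA-6204-1 fix versions from the advisory as the per-release floor, and compares versions with dpkg --compare-versions rather than Ansible's version test, because the latter does not implement Debian's version ordering (epochs, tilde sorting) and can misjudge strings like 1:9.2p1-2+deb12u9. The play, variable and handler names are constructed.

```yaml
# Added example (not the author's role): patch openssh-server on debian_hosts,
# restart the daemon through a handler, then assert the installed version
# against the DSA-6204-1 floor for the host's Debian release.
- name: Patch OpenSSH per DSA-6204-1 and verify the installed version
  hosts: debian_hosts
  become: true
  vars:
    openssh_floor:                     # fix versions from the advisory
      bookworm: "1:9.2p1-2+deb12u9"
      trixie: "1:10.0p1-7+deb13u2"
  tasks:
    - name: Refuse to run on a release without a defined floor
      ansible.builtin.assert:
        that: ansible_facts['distribution_release'] in openssh_floor
        fail_msg: "No security floor defined for {{ ansible_facts['distribution_release'] }}"

    - name: Upgrade openssh-server from the Debian security archive
      ansible.builtin.apt:
        name: openssh-server
        state: latest
        update_cache: true
        cache_valid_time: 600
      notify: Restart ssh

    - name: Run the restart now so verification sees the new daemon
      ansible.builtin.meta: flush_handlers

    - name: Read the installed version, epoch included
      ansible.builtin.command: dpkg-query -W -f='${Version}' openssh-server
      register: sshd_version
      changed_when: false

    - name: Compare against the floor with Debian version semantics
      ansible.builtin.command: >
        dpkg --compare-versions {{ sshd_version.stdout }}
        ge {{ openssh_floor[ansible_facts['distribution_release']] }}
      register: floor_check
      changed_when: false
      failed_when: false             # rc 1 simply means "below floor"; assert decides

    - name: Fail loudly on any host below the security floor
      ansible.builtin.assert:
        that: floor_check.rc == 0
        fail_msg: >-
          {{ inventory_hostname }} has openssh-server {{ sshd_version.stdout }},
          below the DSA-6204-1 floor
          {{ openssh_floor[ansible_facts['distribution_release']] }}
        success_msg: "{{ inventory_hostname }}: openssh-server {{ sshd_version.stdout }} meets the floor"

  handlers:
    - name: Restart ssh
      ansible.builtin.service:
        name: ssh                    # unit name on Debian
        state: restarted
```

Restarting ssh.service does not drop established sessions, so the Ansible connection survives the handler; flush_handlers forces that restart before the version check so a host is only declared good once the patched daemon is actually the one listening.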

The Honest Limit

Ansible handled the Debian portion cleanly. The network devices need
different tooling. Cisco IOS configuration is positional and stateful
in ways that fight declarative management. RouterOS and FortiOS each
have their own update workflows. These devices represent roughly
thirty percent of the device count but require seventy percent of the
security attention. The right architecture acknowledges this and uses
different tools for different layers.

Closing

The two weeks were a non-event because the work to make them a
non-event was done over the previous two years. The lack of a heroic
story is itself the story. Three hosts in an inventory, one role for
the common baseline, one playbook that applies it. The pattern
scales. The discipline transfers. The next CVE that drops will find
you better prepared than the one before.

Tagged:
#ansible #debian #security #homelab #proxmox #sysadmin