Linux Kernel Killswitch Proposed After Recent Vulnerability Disclosures

Linux kernel developers are reviewing a killswitch proposal that can disable vulnerable functions after recent CVE disclosures.

Last week, two critical Linux kernel vulnerabilities were disclosed, prompting significant concern within the community. In response, developers are now reviewing a proposal for an emergency “killswitch” mechanism to reduce exposure following public disclosure of serious vulnerabilities.

Sasha Levin, an NVIDIA engineer and Linux stable kernel co-maintainer, submitted the patch. It allows system administrators to temporarily disable a vulnerable kernel function while awaiting a security update.

The concept is simple: if a dangerous code path is identified, the kernel can be instructed to stop using that function. Instead of executing normally, the function would return an error. While this does not resolve the underlying bug, it can block access to the vulnerable path until a patched kernel is available.

The proposal follows recent Linux kernel vulnerability disclosures, including Copy Fail and Dirty Frag. Copy Fail is particularly relevant, as the patch includes a self-test referencing CVE-2026-31431 to demonstrate how the killswitch could block the affected AF_ALG path.

Dirty Frag is not used as a direct test case, but it is also relevant and illustrates the broader issue: serious kernel bugs may become public before fixes are widely available. During this period, administrators may need a temporary method to reduce risk without waiting for the full update cycle.

Levin’s patch makes the feature available through the kernel’s securityfs interface. A privileged administrator can enable a killswitch for a specific function, causing it to fail immediately. This change takes effect at runtime and remains active until disabled or the system is rebooted.
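The mechanism described above, reduced to its core idea in an added illustration that is not Levin's patch or any kernel code: a table of named switches, an administrative toggle standing in for the securityfs write, and a guarded function that returns a preconfigured errno instead of running while its switch is armed. The function names, the `guarded_operation` stand-in and the `-ENOSYS` choice are constructed for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>
/* One entry per guarded function: its name, the negative errno it fails with
 * while armed, and its state. Picking that errno is the part the article warns
 * about: a value callers do not expect can break them. */
struct killswitch {
    const char *func;
    int err;
    bool armed;
};

/* Constructed table; a real implementation would be populated per kernel. */
static struct killswitch switches[] = {
    { "guarded_operation", -ENOSYS, false },
};
#define NSWITCHES (sizeof(switches) / sizeof(switches[0]))

static struct killswitch *killswitch_find(const char *func)
{
    for (size_t i = 0; i < NSWITCHES; i++)
        if (strcmp(switches[i].func, func) == 0)
            return &switches[i];
    return NULL;
}

/* Arm or disarm a switch; stands in for the administrator's securityfs write. */
int killswitch_set(const char *func, bool armed)
{
    struct killswitch *ks = killswitch_find(func);
    if (!ks)
        return -ENOENT;
    ks->armed = armed;
    return 0;
}

/* Called on entry to a guarded function: 0 means run normally, otherwise
 * the negative errno the function must return instead of executing. */
int killswitch_check(const char *func)
{
    struct killswitch *ks = killswitch_find(func);
    return (ks && ks->armed) ? ks->err : 0;
}

/* Constructed stand-in for a vulnerable entry point (not real AF_ALG code). */
int guarded_operation(int arg)
{
    int rc = killswitch_check("guarded_operation");
    if (rc)
        return rc;      /* blocked: the vulnerable body never runs */
    return arg * 2;     /* normal behaviour */
}
```

Nothing in the table repairs the guarded body; once the switch is disarmed (or after a reboot, in the real proposal) the original, still-vulnerable path runs again.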

The proposal targets code paths that most systems do not rely on daily. Levin cites areas such as AF_ALG, ksmbd, nf_tables, vsock, and ax25. In some environments, temporarily disabling these features may be less disruptive than running a kernel with a known vulnerability.

However, the feature carries clear risks. The patch does not include automatic safety checks to determine if a function can be safely disabled. Disabling the wrong function or returning an incorrect value could disrupt system behavior or cause new issues. Therefore, this is not intended as a general-purpose security switch for casual use.

It is also important to be clear that this mechanism is not live patching. It does not replace vulnerable code with a corrected version; it only blocks a selected function from running. A full kernel update is still required to properly address the vulnerability. The killswitch simply provides an emergency mitigation for the period between public disclosure and full patch deployment.

As of now, the killswitch patch is still under review and has not been accepted into the Linux kernel.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.