Not having the module loaded doesn't mean you're not vulnerable, the kernel loads the module on-demand when it's needed. I tried the exploit on such a system, and it worked.

However, not having the module loaded does mean that in normal operation you don't need the module, so the proposed mitigation of disabling the module is safe in the sense that it won't disrupt anything.

> I have checked all the servers (bookworm, bullseye) that I manage, and none of them have the algif_aead module loaded.

But only Trixie (and testing/Sid) are patched (as I type this).

On Bookworm (and Bullseye), you want to add the module to list of blocked modules. It's a one-line change.