
It is built as a module in Debian.

lsmod shows it is not loaded on any of the Trixie or Bookworm machines I have checked, Intel or AMD.



FYI it's dynamically loaded on demand, so lsmod will show it after you try to run the exploit, or you can explicitly load it with:

  modprobe algif_aead

The following mitigation (from the article) does work for Debian 12 and 13, I've tested this:

  echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
  rmmod algif_aead 2>/dev/null || true

First line blocks it from loading, second line is unloading it if it's already been loaded. You can test with the same "modprobe algif_aead".
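
A check for the two-step mitigation in the comment above, as an added example that is not part of the original comment: it reports whether the `install ... /bin/false` rule is present and whether the module is still loaded. The function names, the status strings and the overridable paths are assumptions made here so the check can also be run against sample files; only the given directory is scanned.

```shell
#!/bin/sh
# Added example (not from the thread): audit the algif_aead mitigation.
# Function names and status strings are hypothetical, chosen for this sketch.

# Exit 0 if a *.conf file in the directory holds an uncommented
# "install <module> /bin/false" rule. modprobe treats '-' and '_' alike.
module_install_blocked() {
    mib_dir=${2:-/etc/modprobe.d}
    for mib_file in "$mib_dir"/*.conf; do
        [ -f "$mib_file" ] || continue
        if awk -v m="$1" '
            BEGIN { gsub(/-/, "_", m) }
            { sub(/#.*/, ""); name = $2; gsub(/-/, "_", name) }
            $1 == "install" && name == m && $3 == "/bin/false" { found = 1 }
            END { exit !found }' "$mib_file"; then
            return 0
        fi
    done
    return 1
}

# Exit 0 if the module is listed in /proc/modules (what lsmod reads).
module_loaded() {
    awk -v m="$1" '
        BEGIN { gsub(/-/, "_", m) }
        $1 == m { found = 1 }
        END { exit !found }' "${2:-/proc/modules}"
}

# Print one status word for the module:
#   mitigated          rule present, module not loaded
#   blocked-but-loaded rule present, but rmmod has not happened yet
#   loaded-unblocked   no rule, module currently loaded
#   loadable-on-demand no rule, not loaded now, can still be pulled in
audit_module() {
    if module_install_blocked "$1" "${2:-/etc/modprobe.d}"; then
        if module_loaded "$1" "${3:-/proc/modules}"; then
            echo "blocked-but-loaded"
        else
            echo "mitigated"
        fi
    elif module_loaded "$1" "${3:-/proc/modules}"; then
        echo "loaded-unblocked"
    else
        echo "loadable-on-demand"
    fi
}
```

Run `audit_module algif_aead` after sourcing the file; anything other than `mitigated` means one of the two lines from the comment has not taken effect.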


The point of noting whether it is loaded on their machine or not is presumably to indicate that it is not normally loaded (for them), so disabling it to block the exploit should have no impact (for them).


It was loaded on my Ubuntu system so I wonder what used it.


As I understand, any program code can use that socket to write to page cache memory and modify any main program. Even PHP code can be written for that. So it is a serious problem if there is another security hole on the web server.



