Linux · Linux Kernel · CVE-2026-31431
**Name of the Vulnerable Software and Affected Versions**
Linux kernel versions prior to 5.10.254
Linux kernel versions prior to 5.15.204
Linux kernel versions prior to 6.1.170
Linux kernel versions prior to 6.6.137
Linux kernel versions prior to 6.12.85
**Description**
A logic flaw in the Linux kernel's AEAD crypto implementation, specifically within the `algif_aead` module, allows an unprivileged local user to escalate privileges to root. The issue stems from an in-place optimization during the processing of scatter-gather lists that fails to properly validate requests. By combining `AF_ALG` sockets and the `splice()` system call, an attacker can perform a deterministic four-byte write directly into the kernel's page cache. This allows the corruption of the in-memory copy of any readable file, such as setuid binaries (e.g., `/usr/bin/su`), without altering the file on disk. This technique can be used to bypass authentication or execute arbitrary code with root privileges. In Kubernetes environments, this can lead to container escape; if a privileged DaemonSet (like `kube-proxy`) shares image layers with an unprivileged container, the attacker can corrupt a binary used by the privileged container to achieve node-level code execution.
**Recommendations**
Update the Linux kernel to versions 5.10.254, 5.15.204, 6.1.170, 6.6.137, or 6.12.85, or any newer version containing the fix.
As a temporary mitigation, restrict the use of the `splice()` system call in conjunction with `AF_ALG` sockets to minimize the risk of exploitation.
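To triage hosts against the fixed releases listed above, the following check (an added example, not part of the original advisory) compares a kernel release string with the fixed version for its stable branch. The function name `kernel_status` and the status words are assumptions of this example; branches the advisory does not list are reported as `unknown` rather than guessed.

```shell
#!/bin/sh
# Fixed releases per stable branch, copied from the advisory text.
FIXED_RELEASES="5.10.254 5.15.204 6.1.170 6.6.137 6.12.85"

# kernel_status RELEASE   (hypothetical helper for this example)
# Prints: fixed | affected | unknown
#   unknown = branch not listed in the advisory, or unparsable release.
kernel_status() {
    rel=${1%%[-+_ ]*}          # drop suffixes such as "-91-generic"
    case $rel in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $rel                # split into major, minor, patch
    IFS=$old_ifs
    major=$1 minor=$2 patch=${3:-0}
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo unknown; return 0
    fi
    for fixed in $FIXED_RELEASES; do
        branch=${fixed%.*}     # e.g. 6.6 from 6.6.137
        if [ "$major.$minor" = "$branch" ]; then
            if [ "$patch" -ge "${fixed##*.}" ]; then
                echo fixed
            else
                echo affected
            fi
            return 0
        fi
    done
    echo unknown
}

# Report on the running kernel.
echo "$(uname -r): $(kernel_status "$(uname -r)")"
```

The comparison uses upstream stable numbering only; distribution kernels often backport fixes without changing the base version, so an `affected` result on a vendor kernel should be confirmed against the vendor's own advisory.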