PT-2026-34274 · Linux+1 · Linux Kernel+1

Jan Schaumann · Published 2026-04-22 · Updated 2026-05-04 · CVE-2026-31431

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 5.10.254
Linux kernel versions prior to 5.15.204
Linux kernel versions prior to 6.1.170
Linux kernel versions prior to 6.6.137
Linux kernel versions prior to 6.12.85
Ubuntu versions prior to 26.04

Description

A logic flaw in the algif_aead module of the Linux kernel cryptographic subsystem allows an unprivileged local user to escalate privileges to root. The issue stems from an in-place optimization introduced in 2017 that fails to properly verify the destination buffer during cryptographic operations. By combining AF_ALG sockets and the splice() system call, an attacker can overwrite four bytes directly in the page cache (the kernel's in-memory copy of files). This allows the corruption of trusted setuid binaries, such as /usr/bin/su, in RAM without modifying the actual file on disk, making the attack invisible to standard file-integrity monitors. This flaw also enables container escape, as the page cache is shared across the host, allowing a compromised pod to gain root access to the underlying node.

Recommendations

Update the kernel to a version that includes the fix (e.g., versions 5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85 or later).

As a temporary workaround, disable the vulnerable module by running:

    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf

and then executing:

    rmmod algif_aead

Perform a mandatory system reboot after patching or applying the workaround to clear corrupted pages from the memory cache.
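
An added example, not part of the advisory or its author's tooling: a POSIX shell check that compares a kernel release string against the fixed versions listed above and looks for the algif_aead module and the modprobe override from the workaround. The function names are this example's own; a release below the listed fix is reported as older-than-fix rather than vulnerable, because distribution kernels can carry backported fixes without changing the upstream version number.

```shell
#!/bin/sh
# Added example (not the advisory's own tooling). Fixed versions are the ones
# the advisory lists; function names are this example's own.

# Patch level that carries the fix on each stable branch named in the advisory.
fixed_patch() {
    case "$1" in
        5.10) echo 254 ;; 5.15) echo 204 ;; 6.1) echo 170 ;;
        6.6)  echo 137 ;; 6.12) echo 85 ;;
        *) return 1 ;;
    esac
}

# kernel_status RELEASE: prints fixed | older-than-fix | unknown
kernel_status() {
    ver=${1%%-*}; ver=${ver%%+*}          # drop distro suffix: 6.1.150-generic
    case "$ver" in *.*) ;; *) echo unknown; return ;; esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # "6.6" has no patch level
    patch=${patch%%.*}
    case "$major$minor$patch" in *[!0-9]*|"") echo unknown; return ;; esac
    if fixed=$(fixed_patch "$major.$minor"); then
        if [ "$patch" -ge "$fixed" ]; then echo fixed; else echo older-than-fix; fi
    else
        echo unknown                      # branch not listed in the advisory
    fi
}

# module_loaded [FILE]: true if algif_aead is in a /proc/modules-format file.
# A built-in (non-module) algif_aead never appears there.
module_loaded() { grep -q '^algif_aead ' "${1:-/proc/modules}"; }

# workaround_present [DIR]: true if a modprobe.d file has the install override.
workaround_present() {
    grep -qsE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false' \
        "${1:-/etc/modprobe.d}"/*.conf
}

report() {
    echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
    if module_loaded; then echo "algif_aead: loaded"; else echo "algif_aead: not loaded"; fi
    if workaround_present; then echo "modprobe override: present"
    else echo "modprobe override: absent"; fi
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run the script with `--report` on the host to print all three results; an `unknown` kernel status means the running branch is not one of those the advisory lists.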

Exploit

Fix

RCE

LPE

Weakness Enumeration

Related Identifiers

ALSA-2026:A001
ALSA-2026:A002
ALSA-2026:A003
BDU:2026-06123
CVE-2026-31431

Affected Products

Linuxmint
Linux Kernel