PT-2026-34274 · Linux+4 · Linux Kernel+4
Jan Schaumann · Published 2026-03-23 · Updated 2026-06-17 · CVE-2026-31431
CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 5.10.254
Linux kernel versions prior to 5.15.204
Linux kernel versions prior to 6.1.170
Linux kernel versions prior to 6.6.137
Linux kernel versions prior to 6.12.85
Description
A logic flaw in the Linux kernel's AEAD crypto implementation, specifically within the algif_aead module, allows an unprivileged local user to escalate privileges to root. The issue stems from an in-place optimization during the processing of scatter-gather lists that fails to properly validate requests. By combining AF_ALG sockets and the splice() function, an attacker can perform a deterministic four-byte write directly into the kernel's page cache. This allows the corruption of the in-memory copy of any readable file, such as setuid binaries (e.g., /usr/bin/su), without altering the file on disk. This technique can be used to bypass authentication or execute arbitrary code with root privileges.
In Kubernetes environments, this can lead to container escape; if a privileged DaemonSet (like kube-proxy) shares image layers with an unprivileged container, the attacker can corrupt a binary used by the privileged container to achieve node-level code execution.
Recommendations
Update the Linux kernel to versions 5.10.254, 5.15.204, 6.1.170, 6.6.137, or 6.12.85, or any newer version containing the fix.
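As an added example (not part of the original advisory), the following Python sketch triages `uname -r` strings against the fixed releases listed above. The host names and release strings in the sample inventory are constructed, and vendor kernels whose numbering hides the upstream sublevel are reported as unknown rather than guessed, since distributions may backport the fix.

```python
import platform
import re

# Fixed releases named in this advisory, keyed by stable branch (major, minor).
FIXED_SUBLEVEL = {(5, 10): 254, (5, 15): 204, (6, 1): 170, (6, 6): 137, (6, 12): 85}

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def classify(release):
    """Return 'fixed', 'below-fixed' or 'unknown' for a `uname -r` string."""
    m = _RELEASE.match(release.strip())
    if not m:
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    sublevel = int(m.group(3) or 0)
    suffix = m.group(4)
    fixed = FIXED_SUBLEVEL.get((major, minor))
    if fixed is None:
        # Branch is not listed in the advisory; the number alone decides nothing.
        return "unknown"
    if sublevel == 0 and suffix.startswith("-"):
        # Vendor ABI numbering such as 5.15.0-105-generic hides the upstream
        # sublevel, so a backported fix cannot be ruled in or out here.
        return "unknown"
    return "fixed" if sublevel >= fixed else "below-fixed"


def needs_attention(inventory):
    """Map host -> status for every host that is not confirmed fixed."""
    return {host: status for host, rel in inventory.items()
            if (status := classify(rel)) != "fixed"}


# Constructed sample inventory (host names and releases are made up).
SAMPLE = {
    "build-01": "6.1.170",
    "web-02": "6.6.136-amd64",
    "db-03": "5.15.0-105-generic",
    "lab-05": "5.14.0-427.el9.x86_64",
}

if __name__ == "__main__":
    print("local:", platform.release(), "->", classify(platform.release()))
    for host, status in sorted(needs_attention(SAMPLE).items()):
        print(host, status)
```

Hosts reported as unknown need the distribution's own security tracker or package changelog to confirm whether the fix is present.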
As a temporary mitigation, restrict the use of the splice() function in conjunction with AF_ALG sockets to minimize the risk of exploitation.
Exploit
Fix
DoS
LPE
RCE
Affected Products
Linuxmint
Linux Kernel
Red Os
Rocky Linux
Ubuntu