PT-2026-34274 · Linux+4 · Linux Kernel+4
Jan Schaumann · Published 2026-03-23 · Updated 2026-06-05
CVE-2026-31431
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 5.10.254
Linux kernel versions prior to 5.15.204
Linux kernel versions prior to 6.1.170
Linux kernel versions prior to 6.6.137
Linux kernel versions prior to 6.12.85
Description
A logic flaw in the Linux kernel's AEAD crypto implementation, specifically within the algif_aead module, allows local unprivileged users to escalate privileges to root. The issue stems from an in-place optimization introduced in 2017 that fails to properly validate requests, leading to a mismanagement of scatter-gather lists. By combining AF_ALG sockets and the splice() function, an attacker can overwrite four bytes directly into the page cache (the in-memory copy of files in RAM). This allows the corruption of critical read-only files, such as setuid binaries like /usr/bin/su, without altering the actual file on disk. Because the page cache is shared across the host, this can be used to escape Kubernetes containers and compromise the underlying server or other tenants. The vulnerability is highly reliable as it does not require race conditions or memory leaks.
Recommendations
Update the kernel to a build that includes mainline commit a664bf3d603d.
As a temporary workaround, disable the algif_aead module by executing: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf and rmmod algif_aead 2>/dev/null || true.
For environments running untrusted code, such as containers or sandboxes, block access to the AF_ALG crypto interface.
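A host check for the recommendations above, as an added example that is not part of the advisory: it compares an upstream-style release string against the fixed versions listed on this page and looks for the modprobe workaround. The function names are hypothetical; distribution kernels that backport the fix can report "affected" here while being patched, and branches the page does not list report "unknown".

```shell
#!/bin/sh
# Added example (not from the advisory). Version data: the five branches on this page.

# First fixed patch level for a stable branch listed on the page; empty if not listed.
fixed_patch_for_branch() {
    case "$1" in
        5.10) echo 254 ;; 5.15) echo 204 ;; 6.1) echo 170 ;;
        6.6)  echo 137 ;; 6.12) echo 85 ;;
    esac
}

# kernel_status RELEASE -> affected | fixed | unknown (upstream numbering only)
kernel_status() {
    rel=${1%%-*}; rel=${rel%%+*}          # 5.15.0-91-generic -> 5.15.0
    case "$rel" in *.*) ;; *) echo unknown; return 0 ;; esac
    major=${rel%%.*}; rest=${rel#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "6.6" has no patch level
    patch=${patch%%.*}; patch=${patch:-0}
    case "$major$minor$patch" in
        *[!0-9]*) echo unknown; return 0 ;;
    esac
    fixed=$(fixed_patch_for_branch "$major.$minor")
    if [ -z "$fixed" ]; then echo unknown
    elif [ "$patch" -lt "$fixed" ]; then echo affected
    else echo fixed
    fi
}

# yes if some *.conf in DIR carries an "install algif_aead ..." line (the workaround).
# modprobe treats "-" and "_" in module names as equivalent, so accept both.
workaround_configured() {
    if grep -Eqs '^[[:space:]]*install[[:space:]]+algif[_-]aead[[:space:]]' \
        "${1:-/etc/modprobe.d}"/*.conf; then echo yes; else echo no; fi
}

# yes if algif_aead is currently loaded (FILE defaults to /proc/modules).
module_loaded() {
    if grep -qs '^algif_aead ' "${1:-/proc/modules}"; then echo yes; else echo no; fi
}

report() {
    printf 'kernel %s: %s\n' "$(uname -r)" "$(kernel_status "$(uname -r)")"
    printf 'workaround configured: %s\n' "$(workaround_configured)"
    printf 'algif_aead loaded: %s\n' "$(module_loaded)"
}
report
```

A host that reports "workaround configured: yes" together with "algif_aead loaded: yes" still has the module resident, which is the case the rmmod step of the workaround addresses.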
Affected Products
Linuxmint
Linux Kernel
Red Os
Rocky Linux
Ubuntu