PT-2026-34274 · Linux+4 · Linux Kernel+4

Jan Schaumann

·

Published

2026-03-23

·

Updated

2026-07-02

·

CVE-2026-31431

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 7.0 Linux kernel versions prior to 6.19.12
Description A flaw exists in the algif aead cryptographic algorithm interface of the Linux kernel. The issue stems from an incorrect in-place operation during cryptographic processing where source and destination data mappings differ. A local attacker with low privileges can exploit this by splicing a readable file into an AF ALG socket and requesting an AEAD operation. This triggers a race condition in the Copy-on-Write (CoW) path, allowing the attacker to write 4-byte chunks directly into the kernel's page cache for any file they can read.
Because the page cache is shared across the system, this corruption is visible to all processes reading the file, including those in separate Kubernetes containers or privileged DaemonSets (e.g., kube-proxy). This allows an attacker to overwrite the in-memory copy of sensitive system binaries (such as /usr/sbin/ipset or /usr/bin/su) without modifying the file on disk, effectively bypassing disk-hash integrity tools. This can lead to full root privilege escalation and container escape on Kubernetes nodes.
Recommendations Update the Linux kernel to version 7.0 or 6.19.12. As a temporary mitigation, restrict pod scheduling to prevent untrusted workloads from running on nodes that host privileged DaemonSets sharing base image layers.

Exploit

Fix

LPE

DoS

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

ALSA-2026:13565
ALSA-2026:13566
ALSA-2026:13577
ALSA-2026:13578
ALSA-2026:19074
ALSA-2026:19225
ALSA-2026:A001
ALSA-2026:A002
ALSA-2026:A003
BDU:2026-06123
CVE-2026-31431
ECHO-41E7-B14A-B4FB
GHSA-M38G-VWW2-MVGX
OESA-2026-2172
OESA-2026-2173
OESA-2026-2174
OESA-2026-2175
OESA-2026-2176
OPENSUSE-SU-2026:10734-1
RHSA-2026:13565
RHSA-2026:13566
RHSA-2026:13577
RHSA-2026:13578
RHSA-2026:13681
RHSA-2026:13734
RHSA-2026:13887
RHSA-2026:13932
RHSA-2026:13936
RHSA-2026:14137
RHSA-2026:14165
RHSA-2026:14230
RHSA-2026:14301
RHSA-2026:14339
RHSA-2026:14926
RHSA-2026:15976
RHSA-2026:15978
RHSA-2026:16018
RHSA-2026:16063
RHSA-2026:16111
RHSA-2026:16208
RHSA-2026:16209
RHSA-2026:16210
USN-8226-1
USN-8226-2
USN-8277-1
USN-8277-2
USN-8278-1
USN-8278-2
USN-8279-1
USN-8279-2
USN-8279-3
USN-8280-1
USN-8280-2
USN-8280-3
USN-8281-1
USN-8281-2
USN-8289-1
USN-8289-2
USN-8305-1
USN-8305-2
USN-8310-1
USN-8350-1
USN-8351-1
USN-8374-1
USN-8391-1
USN-8392-1
USN-8393-1
USN-8426-1
USN-8426-2
USN-8440-1
USN-8441-1
USN-8462-1
USN-8499-1

Affected Products

Linuxmint
Linux Kernel
Red Os
Rocky Linux
Ubuntu