PT-2026-34274 · Linux+4 · Linux Kernel+4
Jan Schaumann
·
Published
2026-03-23
·
Updated
2026-07-02
·
CVE-2026-31431
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 7.0
Linux kernel versions prior to 6.19.12
Description
A flaw exists in the
algif aead cryptographic algorithm interface of the Linux kernel. The issue stems from an incorrect in-place operation during cryptographic processing where source and destination data mappings differ. A local attacker with low privileges can exploit this by splicing a readable file into an AF ALG socket and requesting an AEAD operation. This triggers a race condition in the Copy-on-Write (CoW) path, allowing the attacker to write 4-byte chunks directly into the kernel's page cache for any file they can read.Because the page cache is shared across the system, this corruption is visible to all processes reading the file, including those in separate Kubernetes containers or privileged DaemonSets (e.g.,
kube-proxy). This allows an attacker to overwrite the in-memory copy of sensitive system binaries (such as /usr/sbin/ipset or /usr/bin/su) without modifying the file on disk, effectively bypassing disk-hash integrity tools. This can lead to full root privilege escalation and container escape on Kubernetes nodes.Recommendations
Update the Linux kernel to version 7.0 or 6.19.12.
As a temporary mitigation, restrict pod scheduling to prevent untrusted workloads from running on nodes that host privileged DaemonSets sharing base image layers.
Exploit
Fix
LPE
DoS
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linuxmint
Linux Kernel
Red Os
Rocky Linux
Ubuntu