About:
CVE-2026-31431 is a local privilege escalation vulnerability in the Linux kernel crypto subsystem, specifically in the algif_aead implementation used by the AF_ALG interface.
The flaw is caused by unsafe handling of in-place operations where source and destination buffers originate from different memory mappings. This condition can be abused by a local attacker to manipulate memory behavior within the kernel.
Successful exploitation may allow an unprivileged user to escalate privileges to root, leading to full system compromise, modification of system state, and potential disabling of security controls.
Public proof-of-concept exploit code is available.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Local Privilege Escalation Vulnerability in Linux Kernel algif_aead
Identifier: CVE-2026-31431
CVSS Score: 7.8 CVSS 3.1
PoC or Exploitation:
Public proof-of-concept exploit code is available.
Update/ Patch:
The Linux kernel project has released a fix for this vulnerability.
Affected versions include: Linux kernel versions introduced in 4.14 with commit 72548b093ee38a6d4f2a19e6ef1948ae05c181f7
Fixed versions include: kernel 6.18.22 and later with commit fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8
Distribution-specific affected systems include: Ubuntu 16.04, 18.04, 20.04, and 22.04 LTS releases reported as vulnerable
Description:
CVE-2026-31431 is a vulnerability in the Linux kernel crypto subsystem, specifically in the algif_aead implementation used by the AF_ALG cryptographic interface.
The vulnerability was introduced due to unsafe in-place operation handling in the AEAD interface, where source and destination buffers originate from different memory mappings. This design flaw introduces complexity that can be abused by a local attacker.
An attacker can exploit this vulnerability locally to escalate privileges on an affected system. Successful exploitation may allow escalation from an unprivileged user to root, enabling full system compromise, modification of system state, and disabling of security controls.
Mitigation Recommendation:
Immediately apply kernel updates that include the fix introduced in Linux kernel 6.18.22 or vendor backported patches.
Prioritize patching multi-user systems, container hosts, and environments where untrusted users or workloads can execute code.
If patching is not immediately possible, consider disabling or restricting the algif_aead module where operationally feasible.
Monitor systems for suspicious privilege escalation behavior, unexpected root-level processes, or anomalous kernel activity.
Review distribution-specific advisories from vendors such as Ubuntu, Red Hat, and SUSE to confirm exact affected and fixed package versions.