
Local Privilege Escalation via Linux Kernel AF_ALG Page Cache Corruption (CVE-2026-31431)

May 08th, 2026

High

Our Cyber Threat Intelligence Unit is monitoring CVE-2026-31431 ("Copy Fail"), a high-severity Linux kernel privilege-escalation vulnerability affecting virtually all major Linux distributions running kernels released from 2017 up to the availability of vendor patches. The vulnerability exists within the AF_ALG userspace cryptographic API, specifically the algif_aead module, and stems from a logic issue introduced by an in-place optimization in 2017. It allows any local unprivileged user to corrupt the in-memory page cache of a setuid binary and gain root access within seconds. The vulnerability impacts a broad range of enterprise and cloud environments, including containerized workloads and Kubernetes deployments, increasing exposure across shared infrastructure. CVE-2026-31431 was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026, confirming active exploitation, and a public proof-of-concept exploit is available. Organizations should treat this as an active threat and immediately prioritize kernel patching or, where patches are not yet available, interim mitigations.

Technical Details

  • CVE ID: CVE-2026-31431

  • Severity: High

    • CVSS Score: 7.8 (kernel.org CNA score; NVD independent assessment pending at time of publication)

  • Vulnerability Type: Local Privilege Escalation (Linux kernel logic vulnerability in AF_ALG algif_aead subsystem)

  • Attack Vector: Local (requires unprivileged local code execution; no remote vector in isolation)

  • Affected Versions:

    • Linux Kernel (Upstream): 4.14 through 6.18.21; fixed in 6.18.22 or later

    • Linux Kernel (Upstream): 6.19.0 through 6.19.11; fixed in 6.19.12 or later

    • Linux Kernel (7.0 pre-release): 7.0-rc1 through pre-7.0 final builds; fixed in 7.0 final release

    • Older LTS backport streams including 6.12.x, 6.6.x, 5.15.x, and 5.10.x are also affected and require vendor-specific backport patches

Note: Intermediate versions 6.18.19–6.18.21 and 6.19.10–6.19.11 contained incomplete mitigations that were corrected in later releases and should not be treated as fully patched.

  • Distribution Patch Status (as of advisory publication):

    • Ubuntu 22.04 / 24.04: A kmod update (USN-8226-1/2) disabling the algif_aead module has been released as an interim measure.

      • Full kernel patches were still pending as of publication.

      • Organizations should apply the kmod update immediately and monitor vendor channels for kernel patch availability.

    • Debian 12 (Bookworm / Stable): No confirmed backport released as of advisory publication.

    • Debian Testing / Unstable / Forky: Fix available in latest builds; organizations should verify running kernel version against vendor advisories.

    • RHEL 8 / 9: Patching is in progress. Red Hat's official RHSA had not been released as of the advisory publication.

      • AlmaLinux, an RHEL downstream, published patches on May 1, 2026.

      • Organizations should monitor Red Hat's security advisory channels.

    • RHEL 10.1: Confirmed exploitable; Sysdig and Microsoft verified the working public exploit against this version.

    • Fedora: Patching in progress. Newer kernel builds likely include the fix; organizations should verify via vendor advisory.

    • SUSE SLES 15 SP6: Patching in progress. Update availability varies by service pack level.

    • Amazon Linux 2023: Kernel updates rolling out. Confirmed exploitable per Sysdig.

    • CloudLinux 7h / 8 / 9 / 10: Beta patches were available as of May 1, 2026, with stable channel rollout in progress through CloudLinux's own kernel release pipeline.

      • Note that the standard modprobe-based workaround does not function on CloudLinux or other RHEL-family distributions; see our recommendations for the correct interim mitigation.

    • Arch Linux: Tracks upstream kernel releases closely via rolling release.

      • Organizations should verify the running kernel version is 6.18.22, 6.19.12, or 7.0 or later to confirm patch status.

  • Attack Chain:

    • Attacker obtains local unprivileged code execution via SSH access, a compromised container, or a CI/CD pipeline context

    • Vulnerable kernel version with algif_aead available in the AF_ALG subsystem is confirmed

    • Attacker binds an AF_ALG socket to authencesn(hmac(sha256),cbc(aes)) and splice()s the page cache pages of a setuid binary (e.g., /usr/bin/su) into the cryptographic pipeline

    • The authencesn scratch write deposits a 4-byte controlled value into the spliced file's cached pages in memory

    • The attacker repeats the primitive at successive offsets to stage shellcode into the in-memory representation of the setuid binary

    • Executing the binary runs the modified in-memory version and yields a root shell (UID 0)

    • Post-exploitation results in full system compromise; in containerized environments sharing a host kernel, the vulnerability additionally allows container escape to host-level root

  • Exploitation Notes:

    • CVE-2026-31431 has no standalone remote exploitation path, but chains readily with any initial access vector that provides local unprivileged code execution.

    • The exploit is deterministic, requires no race condition, and operates entirely in memory without modifying files on disk, rendering disk-based integrity monitoring ineffective.

    • CVE-2026-31431 was added to the CISA KEV catalog on May 1, 2026, confirming active exploitation in the wild. Federal Civilian Executive Branch agencies are required to remediate by May 15, 2026.


Impact

Successful exploitation of CVE-2026-31431 may result in:

  • Full local privilege escalation to root, leading to complete compromise of affected Linux systems.

  • Unauthorized access to sensitive data, credentials, and running processes.

  • Container escape in cloud and Kubernetes environments due to the page cache being shared across containers and the host kernel.

  • Lateral movement across enterprise infrastructure and multi-tenant systems.

  • Disruption of CI/CD pipelines and cloud workloads affecting service availability.

  • Operational instability in production environments running vulnerable kernel versions.

  • Compromise of system trust boundaries without leaving forensic traces on disk, complicating detection and incident response.

Detection Method

Organizations should consider the following detection and monitoring actions:

  • Monitor Linux audit and system logs for anomalous privilege escalation events, particularly unexpected transitions from unprivileged users to root (UID 0) without corresponding sudo or authentication log entries.

  • Inspect kernel logs (dmesg, kern.log, syslog) for unexpected "NET: Registered PF_ALG protocol family" messages, particularly ones logged on demand well after system boot (300 or more seconds of uptime), which may indicate AF_ALG module loading triggered by the exploit rather than by normal system initialization.

  • Identify unexpected or unauthorized processes interacting with AF_ALG SEQPACKET sockets from unprivileged user contexts; the exploit requires binding an AF_ALG socket to the authencesn AEAD interface, which falls outside standard application behavior except within known disk-encryption toolchains (e.g., cryptsetup, veritysetup).

  • Monitor auth.log for malformed su log entries in which the invoking username is absent (e.g., "(to root) on pts/1" rather than "(to root) alice on pts/1"), which may indicate execution of a page-cache-modified /usr/bin/su.

    • Note that this signal is path-specific and should be treated as one indicator among several rather than a standalone detection.

  • Audit container runtime and orchestration logs (Docker, containerd, Kubernetes node logs) for signs of container escape attempts or host-level privilege escalation originating from workloads.

  • Review endpoint security telemetry (EDR) for abnormal process execution chains where non-privileged processes spawn root-level shells or access host-level resources without authorization, including abnormal parent-child process relationships such as a container process spawning a root shell.

  • Correlate AF_ALG socket activity with privilege escalation events and unexpected UID changes to build higher-confidence detections, as individual signals (e.g., on-demand PF_ALG loading or absent su username) may occur in benign scenarios.
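The log signals listed above, turned into a small correlation routine. This is an added example and not part of the advisory: it scans constructed dmesg and auth.log lines for late PF_ALG registration and for su-to-root records with a missing invoking username, and rates only the combination of two distinct signals as high confidence. The `[ seconds]` dmesg timestamp prefix and the syslog-style `su[pid]:` line layout are assumptions about the log formats.

```python
import re
from dataclasses import dataclass

# Logged when the AF_ALG socket family registers: normal at boot, but the
# advisory treats registration 300+ seconds into uptime as an on-demand load.
PF_ALG_MSG = "NET: Registered PF_ALG protocol family"
LATE_LOAD_SECONDS = 300.0
DMESG_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")
# Matches "(to root) alice on pts/1" and the malformed "(to root) on pts/1".
SU_RE = re.compile(r"su\[\d+\]: \(to (?P<target>\S+)\) (?:(?P<user>\S+) )?on (?P<tty>\S+)")

@dataclass
class Finding:
    signal: str
    line: str

def scan_dmesg(lines):
    """Flag PF_ALG registration at or after LATE_LOAD_SECONDS of uptime."""
    return [Finding("late_pf_alg_registration", ln) for ln in lines
            if (m := DMESG_RE.match(ln)) and m["msg"] == PF_ALG_MSG
            and float(m["ts"]) >= LATE_LOAD_SECONDS]

def scan_auth_log(lines):
    """Flag su-to-root records whose invoking username is absent."""
    return [Finding("su_missing_username", ln) for ln in lines
            if (m := SU_RE.search(ln)) and m["target"] == "root" and m["user"] is None]

def assess(dmesg_lines, auth_lines):
    """Correlate: two distinct signals give high confidence, one alone stays low."""
    findings = scan_dmesg(dmesg_lines) + scan_auth_log(auth_lines)
    signals = {f.signal for f in findings}
    confidence = "high" if len(signals) >= 2 else ("low" if signals else "none")
    return confidence, findings

# Constructed sample lines, not captured from a real incident.
SAMPLE_DMESG = [
    "[    2.417733] NET: Registered PF_INET protocol family",
    "[    3.102218] NET: Registered PF_ALG protocol family",  # boot-time: benign
    "[ 4821.556010] NET: Registered PF_ALG protocol family",  # on demand: suspicious
]
SAMPLE_AUTH = [
    "May  8 10:02:11 host su[2311]: (to root) alice on pts/1",
    "May  8 10:03:45 host su[2320]: (to root) on pts/1",
]

if __name__ == "__main__":
    level, hits = assess(SAMPLE_DMESG, SAMPLE_AUTH)
    print(level, [(f.signal, f.line) for f in hits])
```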

Indicators of Compromise

There are no Indicators of Compromise (IOCs) for this Advisory.


Recommendations

Organizations should implement the following measures:

  • Apply Linux kernel security updates provided by distribution vendors as the primary remediation.

    • Prioritize patching on internet-facing systems, Kubernetes worker nodes, CI/CD runners, shared jump hosts, and hosts running multi-tenant or untrusted workloads.

  • Upgrade to patched kernel versions through official distribution channels:

    • 6.18.22 or later (Upstream)

    • 6.19.12 or later (Upstream)

    • 7.0 final release or later (Upstream)

    • Distribution-specific backports for older LTS kernel streams (6.12.x, 6.6.x, 5.15.x, 5.10.x)

  • Confirm the patched kernel is the active running kernel after rebooting; kernel updates do not take effect until the system has restarted onto the new kernel.

  • Ubuntu organizations should apply the interim kmod update (USN-8226-1/USN-8226-2) immediately if full kernel patches are not yet available, as this disables the vulnerable algif_aead module.

  • RHEL-family organizations (RHEL, CloudLinux, AlmaLinux) should note that the modprobe-based workaround (install algif_aead /bin/false) does not function on these distributions because algif_aead is built directly into the kernel.

    • The correct interim mitigation for these systems is: grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init" followed by a system reboot, which prevents the AEAD AF_ALG interface from registering at boot.

  • Where supported, restrict AF_ALG socket creation via seccomp profiles or container runtime security policies to limit exposure on systems where immediate patching is not possible.

  • Avoid running systems on intermediate or partially patched kernel versions (6.18.19–6.18.21 and 6.19.10–6.19.11), as mitigations in those builds are incomplete.

  • Treat any container-level code execution as a potential host compromise and enforce rapid node recycling where compromise indicators are present.

  • Validate kernel version compliance across all Linux systems, including cloud images and containerized infrastructure, to confirm alignment with patched releases.

  • Monitor distribution security channels (RHSA, Ubuntu Security Notices, Debian Security Advisories) for patch availability updates, particularly for distributions where fixes were still pending as of this advisory's publication.
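A kernel version-compliance check implementing the thresholds above. This is an added example, not tooling from the advisory or any vendor: it parses a `uname -r` string against the fixed releases (6.18.22, 6.19.12, 7.0 final), the incomplete-mitigation builds (6.18.19–6.18.21, 6.19.10–6.19.11) and the older affected range where only a vendor backport can settle the question, and separately checks /proc/cmdline text for the RHEL-family initcall_blacklist mitigation. The status strings and sample release strings are the author's own.

```python
import re
# Fixed and incomplete-mitigation patch levels named in the advisory.
UPSTREAM_FIXED = {(6, 18): 22, (6, 19): 12}
INCOMPLETE_FROM = {(6, 18): 19, (6, 19): 10}
# Boot argument from the advisory's RHEL-family interim mitigation.
RHEL_FAMILY_MITIGATION = "initcall_blacklist=algif_aead_init"
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[.-]rc(\d+))?")

def parse_release(release):
    """Split a `uname -r` string into (major, minor, patch, rc); distro suffixes are ignored."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)

def classify_kernel(release):
    """Map a kernel release onto the advisory's upstream version ranges."""
    major, minor, patch, rc = parse_release(release)
    if (major, minor) < (4, 14):
        return "not in upstream affected range"
    if major >= 7:
        if (major, minor) == (7, 0) and rc is not None:
            return "vulnerable (7.0 pre-release)"
        return "patched"
    if (major, minor) in UPSTREAM_FIXED:
        if patch >= UPSTREAM_FIXED[(major, minor)]:
            return "patched"
        if patch >= INCOMPLETE_FROM[(major, minor)]:
            return "incomplete mitigation"
        return "vulnerable"
    # 4.14 .. 6.17 (incl. LTS 5.10/5.15/6.6/6.12): the upstream number alone cannot show a backport.
    return "vulnerable upstream; verify vendor backport"

def mitigation_on_cmdline(cmdline):
    """True when the RHEL-family boot-time workaround is active on this boot."""
    return RHEL_FAMILY_MITIGATION in cmdline.split()

def host_status(release, cmdline=""):
    """Combine kernel classification with the interim mitigation check."""
    status = classify_kernel(release)
    if status != "patched" and mitigation_on_cmdline(cmdline):
        return status + "; interim boot-time mitigation present"
    return status

if __name__ == "__main__":  # constructed release strings; on a live host use platform.release()
    for rel in ["6.18.20-generic", "6.18.22-generic", "7.0.0-rc3", "5.15.0-118-generic"]:
        print(f"{rel:22} {classify_kernel(rel)}")
```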

Conclusion

CVE-2026-31431 is a high-severity Linux kernel privilege escalation vulnerability affecting nearly all major distributions running kernels released since 2017. A publicly available, deterministic exploit has been confirmed across Ubuntu, Amazon Linux, RHEL, and SUSE environments. Active exploitation was confirmed when CISA added it to the KEV catalog on May 1, 2026. This vulnerability requires immediate prioritization for remediation. We urge organizations to apply vendor-released kernel patches as the primary fix, deploy interim mitigations if patches are unavailable, and treat any local code-execution foothold on a vulnerable system as a path to full root compromise.
