Tags: linux, kernel, lpe, crypto, cve

CVE-2026-31431 — Linux Kernel LPE via algif_aead Buffer Confusion

A HIGH-severity local privilege escalation in the Linux kernel crypto subsystem. Affects nearly every kernel from 4.14 onward, actively exploited, CISA KEV listed.

2026-05-28

Overview

CVE-2026-31431 is a local privilege escalation (LPE) vulnerability in the Linux kernel's crypto subsystem, specifically in the algif_aead interface. It was added to CISA's Known Exploited Vulnerabilities catalog on 2026-05-01 with a remediation deadline of 2026-05-15 — a 14-day window that most organisations missed.

Field      Value
CVE ID     CVE-2026-31431
CVSS 3.1   7.8 HIGH
Vector     AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE        CWE-669 — Incorrect Resource Transfer Between Spheres
Type       Local Privilege Escalation
Exploited  Yes — public PoC available
CISA KEV   Added 2026-05-01

Background: what is algif_aead?

The Linux kernel exposes its cryptographic primitives to userspace through the AF_ALG socket interface. algif_aead is the AEAD (Authenticated Encryption with Associated Data) component — it lets unprivileged processes use kernel-side AES-GCM, ChaCha20-Poly1305, and similar constructs without copying data through /dev.

When you send data to an AEAD socket, the kernel decides between in-place (source == destination buffer) and out-of-place (separate buffers) operation modes. The distinction matters because AEAD algorithms need to handle the authentication tag differently depending on the layout.

The vulnerability

The bug is a logic error in the fallback from in-place to out-of-place handling: when the source and destination buffers originate from different memory mappings, the kernel still treats the request as an in-place operation. The result is an incorrect resource transfer between memory spheres (CWE-669): a buffer confusion that corrupts adjacent kernel memory.

In practical terms: a low-privileged local process can craft a sequence of AF_ALG socket operations with carefully mapped buffers to trigger this path, corrupt kernel heap memory, and escalate to root.

The attack path:

  1. Open an AF_ALG socket of type aead
  2. Set up source and destination buffers in distinct mappings
  3. Trigger the in-place/out-of-place confusion during a sendmsg + recvmsg cycle
  4. Leverage the resulting heap corruption to overwrite a credential structure or hijack a kernel function pointer

No special privileges required — any user with access to AF_ALG sockets can exploit this.

Affected versions

The vulnerability spans a wide range of stable kernel branches:

Branch   Affected range
4.x      4.14 → 5.10.253
5.x      5.11 → 5.15.203 / 5.16 → 6.1.169
6.x      6.2 → 6.6.136 / 6.7 → 6.12.84 / 6.13 → 6.18.21 / 6.19 → 6.19.11
7.x      Release candidates

Downstream distributions confirmed affected: Ubuntu (14.04 through 25.10 LTS), Debian 11/12/13, RHEL 8/9/10, Amazon Linux, SUSE variants.

Exploitation status

Public proof-of-concept code is available. The exploit has been documented on oss-security mailing lists since late April 2026 and PoC repositories appeared on GitHub within days of disclosure.

CISA's 14-day remediation window reflects real in-the-wild activity. Treat this as actively exploited on any internet-facing Linux system where untrusted local users can run code — shared hosting, CI runners, multi-tenant containers without proper namespace isolation.
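On shared systems, the exploit path above begins with an AF_ALG socket, and legitimate AF_ALG use is rare on most servers, so socket creation with that address family is a cheap thing to audit while you work through the patch backlog. The script below is an added example, not code from the original post or from Pentalpina: it shows the auditd rule that records such calls and a small awk summariser run over constructed audit records. AF_ALG is address family 38 (0x26 in auditd's hex argument fields) and socket(2) is syscall 41 on x86_64; the key name af_alg_socket and the sample records are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): log and summarise AF_ALG socket
# creation with auditd. AF_ALG is address family 38 (0x26); on x86_64 socket(2)
# is syscall 41. The key name "af_alg_socket" is a label chosen here.
#
# Rule to load with auditctl (or drop into /etc/audit/rules.d/):
#   -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg_socket

# Constructed sample records in auditd's SYSCALL format. The AF_ALG calls
# carry a0=26 (hex for 38); the AF_INET call carries a0=2 and is ignored.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1716900000.101:4567): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=2201 pid=2345 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="a.out" exe="/tmp/a.out" key="af_alg_socket"
type=PROCTITLE msg=audit(1716900000.101:4567): proctitle="./a.out"
type=SYSCALL msg=audit(1716900000.202:4568): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 items=0 ppid=2201 pid=2345 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="a.out" exe="/tmp/a.out" key="af_alg_socket"
type=SYSCALL msg=audit(1716900000.303:4569): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1716900000.404:4570): arch=c000003e syscall=41 success=yes exit=5 a0=26 a1=5 a2=0 a3=0 items=0 ppid=3000 pid=3001 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=5 comm="python3" exe="/usr/bin/python3" key="af_alg_socket"'

# Read SYSCALL records on stdin, keep socket(2) calls whose first argument is
# AF_ALG, and print "uid comm count" with the busiest caller first.
af_alg_hits() {
    awk '
        /type=SYSCALL/ && / syscall=41 / && / a0=26 / {
            uid = ""; comm = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "uid")  uid = kv[2]
                if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            }
            count[uid " " comm]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr
}

# Summarise the constructed sample. In production, feed real records instead:
#   ausearch -k af_alg_socket --raw | af_alg_hits
sample_summary() {
    printf '%s\n' "$SAMPLE_AUDIT" | af_alg_hits
}
```

A non-zero count from a uid or binary you cannot account for (a CI job runner, an interactive user on a shared host) is worth a look; some crypto libraries do use AF_ALG legitimately, so baseline what is normal for the host before alerting on every hit.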

Remediation

Patch first. Apply the relevant stable-branch kernel patch for your version.

# Check your current kernel
uname -r

# Debian / Ubuntu: fixed kernels ship as a new package (new ABI string), so
# upgrading the running image's package by name will not pull them in;
# upgrade the distribution's kernel meta package instead
apt-get update && apt-get install --only-upgrade linux-image-amd64     # Debian
apt-get update && apt-get install --only-upgrade linux-image-generic   # Ubuntu

# RHEL / Rocky / Alma
dnf update kernel

# Reboot into the new kernel, then verify
uname -r
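Comparing uname -r against the ranges in the affected-versions table by eye is error-prone across a fleet, so the script below, an added example that is not code from the original post or from Pentalpina, encodes those ranges and reports whether a given version string falls inside one. It assumes the ranges are inclusive at both ends and that a 7.x "-rcN" version counts as affected, as the table states; the file name check.sh is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): test a kernel version string
# against the affected ranges listed above for CVE-2026-31431.

# Inclusive ranges "lo:hi", copied from the table above. 7.x release
# candidates are handled separately because they carry an "-rcN" suffix.
AFFECTED_RANGES="4.14.0:5.10.253 5.11.0:5.15.203 5.16.0:6.1.169 6.2.0:6.6.136 6.7.0:6.12.84 6.13.0:6.18.21 6.19.0:6.19.11"

# Map "MAJOR.MINOR[.PATCH][-suffix]" to one integer so ranges can be compared
# with -ge/-le. "-91-generic", "-rc3" and similar suffixes are discarded;
# a missing PATCH counts as 0.
version_key() {
    base=${1%%-*}
    major=${base%%.*}
    rest=${base#*.}
    if [ "$rest" = "$base" ]; then
        minor=0
        patch=0
    else
        minor=${rest%%.*}
        patch=${rest#*.}
        if [ "$patch" = "$rest" ]; then
            patch=0
        fi
        patch=${patch%%.*}
    fi
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Returns 0 when the version lies inside an affected range, 1 otherwise.
kernel_affected() {
    case "$1" in
        7.*-rc*) return 0 ;;     # 7.x release candidates are listed as affected
    esac
    key=$(version_key "$1")
    for range in $AFFECTED_RANGES; do
        lo=$(version_key "${range%%:*}")
        hi=$(version_key "${range#*:}")
        if [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Human-readable verdict; the exit status mirrors kernel_affected.
report() {
    if kernel_affected "$1"; then
        echo "$1: inside an affected range for CVE-2026-31431 (check the distro changelog for a backported fix)"
        return 0
    fi
    echo "$1: outside the listed affected ranges"
    return 1
}

# Entry point: "sh check.sh $(uname -r)" reports on the running kernel; with no
# argument only the functions are defined (handy for sourcing).
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

One caveat on reading the verdict: distribution kernels such as Ubuntu's 5.15.0-91-generic expose the base ABI version, not the stable patch level, and distributions backport fixes without bumping it, so a hit on a distro kernel means "confirm against the package changelog or advisory", while a hit on an upstream stable version is conclusive.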

Temporary mitigation if patching is not immediately possible — block AF_ALG socket creation for unprivileged users:

# Debian/Ubuntu-specific sysctl: disables unprivileged user-namespace creation.
# Not persistent across reboots; add it to a file under /etc/sysctl.d/ to keep it.
sysctl -w kernel.unprivileged_userns_clone=0

Note: this sysctl governs unprivileged user namespaces, so it may break containerised workloads that rely on them, and the key only exists on Debian/Ubuntu kernels (the upstream equivalent is user.max_user_namespaces=0). It narrows what an unprivileged user can reach rather than removing the vulnerable code, so it is a stopgap, not a substitute for the patch. Test before applying in production.

Retest guidance: after patching, verify the fix by checking the kernel version against the patched ranges. If you have a previous report covering this finding, request a retest — Pentalpina includes retest of all HIGH and CRITICAL findings within 30 days.

Key takeaway

algif_aead has been present in the kernel since 3.8. The interface is obscure enough that most security teams don't think about it, yet it is available to any unprivileged local user on a default configuration. LPE bugs in crypto interfaces follow a pattern: low visibility, high impact, slow patch adoption. If you run shared Linux infrastructure and have not patched for this, assume any user-level code execution can become root.

Worried about your exposure?

Not sure whether this affects your stack? I can take a look: the scoping call is free, with no commitment.

Get in touch