Summary
CVE-2026-31431 is a Linux kernel local privilege escalation vulnerability in the algif_aead component that may allow low-privileged users to gain root access. This article outlines affected systems, mitigation options, and required remediation actions.
Body
Overview
CVE-2026-31431 is a Linux kernel vulnerability affecting the algif_aead crypto interface. It allows a low-privileged local user to escalate privileges to root, including within containerized environments.
- Type: Local Privilege Escalation (LPE)
- Attack Vector: Local (low privileges required)
- Impact: Root-level system compromise
- Exploit Status: Public technical details and exploit methods available
References
Risk Summary
- Requires only local access
- Can be used post-compromise to gain root
- Affects containers and shared systems
- Public exploit information increases likelihood of abuse
Affected Systems
Affected Distributions
This vulnerability impacts most major Linux distributions, depending on kernel version and configuration:
- Debian / Ubuntu
- RHEL / CentOS / Rocky / AlmaLinux
- Oracle Linux
- SUSE / SLES
- Other distributions using affected upstream kernels
Impact is determined by kernel version and configuration, not distribution name alone.
Known Affected Kernel Versions
This table is based on currently available upstream and community research and should be updated as vendor advisories evolve.
| Kernel Range | Status |
| --- | --- |
| ~4.x – 6.x (post-2017 kernels with algif_aead) | Potentially vulnerable |
| Kernels with CONFIG_CRYPTO_USER_API_AEAD=y/m and without fix | Vulnerable |
| Vendor-patched kernels (varies by distro) | Not vulnerable |
Notes
- The vulnerable code path exists in kernels where algif_aead is present
- Many modern distributions include this functionality by default
- Vendor backports may fix the issue without obvious version changes
Always verify against vendor advisories rather than relying solely on version numbers.
Exposure Validation
Run:
grep CONFIG_CRYPTO_USER_API_AEAD /boot/config-$(uname -r)
Interpretation:
- =y → Built into kernel (always present)
- =m → Loadable module
- Not set → Likely not present (rare)
Mitigation / Workarounds
Mitigations are temporary risk reduction measures and do not replace patching.
Option A – Disable Module (If =m)
Add the following to a modprobe configuration file under /etc/modprobe.d/. The blacklist line stops alias-based autoloading; the install line makes any attempt to load the module by name, including the kernel's own module request, run /bin/false instead:
blacklist algif_aead
install algif_aead /bin/false
Then:
- Rebuild initramfs (if required)
- Reboot
Option B – Boot Parameter Mitigation (If =y)
initcall_blacklist=algif_aead_init
Example (grubby, as used on RHEL-family systems; other distributions set kernel parameters through their own bootloader configuration):
grubby --args "initcall_blacklist=algif_aead_init" --update-kernel ALL
Validate in non-production environments before deployment.
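The exposure check and the two mitigation options above, as an added shell example that is not part of this advisory: it classifies a kernel config file the way the Interpretation list does, then reports whether Option A or Option B is actually in place, including the half-applied case where only the blacklist line exists. File paths are parameters so it can run against saved copies as well as the live host; the /etc/modprobe.d/*.conf layout is an assumption about typical hosts.

```shell
#!/bin/sh
# Added example, not part of the original advisory: turn the Exposure Validation
# and Mitigation steps into repeatable, read-only checks. Paths are passed as
# arguments so the functions work on saved config/cmdline copies or the live host.

# classify_aead_config CONFIG_FILE -> builtin | module | absent
classify_aead_config() {
    if grep -q '^CONFIG_CRYPTO_USER_API_AEAD=y' "$1"; then echo builtin
    elif grep -q '^CONFIG_CRYPTO_USER_API_AEAD=m' "$1"; then echo module
    else echo absent
    fi
}

# mitigation_state KIND CMDLINE_FILE MODPROBE_DIR -> mitigated | partial | unmitigated | none
# KIND is the output of classify_aead_config.
mitigation_state() {
    kind="$1"; cmdline="$2"; mpdir="$3"
    case "$kind" in
    absent) echo none ;;
    builtin)
        # Option B: algif_aead_init may sit anywhere in a comma-separated initcall_blacklist list.
        if grep -Eq 'initcall_blacklist=[^[:space:]]*algif_aead_init' "$cmdline"; then echo mitigated
        else echo unmitigated; fi ;;
    module)
        # Option A: "blacklist" alone only stops alias-based autoloading; the kernel's own
        # request_module() path still loads the module unless an "install ..." override exists.
        bl=0; inst=0
        cat "$mpdir"/*.conf 2>/dev/null | grep -Eq '^[[:space:]]*blacklist[[:space:]]+algif_aead([[:space:]]|$)' && bl=1
        cat "$mpdir"/*.conf 2>/dev/null | grep -Eq '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]' && inst=1
        if [ $bl -eq 1 ] && [ $inst -eq 1 ]; then echo mitigated
        elif [ $bl -eq 1 ] || [ $inst -eq 1 ]; then echo partial
        else echo unmitigated; fi ;;
    esac
}

# report CONFIG_FILE CMDLINE_FILE MODPROBE_DIR -> "<kind> <state>" on one line
report() {
    kind=$(classify_aead_config "$1")
    echo "$kind $(mitigation_state "$kind" "$2" "$3")"
}

# Run against the live host when the running kernel's config is readable (changes nothing).
cfg="/boot/config-$(uname -r)"
if [ -r "$cfg" ]; then
    report "$cfg" /proc/cmdline /etc/modprobe.d
fi
```

A result of "module partial" means the blacklist line is present but the module can still be loaded on demand, so the install override from Option A is still missing.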
Remediation (Required)
Primary Fix
- Apply vendor-provided kernel patches as soon as available
Recommended Approach
- Apply mitigation immediately (if patch unavailable)
- Monitor vendor advisories
- Patch kernel promptly once fixes are released
- Reboot systems after patching
Prioritization Guidance
High Priority
- Multi-user systems
- Systems with SSH/user access
- CI/CD runners
- Container hosts (Kubernetes, Docker)
- Systems running untrusted workloads
Lower Priority
- Single-purpose systems with no local access
Detection & Monitoring
Focus on:
- Unexpected privilege escalation activity
- Processes gaining root from non-root users
- Suspicious activity in containers
- Anomalous kernel interactions
Key Takeaways
- This is a post-compromise escalation vulnerability
- Public exploit information increases risk
- Kernel patching is the only complete remediation
- Mitigations are conditional and temporary