CVSS score 7.8 Severity High CVE-2026-31431 Linux kernel
Highly easy root exploit (at least locally).
kernel.org kernel patched, various states for various distros,
if your distro doesn't have patch/update out yet, expect it soon.
Appears (I've not vetted it) there's also effective work-around to close
the hole in existing running kernels, apparently, e.g.:
Disable the algif_aead kernel module. This breaks nothing for the vast
majority of systems; dm-crypt, LUKS, IPsec, TLS, SSH, and standard
OpenSSL/GnuTLS builds all use the in-kernel crypto API directly and do
not go through AF_ALG:

    echo 'install algif_aead /bin/false' >/etc/modprobe.d/disable-algif.conf
    rmmod algif_aead 2>/dev/null || true

For containerized or multi-tenant workloads, block AF_ALG socket
creation via seccomp policy regardless of patch state.
Proof-of-concept exploit already published, likely expect active exploit
attempts soon, if they've not already started.
Looks like the bug has been in Linux kernels for about 9 years.
Select references:
https://www.cve.org/CVERecord?id=CVE-2026-31431
https://www.cyberkendra.com/2026/04/a-732-byte-python-script-can-get-root.html
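
Added example, not part of the original post or of the referenced article: a shell audit of whether the algif_aead work-around quoted above is actually in effect on a host. The function names, exit codes and the `--check` flag are this example's own. It also looks at `modules.builtin`, because a modprobe `install` override does nothing when the code is compiled into the kernel.

```shell
#!/bin/sh
# Added example: audit the algif_aead work-around on a host.
# Function names, exit codes and the --check flag are this example's own.
# Paths are parameters so the checks can be run against a fixture.

# True if a *.conf file in modprobe.d dir $1 has an active (uncommented)
# "install algif_aead <command>" line. modprobe treats '-' and '_' alike.
has_install_override() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*install[[:space:]]+algif[_-]aead[[:space:]]+[^[:space:]]' "$f"; then
            return 0
        fi
    done
    return 1
}

# True if the module is loaded right now ($1 is /proc/modules or a copy).
is_loaded() { grep -q '^algif_aead ' "$1"; }

# True if the code is compiled into the kernel ($1 is modules.builtin).
is_builtin() { [ -f "$1" ] && grep -q '/algif_aead\.ko' "$1"; }

# Returns 0 blocked, 1 loadable on demand, 2 loaded now, 3 built in.
audit_algif() {
    if is_builtin "$3"; then
        echo "BUILTIN: algif_aead is compiled in; a modprobe override cannot disable it"
        return 3
    fi
    if is_loaded "$2"; then
        echo "LOADED: algif_aead is loaded now; rmmod it"
        return 2
    fi
    if ! has_install_override "$1"; then
        echo "LOADABLE: no install override in $1; module can still be loaded on demand"
        return 1
    fi
    echo "BLOCKED: not built in, not loaded, install override present"
    return 0
}

# Run against the live system only when asked to: sh audit.sh --check
if [ "${1:-}" = "--check" ]; then
    audit_algif /etc/modprobe.d /proc/modules "/lib/modules/$(uname -r)/modules.builtin"
fi
```

Only `/etc/modprobe.d` is scanned in the live check, since that is where the quoted command writes its file.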