Technical description
A deterministic logic flaw in the Linux kernel's cryptographic subsystem (the algif_aead module, the AF_ALG user-space interface for AEAD ciphers) allows an unprivileged local attacker to escalate to root by corrupting the kernel's shared page cache. The impact is most severe on Kubernetes clusters and container platforms: because the page cache is shared between containers and the host, a compromised container can modify the in-memory copies of privileged host executables without triggering file-integrity checks, since the files on disk remain unchanged. CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026, with a May 15 remediation deadline.
Attack vector
Local privilege escalation via a 732-byte Python script that exploits a time-of-check-to-time-of-use (TOCTOU) flaw during cryptographic operations. The exploit writes four attacker-controlled bytes past the legitimate buffer region, directly into the file page cache, which allows trusted executables such as sudo and su to be modified in memory while the on-disk files remain intact (so disk-based integrity checks do not detect the change). The exploit works deterministically across major distributions without modification.
Affected systems
Linux kernels 4.14 through 6.19.12 (released 2017 through 2026). Multi-tenant Linux hosts, Kubernetes clusters, container platforms, CI/CD runners, and cloud SaaS environments that run user-supplied code are at the highest risk. Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 have been confirmed vulnerable.
Mitigation
Apply vendor-issued kernel updates immediately. As an interim workaround, blacklist the algif_aead kernel module with 'echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf' and then unload any already-loaded instance with 'rmmod algif_aead'. The install directive makes modprobe run /bin/false instead of inserting the module, so it also blocks on-demand autoloading when a process first opens an AF_ALG AEAD socket; rmmod fails if the module is still in use, and the workaround does not apply where algif_aead is built into the kernel rather than compiled as a module, in which case only a kernel update helps. Both commands require root. Microsoft noted that exploitation remains limited to proof-of-concept testing as of May 1, 2026.
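As an added example (not part of the advisory and not vendor or distribution tooling), the following POSIX shell script reports whether a host's kernel falls inside the stated affected range, whether algif_aead is currently loaded, and whether the install directive from the workaround is present under /etc/modprobe.d; it only reports and changes nothing. The version range, module name and configuration path come from the advisory; the sample /proc/modules and modprobe inputs are constructed.

```shell
#!/bin/sh
# Exposure check for CVE-2026-31431. Added example, not vendor tooling; it assumes the
# advisory's affected range (4.14 through 6.19.12) and the 'install algif_aead /bin/false'
# workaround, and reports state without modifying it.

# 0 (true) if a kernel release string such as "6.8.0-45-generic" lies within 4.14 .. 6.19.12.
kernel_in_affected_range() {
    base=${1%%-*}                                  # drop the distro suffix after the first '-'
    IFS=. read -r maj min pat rest <<EOF
$base
EOF
    min=${min:-0}; pat=${pat:-0}
    v=$((maj * 1000000 + min * 1000 + pat))        # fold major.minor.patch into one integer
    [ "$v" -ge $((4 * 1000000 + 14 * 1000)) ] && [ "$v" -le $((6 * 1000000 + 19 * 1000 + 12)) ]
}

# 0 if algif_aead appears as a loaded module in /proc/modules-format text ("name size refs ...").
module_loaded_in() {
    printf '%s\n' "$1" | grep -q '^algif_aead '
}

# 0 if modprobe configuration text carries the install directive that stops algif_aead loading.
modprobe_blocks_in() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]'
}

# Constructed sample inputs (not captured from a real host) for exercising the checks offline.
SAMPLE_MODULES='algif_aead 16384 0 - Live 0x0000000000000000
af_alg 32768 1 algif_aead, Live 0x0000000000000000'
SAMPLE_MODULES_CLEAN='af_alg 32768 0 - Live 0x0000000000000000'
SAMPLE_CONF='# keep the AF_ALG AEAD interface off until the kernel is patched
install algif_aead /bin/false'

# Live report for the current host; run as: sh check.sh --check
check_host() {
    kv=$(uname -r)
    if kernel_in_affected_range "$kv"; then echo "kernel $kv: inside affected range"; else echo "kernel $kv: outside affected range"; fi
    if [ -r /proc/modules ] && module_loaded_in "$(cat /proc/modules)"; then echo "algif_aead: loaded"; else echo "algif_aead: not loaded"; fi
    if modprobe_blocks_in "$(cat /etc/modprobe.d/*.conf 2>/dev/null)"; then echo "modprobe: install directive present"; else echo "modprobe: no install directive, module can still autoload"; fi
}

if [ "${1:-}" = "--check" ]; then check_host; fi
```

A host that reports "inside affected range" together with "no install directive" is exposed until the kernel update is applied, regardless of whether the module is loaded at that moment.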