A critical vulnerability (CVE-2026-31431) has been identified in the Linux kernel’s cryptographic subsystem. The flaw is a logic error in the AF_ALG interface that permits any unprivileged local user to achieve full root access on affected systems.
The vulnerability enables controlled modification of file data in kernel memory (page cache) without altering files on disk.
The issue resides in the algif_aead kernel module and the associated AF_ALG socket implementation. By leveraging standard Linux features (AF_ALG sockets combined with splice() and pipe() system calls), an attacker can perform a controlled 4-byte write into the system’s page cache.
This allows in-memory modification of any readable setuid-root binary (most commonly /usr/bin/su). When the modified binary is executed, the attacker’s payload is run with root privileges.
The complete attack can be executed using a single, compact Python script (approximately 732 bytes). No complex tools or additional privileges are required.
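Detection logic for the syscall combination described above, added here as an example and not taken from the advisory or any vendor tooling: it scans auditd SYSCALL records for unprivileged processes that both create an AF_ALG socket and call splice(). It assumes an x86_64 host whose audit rules already log the socket and splice syscalls; the log lines, PIDs and paths are constructed samples, and `suspicious_pids` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers and the AF_ALG address-family constant (38 = 0x26).
SYS_SOCKET, SYS_SPLICE, AF_ALG = 41, 275, 38

# Constructed auditd SYSCALL records for illustration (not from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=4242 uid=1000 comm="python3" exe="/usr/bin/python3.11"
type=SYSCALL msg=audit(1700000000.105:502): arch=c000003e syscall=275 success=yes exit=4 a0=5 a1=0 a2=6 a3=0 pid=4242 uid=1000 comm="python3" exe="/usr/bin/python3.11"
type=SYSCALL msg=audit(1700000001.200:510): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 pid=5150 uid=1000 comm="nginx" exe="/usr/sbin/nginx"
type=SYSCALL msg=audit(1700000001.210:511): arch=c000003e syscall=275 success=yes exit=512 a0=7 a1=0 a2=9 a3=0 pid=5150 uid=1000 comm="nginx" exe="/usr/sbin/nginx"
type=SYSCALL msg=audit(1700000002.300:520): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=7000 uid=1001 comm="tool" exe="/opt/example/tool"
type=SYSCALL msg=audit(1700000003.400:530): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=8000 uid=0 comm="daemon" exe="/opt/example/daemon"
type=SYSCALL msg=audit(1700000003.410:531): arch=c000003e syscall=275 success=yes exit=64 a0=5 a1=0 a2=6 a3=0 pid=8000 uid=0 comm="daemon" exe="/opt/example/daemon"
"""

# key=value pairs; values are either quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def suspicious_pids(log_text):
    """Return (pid, uid, exe) for non-root PIDs seen doing AF_ALG socket() and splice()."""
    seen, meta = defaultdict(set), {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Only native x86_64 records: syscall numbers differ on other arches.
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue
        pid, uid = rec.get("pid"), rec.get("uid")
        if pid is None or uid == "0" or rec.get("success") != "yes":
            continue
        nr = int(rec.get("syscall", -1))
        # auditd prints syscall arguments a0..a3 as hex without a 0x prefix.
        if nr == SYS_SOCKET and int(rec.get("a0", "0"), 16) == AF_ALG:
            seen[pid].add("af_alg")
        elif nr == SYS_SPLICE:
            seen[pid].add("splice")
        else:
            continue
        meta[pid] = (uid, rec.get("exe"))
    return sorted((p, *meta[p]) for p, s in seen.items() if s == {"af_alg", "splice"})

if __name__ == "__main__":
    for hit in suspicious_pids(SAMPLE_LOG):
        print("AF_ALG + splice by unprivileged process:", hit)
```

AF_ALG also has legitimate users, so hits are hunting leads to triage by executable path rather than confirmed exploitation.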