Security Advisory

Linux Kernel Local Privilege Escalation Vulnerability Risk Notice (CVE-2026-31431)

May 07, 2026

Update on May 8, 2026

Dear Alibaba Cloud User,

Alibaba Cloud Security has detected that a local privilege escalation vulnerability in the Linux Kernel has been publicly disclosed. The vulnerability is identified as CVE-2026-31431.

This vulnerability may allow a local low-privileged attacker to combine the AF_ALG cryptographic interface with the splice() system call to write 4 attacker-controlled bytes into the page cache of any readable file. An attacker may then tamper with setuid binaries to obtain root privileges. Official sources have also indicated that container scenarios may be affected, and we recommend paying close attention to such environments. To avoid potential impact on your business, we recommend that you conduct a security self-check as soon as possible and apply updates promptly if your systems are within the affected scope.

Vulnerability Details

Linux Kernel is one of the most widely used open-source operating system kernels in the world. It is the core component of Linux systems and is responsible for low-level tasks such as hardware resource management, process scheduling, memory management, file systems, and networking.

According to the disclosure, the vulnerability exists in the combined implementation of the Linux Kernel authencesn cryptographic template and the algif_aead module. In 2017, an in-place operation optimization was introduced into the AEAD decryption path of AF_ALG sockets through commit 72548b093ee3. This optimization directly linked target file page-cache pages passed by splice() into a writable output scatterlist.

When implementing IPsec Extended Sequence Number (ESN) support, the authencesn algorithm writes 4 bytes of data to the receive buffer at the offset assoclen + cryptlen as temporary storage in order to rearrange sequence-number bytes in the authentication data. When AF_ALG triggers the decryption operation through recvmsg(), this write crosses the receive-buffer boundary and directly overwrites the page-cache page linked behind it.

As a result, an attacker can perform a controlled 4-byte modification to the page cache of any readable file it can open. A local low-privileged attacker may ultimately obtain root privileges by tampering with the page-cache contents of any readable file on the system, such as setuid programs like /usr/bin/su, without requiring race conditions or retries. The write does not trigger dirty-page writeback to disk, so the on-disk file is unchanged, and it may lead to persistent privilege escalation and other risks.

The vulnerability details and PoC are currently publicly available.

Risk Level

High

Vulnerability Impact

A local attacker can exploit this vulnerability to tamper with the page-cache contents of any readable file on the system, such as setuid programs like /usr/bin/su, and directly obtain root privileges. The write does not trigger dirty-page writeback to disk and may lead to persistent privilege escalation and other risks.

Currently Known Affected Operating Systems and Versions

Ubuntu 25.10

Ubuntu 24.04 LTS

Ubuntu 22.04 LTS

Ubuntu 20.04 LTS

Ubuntu 18.04 LTS

Amazon Linux 2023

Red Hat Enterprise Linux 10

Red Hat Enterprise Linux 9

Red Hat Enterprise Linux 8

SUSE 16

Alinux 4

Alinux 2.1903

Alinux 3.2104

Alinux 3 Pro

Alinux 4 Agentic OS

Fixed Version

commit >= a664bf3d603d

Detection Methods

1. Check the kernel version: uname -r

2. Check whether the relevant kernel configuration option is enabled (recommended): grep CONFIG_CRYPTO_USER_API_AEAD /boot/config-$(uname -r)

Note: The following three cases may appear:

CONFIG_CRYPTO_USER_API_AEAD=n (written in the config file as "# CONFIG_CRYPTO_USER_API_AEAD is not set"): completely disabled and not affected.

CONFIG_CRYPTO_USER_API_AEAD=y: statically compiled into the kernel. It cannot be detected by lsmod, but the vulnerability exists and can be exploited, for example on CentOS 8.5.

CONFIG_CRYPTO_USER_API_AEAD=m: built as a module. It can be detected by lsmod, and there is risk once it is loaded.

3. Check whether the affected module has been loaded: lsmod | grep algif

4. Check whether an AF_ALG socket can be created: python3 -c "import socket; socket.socket(38,5,0); print('VULNERABLE')"

Note: A successful socket() call shows that the AF_ALG interface (address family 38) is reachable by unprivileged users; the algif_aead module itself is only loaded when such a socket is bound to an "aead" algorithm, so combine this check with steps 2 and 3.
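The four detection steps above combined into one defender-side self-check script. This is an added example and not part of the advisory; it assumes a Linux host where /boot/config-$(uname -r), lsmod and python3 are available, and reports "unknown" for whatever it cannot read. The helpers also accept the kernel's "# ... is not set" spelling, which the note above writes as =n.

```shell
#!/bin/sh
# Added example, not from the advisory: a defender-side self-check that
# follows the advisory's four detection steps for CVE-2026-31431.
# Assumes a Linux host; the classification helpers themselves run anywhere.

# Step 2: classify the CONFIG_CRYPTO_USER_API_AEAD line from the kernel config.
# Real configs spell "disabled" as "# CONFIG_... is not set" rather than "=n",
# so both forms are accepted; any other input (e.g. empty) is "unknown".
classify_aead_config() {
    case "$1" in
        CONFIG_CRYPTO_USER_API_AEAD=y) echo builtin ;;  # lsmod cannot see it; exposed
        CONFIG_CRYPTO_USER_API_AEAD=m) echo module ;;   # exposed once algif_aead is loaded
        CONFIG_CRYPTO_USER_API_AEAD=n) echo disabled ;;
        "# CONFIG_CRYPTO_USER_API_AEAD is not set") echo disabled ;;
        *) echo unknown ;;
    esac
}

# Step 3: is algif_aead listed in lsmod output? $1 is the captured lsmod text.
aead_module_loaded() {
    printf '%s\n' "$1" | grep -q '^algif_aead[[:space:]]'
}

# Combine steps 2 and 3 into one verdict. $1 = config class, $2 = yes/no
# for whether the module is currently loaded.
exposure_verdict() {
    case "$1" in
        builtin)  echo exposed ;;
        module)   if [ "$2" = yes ]; then echo exposed; else echo exposed-if-loaded; fi ;;
        disabled) echo not-exposed ;;
        *)        echo unknown ;;
    esac
}

# Steps 1 and 4 plus the helpers above, run against the live host. Every
# probe falls back to an empty result so the script also runs on a minimal box.
run_host_check() {
    kver=$(uname -r 2>/dev/null || echo unknown)
    cfg=$(grep CONFIG_CRYPTO_USER_API_AEAD "/boot/config-$kver" 2>/dev/null || true)
    class=$(classify_aead_config "$cfg")
    if aead_module_loaded "$(lsmod 2>/dev/null || true)"; then loaded=yes; else loaded=no; fi
    # Step 4: can an AF_ALG (family 38) SOCK_SEQPACKET (type 5) socket be created?
    if python3 -c 'import socket; socket.socket(38, 5, 0)' 2>/dev/null; then af_alg=yes; else af_alg=no; fi
    printf 'kernel=%s config=%s algif_aead_loaded=%s af_alg_socket=%s verdict=%s\n' \
        "$kver" "$class" "$loaded" "$af_alg" "$(exposure_verdict "$class" "$loaded")"
}

run_host_check
```

A verdict of "exposed" or "exposed-if-loaded" means the kernel should be checked against the fixed commit listed above; "af_alg_socket=yes" alone is an indicator, not a confirmation.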

Remediation Recommendations

1. Official patches and fixed versions have been released. After evaluating whether your business is affected, upgrade to a secure version: https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5

2. For users of Ubuntu, Debian, RHEL/CentOS, SUSE, and similar distributions, official security updates have not yet been released. Please pay close attention to the official security advisories:

Ubuntu: https://ubuntu.com/security/CVE-2026-31431

Debian: https://security-tracker.debian.org/tracker/CVE-2026-31431

RHEL/CentOS: https://access.redhat.com/security/cve/cve-2026-31431

SUSE: https://www.suse.com/security/cve/CVE-2026-31431.html

Mitigation Measures

1. Disable the kernel module (prevent it from being loaded).

This method may not be effective on all Linux systems, and executing the command may introduce unknown risks. We recommend testing it first in an environment identical to production and confirming that there is no impact before applying it.

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf

2. Unload the module if it is already loaded:

rmmod algif_aead 2>/dev/null

For systems where the module is statically compiled into the kernel, such as CentOS 8.5, this mitigation may not be effective. Updating to the official patched kernel is recommended.

3. In container scenarios, seccomp can be used to block the creation of AF_ALG sockets (address family 38) as a mitigation. The rule below matches socket() calls whose first argument (the domain) equals 38 and fails them with an error:

{
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "args": [
        {"index": 0, "value": 38, "op": "SCMP_CMP_EQ"}
      ]
    }
  ]
}

Note: This fragment contains only the rule; it must be merged into a complete seccomp profile (one that also sets a defaultAction, such as the container runtime's default profile) before being applied to containers.

We recommend backing up your data before performing any operations to avoid business disruption or data loss.

Alinux Remediation Guide

1. The Alinux Security Center has released the vulnerability details, affected scope, and remediation recommendations.

2. The CVE-2026-31431 kernel upgrade instructions provide detailed remediation steps and operational guidance for Alibaba Cloud Linux systems.

References

https://copy.fail/

https://xint.io/blog/copy-fail-linux-distributions

https://github.com/theori-io/copy-fail-CVE-2026-31431/

https://nvd.nist.gov/vuln/detail/CVE-2026-31431

We will continue to track further developments and provide updates as soon as they become available. We recommend that you update your systems promptly according to the guidance to ensure that your systems remain in the best protected state.

If you have any questions, please contact the relevant technical support team. We will make every effort to assist you with the upgrade and hardening process.

Alibaba Cloud Security