CVE-2026-31431 is a Linux kernel local privilege escalation vulnerability (CVSS 7.8, High). A low-privilege attacker can use the AF_ALG cryptographic interface with the splice() system call to write four attacker-controlled bytes to any readable file's page cache, tamper with setuid binaries, and gain root privileges. See the CVE-2026-31431 record, the GitHub Security Advisory,.
Scope of impact
CVE-2026-31431 allows a local, unprivileged attacker to write to the page cache, which can lead to local privilege escalation and container escape. The following resources are affected:
Linux nodes in node pools of ACK managed clusters, including node pools, Lingjun node pools, and hybrid cloud node pools.
Resolution
Follow Solution 1: Change the operating system (recommended) to remediate this vulnerability. Before patched images are released, use Solution 2: Interim mitigation (seccomp policy) to reduce risk.
Solution 1: Change the operating system (recommended)
Node pools
New nodes: Create node pools with the patched image versions listed in the following table.
Existing nodes: Use the change the operating system feature to update nodes to the latest patched image.
This fix requires a node reboot. The update process drains the node before rebooting, causing workloads to restart. Assess the impact and perform this update during off-peak hours.
The following table shows the patch status for ACK node pool images.
The information in the following table is current as of 15:00 (UTC+8) on May 8, 2026. See the OS image release notes.
OS type | OS name | Patched version and release status |
Public image | Alibaba Cloud Linux 4 LTS 64-bit Container-Optimized | aliyun_4_x64_20G_container_optimized_alibase_20260430.vhd (Released) |
Alibaba Cloud Linux 4 LTS 64-bit Container-Optimized for ARM | aliyun_4_arm64_20G_container_optimized_alibase_20260430.vhd (Released) | |
Alibaba Cloud Linux 3.2104 LTS 64-bit Container-Optimized | aliyun_3_x64_20G_container_optimized_alibase_20260503.vhd (Released) | |
Alibaba Cloud Linux 3.2104 Container-Optimized for ARM | aliyun_3_arm64_20G_container_optimized_alibase_20260503.vhd (Released) | |
ContainerOS | lifsea_3_x64_5G_alibase_20260507.qcow2 (Released) | |
ContainerOS GPU | lifsea_3_x64_10G_alibase_nvidia_570_20260507.qcow2 (Released) | |
Ubuntu 24.04 | To be released | |
Ubuntu 22.04 ARM | To be released | |
Custom image | You must update your images based on the official guidance from your Linux OS vendor. | |
Marketplace image | The fix depends on updates from Linux image providers. Monitor the ECS images on Alibaba Cloud Marketplace for updates. | |
Hybrid cloud node pools
Assess business risks and upgrade nodes based on your Linux OS vendor's guidance.
Lingjun node pools
This advisory will be updated with impact and resolution details for Lingjun node pools as they become available. Contact the ACK team for questions.
Solution 2: Interim mitigation (seccomp policy)
Solution 1 We recommend that you prioritize Solution 1 to fully remediate this vulnerability. Until patched images are released for your OS, you can apply the following steps as an interim mitigation.
A seccomp policy blocks AF_ALG socket creation, closing the attack vector at the kernel level.
Prerequisites
Before you begin, confirm the following:
Your workloads do not depend on the
AF_ALGkernel module (used for kernel-space cryptographic acceleration, such as IPsec or libkcapi).No other Localhost-type
seccompprofile is configured in thesecurityContext.seccompProfilefield of your workload Pods.
1. Deploy the seccomp DaemonSet
This DaemonSet writes a seccomp policy file to each Linux node in your cluster. After the file is created, apply the policy by referencing it in your workload Pods as described in Step 2.
Save the following YAML manifest as
seccomp-block-AF_ALG.yaml.The DaemonSet writes
seccomp-block-af_alg.jsonto/var/lib/kubelet/seccomp/profiles/on all Linux nodes.Apply the manifest to deploy the DaemonSet.
kubectl apply -f seccomp-block-AF_ALG.yamlAfter deployment, verify that the policy file is written to each node.
# Verify that the DaemonSet is ready on all nodes. kubectl -n kube-system get daemonset ack-cve-2026-31431-mitigate # Check the logs to confirm the policy was written. The output should include "Mitigation complete". kubectl -n kube-system logs -l app=ack-cve-2026-31431-mitigate --tail=3
2. Configure a seccomp profile for an application Pod
The policy file is not applied to Pods automatically. Explicitly reference it in the securityContext of each workload Pod.
Configure the
seccompprofile.In the
securityContextof your workload Pod, setseccompProfiletype toLocalhostand uselocalhostProfileto specify the path relative to the node's seccomp root directory (/var/lib/kubelet/seccomp).securityContext: seccompProfile: type: Localhost localhostProfile: profiles/seccomp-block-af_alg.jsonAfter applying the changes, restart your workload Pods.
Monitor the workload Pods to confirm they run correctly:
If Pods start successfully, the
seccompprofile is active and mitigation is in effect.If Pods fail to start or crash, roll back the changes immediately.