全部產品
Search
文件中心

Container Service for Kubernetes:漏洞CVE-2026-31431公告

更新時間:May 19, 2026

近日,互連網上披露了 Linux Kernel 存在本地許可權提升漏洞 CVE-2026-31431。該漏洞允許本地低許可權攻擊者利用 AF_ALG 加密介面與 splice() 系統調用,向任意可讀檔案的頁緩衝寫入受控的 4 位元組資料,進而篡改 setuid 二進位檔案獲得 root 許可權。該漏洞 CVSS 評分為 7.8(高危)。詳見 CVE-2026-31431GitHub 資訊安全諮詢

影響範圍

CVE-2026-31431 允許本地非特權攻擊者向系統頁緩衝(Page Cache)寫入資料,進而可能導致本地提權與容器逃逸。影響範圍如下:

解決方案

建議優先通過方案一:更換作業系統(推薦)完成修複。在升級鏡像發布前的過渡期,可參見方案二:過渡方案(seccomp 策略)降低風險。

方案一:更換作業系統(推薦)

節點池

  • 新增節點:推薦使用發行的官方修複鏡像版本建立節點池,具體版本號碼見下表。

  • 存量節點:通過更換作業系統的方式更新到最新官方修複版本鏡像。

    該修複需重啟節點。修複過程會在重啟前執行節點排水,導致業務重啟。請評估風險並在業務低峰期完成修複。

ACK 節點池鏡像的修複狀態如下。

重要

以下鏡像統計結果截至2026年05月08日 15:00(北京時間)。詳見作業系統鏡像發布記錄

OS類型

OS名稱

修複的OS版本及發布狀態

公用鏡像

Alibaba Cloud Linux 4 LTS 64位 容器最佳化版

aliyun_4_x64_20G_container_optimized_alibase_20260430.vhd(發行)

Alibaba Cloud Linux 4 LTS 64位 容器最佳化 ARM版

aliyun_4_arm64_20G_container_optimized_alibase_20260430.vhd(發行)

Alibaba Cloud Linux 3.2104 LTS 64位 容器最佳化版

aliyun_3_x64_20G_container_optimized_alibase_20260503.vhd(發行)

Alibaba Cloud Linux 3.2104 容器最佳化版 ARM版

aliyun_3_arm64_20G_container_optimized_alibase_20260503.vhd(發行)

ContainerOS

lifsea_3_x64_5G_alibase_20260507.qcow2(發行)

ContainerOS GPU

lifsea_3_x64_10G_alibase_nvidia_570_20260507.qcow2(發行)

Ubuntu 24.04

未發布

Ubuntu 22.04 ARM

未發布

自訂鏡像

需根據自訂鏡像 Linux 作業系統的官方發布指導進行相應更新。

雲市場鏡像

修複取決於各 Linux 鏡像發行方的更新,請關注 ECS 雲市場相關鏡像的更新發布。

混合雲節點池

需結合業務風險評估,根據各 Linux 作業系統發行方的指導自行進行升級。

靈駿節點池

具體影響範圍和解決方案將在相關內容發布後同步更新至本公告。如遇問題,請聯絡Container Service團隊。

方案二:過渡方案(seccomp 策略)

建議優先選擇方案一完成升級。在相關係統鏡像發布前,如需立即實施防護,可參見以下步驟。

使用 seccomp 策略可直接攔截 AF_ALG 的 Socket 建立行為,從核心入口處切斷攻擊面。

準備工作

實施前請確認:

  • 業務不依賴核心 AF_ALG 模組(該模組主要用於核心態密碼學加速,如 IPsec、libkcapi)。

  • 業務 Pod 的 securityContext.seccompProfile 欄位中尚未使用其他 Localhost 類型的 seccomp 配置。

1、部署 seccomp DaemonSet

該DaemonSet 會在叢集每個 Linux 節點上自動寫入 seccomp 策略檔案,無需逐節點操作。策略檔案就緒後,步驟 2中的業務 Pod 才能引用並生效。

  1. 儲存以下內容為 seccomp-block-AF_ALG.yaml

    DaemonSet 將在所有 Linux 節點的 /var/lib/kubelet/seccomp/profiles/ 目錄下寫入 seccomp-block-af_alg.json 策略檔案。

    展開查看YAML

    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: ack-cve-2026-31431-mitigate
      namespace: kube-system
      labels:
        app: ack-cve-2026-31431-mitigate
    spec:
      selector:
        matchLabels:
          app: ack-cve-2026-31431-mitigate
      template:
        metadata:
          labels:
            app: ack-cve-2026-31431-mitigate
        spec:
          priorityClassName: system-node-critical
          nodeSelector:
            kubernetes.io/os: linux
          tolerations:
            - operator: Exists
          containers:
            - name: mitigate
              image: registry-cn-hangzhou.ack.aliyuncs.com/acs/busybox:1.35
              command:
                - /bin/sh
                - -c
                - |
                  echo "=== CVE-2026-31431 Mitigation ==="
    
                  cat <<EOF > /kubelet-seccomp/seccomp-block-af_alg.json
                  {
                    "defaultAction": "SCMP_ACT_ERRNO",
                    "architectures": [
                      "SCMP_ARCH_X86_64",
                      "SCMP_ARCH_X86",
                      "SCMP_ARCH_X32",
                      "SCMP_ARCH_AARCH64",
                      "SCMP_ARCH_ARM"
                    ],
                    "syscalls": [
                      {
                        "names": ["socket"],
                        "action": "SCMP_ACT_ERRNO",
                        "args": [
                          {
                            "index": 0,
                            "value": 38,
                            "op": "SCMP_CMP_EQ"
                          }
                        ]
                      },
                      {
                        "names": ["socket"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [
                          {
                            "index": 0,
                            "value": 40,
                            "op": "SCMP_CMP_NE"
                          }
                        ]
                      },
                      {
                        "names": [
                          "accept", "accept4", "access", "adjtimex", "alarm", "bind", "brk",
                          "cachestat", "capget", "capset", "chdir", "chmod", "chown", "chown32",
                          "clock_adjtime", "clock_adjtime64", "clock_getres", "clock_getres_time64",
                          "clock_gettime", "clock_gettime64", "clock_nanosleep", "clock_nanosleep_time64",
                          "close", "close_range", "connect", "copy_file_range", "creat",
                          "dup", "dup2", "dup3",
                          "epoll_create", "epoll_create1", "epoll_ctl", "epoll_ctl_old",
                          "epoll_pwait", "epoll_pwait2", "epoll_wait", "epoll_wait_old",
                          "eventfd", "eventfd2", "execve", "execveat", "exit", "exit_group",
                          "faccessat", "faccessat2", "fadvise64", "fadvise64_64", "fallocate",
                          "fanotify_mark", "fchdir", "fchmod", "fchmodat", "fchmodat2",
                          "fchown", "fchown32", "fchownat", "fcntl", "fcntl64", "fdatasync",
                          "fgetxattr", "flistxattr", "flock", "fork", "fremovexattr", "fsetxattr",
                          "fstat", "fstat64", "fstatat64", "fstatfs", "fstatfs64", "fsync",
                          "ftruncate", "ftruncate64",
                          "futex", "futex_requeue", "futex_time64", "futex_wait", "futex_waitv", "futex_wake",
                          "futimesat", "getcpu", "getcwd", "getdents", "getdents64",
                          "getegid", "getegid32", "geteuid", "geteuid32",
                          "getgid", "getgid32", "getgroups", "getgroups32", "getitimer",
                          "getpeername", "getpgid", "getpgrp", "getpid", "getppid", "getpriority",
                          "getrandom", "getresgid", "getresgid32", "getresuid", "getresuid32",
                          "getrlimit", "get_robust_list", "getrusage", "getsid", "getsockname",
                          "getsockopt", "get_thread_area", "gettid", "gettimeofday",
                          "getuid", "getuid32", "getxattr", "getxattrat",
                          "inotify_add_watch", "inotify_init", "inotify_init1", "inotify_rm_watch",
                          "io_cancel", "ioctl", "io_destroy", "io_getevents",
                          "io_pgetevents", "io_pgetevents_time64", "ioprio_get", "ioprio_set",
                          "io_setup", "io_submit", "ipc", "kill",
                          "landlock_add_rule", "landlock_create_ruleset", "landlock_restrict_self",
                          "lchown", "lchown32", "lgetxattr", "link", "linkat", "listen",
                          "listmount", "listxattr", "listxattrat", "llistxattr", "_llseek",
                          "lremovexattr", "lseek", "lsetxattr",
                          "lsm_get_self_attr", "lsm_list_modules", "lsm_set_self_attr",
                          "lstat", "lstat64", "madvise", "membarrier", "memfd_create", "memfd_secret",
                          "mincore", "mkdir", "mkdirat", "mknod", "mknodat",
                          "mlock", "mlock2", "mlockall", "map_shadow_stack",
                          "mmap", "mmap2", "mprotect",
                          "mq_getsetattr", "mq_notify", "mq_open",
                          "mq_timedreceive", "mq_timedreceive_time64",
                          "mq_timedsend", "mq_timedsend_time64", "mq_unlink",
                          "mremap", "mseal", "msgctl", "msgget", "msgrcv", "msgsnd", "msync",
                          "munlock", "munlockall", "munmap",
                          "name_to_handle_at", "nanosleep", "newfstatat", "_newselect",
                          "open", "openat", "openat2", "pause",
                          "pidfd_open", "pidfd_send_signal", "pipe", "pipe2",
                          "pkey_alloc", "pkey_free", "pkey_mprotect",
                          "poll", "ppoll", "ppoll_time64", "prctl",
                          "pread64", "preadv", "preadv2", "prlimit64",
                          "process_mrelease", "pselect6", "pselect6_time64",
                          "pwrite64", "pwritev", "pwritev2",
                          "read", "readahead", "readlink", "readlinkat", "readv",
                          "recv", "recvfrom", "recvmmsg", "recvmmsg_time64", "recvmsg",
                          "remap_file_pages", "removexattr", "removexattrat",
                          "rename", "renameat", "renameat2", "restart_syscall", "rmdir", "rseq",
                          "rt_sigaction", "rt_sigpending", "rt_sigprocmask", "rt_sigqueueinfo",
                          "rt_sigreturn", "rt_sigsuspend", "rt_sigtimedwait", "rt_sigtimedwait_time64",
                          "rt_tgsigqueueinfo",
                          "sched_getaffinity", "sched_getattr", "sched_getparam",
                          "sched_get_priority_max", "sched_get_priority_min", "sched_getscheduler",
                          "sched_rr_get_interval", "sched_rr_get_interval_time64",
                          "sched_setaffinity", "sched_setattr", "sched_setparam",
                          "sched_setscheduler", "sched_yield", "seccomp", "select",
                          "semctl", "semget", "semop", "semtimedop", "semtimedop_time64",
                          "send", "sendfile", "sendfile64", "sendmmsg", "sendmsg", "sendto",
                          "setfsgid", "setfsgid32", "setfsuid", "setfsuid32",
                          "setgid", "setgid32", "setgroups", "setgroups32", "setitimer", "setpgid",
                          "setpriority", "setregid", "setregid32", "setresgid", "setresgid32",
                          "setresuid", "setresuid32", "setreuid", "setreuid32", "setrlimit",
                          "set_robust_list", "setsid", "setsockopt", "set_thread_area",
                          "set_tid_address", "setuid", "setuid32", "setxattr", "setxattrat",
                          "shmat", "shmctl", "shmdt", "shmget", "shutdown",
                          "sigaltstack", "signalfd", "signalfd4", "sigprocmask", "sigreturn",
                          "socketcall", "socketpair", "splice",
                          "stat", "stat64", "statfs", "statfs64", "statmount", "statx",
                          "symlink", "symlinkat", "sync", "sync_file_range", "syncfs", "sysinfo",
                          "tee", "tgkill", "time",
                          "timer_create", "timer_delete", "timer_getoverrun",
                          "timer_gettime", "timer_gettime64", "timer_settime", "timer_settime64",
                          "timerfd_create", "timerfd_gettime", "timerfd_gettime64",
                          "timerfd_settime", "timerfd_settime64",
                          "times", "tkill", "truncate", "truncate64", "ugetrlimit", "umask",
                          "uname", "unlink", "unlinkat", "uretprobe",
                          "utime", "utimensat", "utimensat_time64", "utimes",
                          "vfork", "vmsplice", "wait4", "waitid", "waitpid", "write", "writev",
                          "bpf", "chroot", "clone3", "fanotify_init", "fsconfig", "fsmount",
                          "fsopen", "fspick", "get_mempolicy", "io_uring_enter", "io_uring_register",
                          "io_uring_setup", "iopl", "ioperm", "kcmp", "keyctl", "add_key",
                          "request_key", "lookup_dcookie", "mbind", "migrate_pages", "mount",
                          "mount_setattr", "move_mount", "umount2", "move_pages", "nfsservctl",
                          "open_tree", "perf_event_open", "pidfd_getfd", "pivot_root",
                          "process_vm_readv", "process_vm_writev", "ptrace", "quotactl",
                          "quotactl_fd", "reboot", "set_mempolicy", "set_mempolicy_home_node",
                          "setdomainname", "sethostname", "setns", "swapon", "swapoff",
                          "syslog", "unshare", "userfaultfd", "vhangup"
                        ],
                        "action": "SCMP_ACT_ALLOW"
                      },
                      {
                        "names": ["personality"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [{ "index": 0, "value": 0, "op": "SCMP_CMP_EQ" }]
                      },
                      {
                        "names": ["personality"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [{ "index": 0, "value": 8, "op": "SCMP_CMP_EQ" }]
                      },
                      {
                        "names": ["personality"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [{ "index": 0, "value": 131072, "op": "SCMP_CMP_EQ" }]
                      },
                      {
                        "names": ["personality"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [{ "index": 0, "value": 131080, "op": "SCMP_CMP_EQ" }]
                      },
                      {
                        "names": ["personality"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [{ "index": 0, "value": 4294967295, "op": "SCMP_CMP_EQ" }]
                      },
                      {
                        "names": ["clone"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [{ "index": 0, "value": 2114060288, "op": "SCMP_CMP_MASKED_EQ", "valueTwo": 0 }]
                      },
                      {
                        "names": ["arch_prctl"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [{ "index": 0, "value": 4114, "op": "SCMP_CMP_NE" }]
                      }
                    ]
                  }
    
                  EOF
    
                  echo "=== Mitigation complete. Ensure that in the Pod's securityContext, the seccompProfile of type Localhost is set to the profile profiles/seccomp-block-af_alg.json. Sleeping to maintain DaemonSet ==="
                  sleep infinity
              resources:
                requests:
                  cpu: 10m
                  memory: 16Mi
                limits:
                  memory: 32Mi
              volumeMounts:
                - name: kubelet-seccomp-root
                  mountPath: /kubelet-seccomp
          volumes:
            - name: kubelet-seccomp-root
              hostPath:
                path: /var/lib/kubelet/seccomp/profiles
                type: DirectoryOrCreate
  2. 部署該檔案。

    kubectl apply -f seccomp-block-AF_ALG.yaml
  3. 部署完成後,確認策略檔案已寫入各節點。

    # 確認 DaemonSet 在所有節點上均已就緒
    kubectl -n kube-system get daemonset ack-cve-2026-31431-mitigate
    # 查看策略寫入日誌(預期輸出包含 "Mitigation complete")
    kubectl -n kube-system logs -l app=ack-cve-2026-31431-mitigate --tail=3

2、為業務 Pod 配置 seccomp Profile

寫入的策略檔案不會自動應用到 Pod,需要在 Pod 的securityContext中顯式引用。

  1. 配置 seccomp Profile。

    在業務 Pod 的 securityContext 中,將 seccomp 設定檔類型設定為 Localhost,並通過 localhostProfile 指定設定檔在節點上的相對路徑(相對於節點預設根目錄 /var/lib/kubelet/seccomp)。

    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/seccomp-block-af_alg.json
  2. 完成修改後,重啟業務 Pod。

  3. 觀察業務 Pod 是否工作正常:

    • 如果啟動成功,確認 seccomp 配置生效。

    • 如果啟動失敗,請及時復原上述模板修改。