全部产品
Search
文档中心

容器服务 Kubernetes 版 ACK:漏洞CVE-2026-31431公告

更新时间:May 18, 2026

近日,互联网上披露了 Linux Kernel 存在本地权限提升漏洞 CVE-2026-31431。该漏洞允许本地低权限攻击者利用 AF_ALG 加密接口与 splice() 系统调用,向任意可读文件的页缓存写入受控的 4 字节数据,进而篡改 setuid 二进制文件获得 root 权限。该漏洞 CVSS 评分为 7.8(高危)。详见 CVE-2026-31431GitHub 安全公告

影响范围

CVE-2026-31431 允许本地非特权攻击者向系统页缓存(Page Cache)写入数据,进而可能导致本地提权与容器逃逸。影响范围如下:

解决方案

建议优先通过方案一:更换操作系统(推荐)完成修复。在升级镜像发布前的过渡期,可参见方案二:过渡方案(seccomp 策略)降低风险。

方案一:更换操作系统(推荐)

节点池

  • 新增节点:推荐使用已发布的官方修复镜像版本创建节点池,具体版本号见下表。

  • 存量节点:通过更换操作系统的方式更新到最新官方修复版本镜像。

    该修复需重启节点。修复过程会在重启前执行节点排水,导致业务重启。请评估风险并在业务低峰期完成修复。

ACK 节点池镜像的修复状态如下。

重要

以下镜像统计结果截至2026年05月08日 15:00(北京时间)。详见操作系统镜像发布记录

OS类型

OS名称

修复的OS版本及发布状态

公共镜像

Alibaba Cloud Linux 4 LTS 64位 容器优化版

aliyun_4_x64_20G_container_optimized_alibase_20260430.vhd(已发布)

Alibaba Cloud Linux 4 LTS 64位 容器优化 ARM版

aliyun_4_arm64_20G_container_optimized_alibase_20260430.vhd(已发布)

Alibaba Cloud Linux 3.2104 LTS 64位 容器优化版

aliyun_3_x64_20G_container_optimized_alibase_20260503.vhd(已发布)

Alibaba Cloud Linux 3.2104 容器优化版 ARM版

aliyun_3_arm64_20G_container_optimized_alibase_20260503.vhd(已发布)

ContainerOS

lifsea_3_x64_5G_alibase_20260507.qcow2(已发布)

ContainerOS GPU

lifsea_3_x64_10G_alibase_nvidia_570_20260507.qcow2(已发布)

Ubuntu 24.04

未发布

Ubuntu 22.04 ARM

未发布

自定义镜像

需根据自定义镜像 Linux 操作系统的官方发布指导进行相应更新。

云市场镜像

修复取决于各 Linux 镜像发行方的更新,请关注 ECS 云市场相关镜像的更新发布。

混合云节点池

需结合业务风险评估,根据各 Linux 操作系统发行方的指导自行进行升级。

灵骏节点池

具体影响范围和解决方案将在相关内容发布后同步更新至本公告。如遇问题,请联系容器服务团队。

方案二:过渡方案(seccomp 策略)

建议优先选择方案一完成升级。在相关系统镜像发布前,如需立即实施防护,可参见以下步骤。

使用 seccomp 策略可直接拦截 AF_ALG 的 Socket 创建行为,从内核入口处切断攻击面。

准备工作

实施前请确认:

  • 业务不依赖内核 AF_ALG 模块(该模块主要用于内核态密码学加速,如 IPsec、libkcapi)。

  • 业务 Pod 的 securityContext.seccompProfile 字段中尚未使用其他 Localhost 类型的 seccomp 配置。

1、部署 seccomp DaemonSet

该DaemonSet 会在集群每个 Linux 节点上自动写入 seccomp 策略文件,无需逐节点操作。策略文件就绪后,步骤 2中的业务 Pod 才能引用并生效。

  1. 保存以下内容为 seccomp-block-AF_ALG.yaml

    DaemonSet 将在所有 Linux 节点的 /var/lib/kubelet/seccomp/profiles/ 目录下写入 seccomp-block-af_alg.json 策略文件。

    展开查看YAML

    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: ack-cve-2026-31431-mitigate
      namespace: kube-system
      labels:
        app: ack-cve-2026-31431-mitigate
    spec:
      selector:
        matchLabels:
          app: ack-cve-2026-31431-mitigate
      template:
        metadata:
          labels:
            app: ack-cve-2026-31431-mitigate
        spec:
          priorityClassName: system-node-critical
          nodeSelector:
            kubernetes.io/os: linux
          tolerations:
            - operator: Exists
          containers:
            - name: mitigate
              image: registry-cn-hangzhou.ack.aliyuncs.com/acs/busybox:1.35
              command:
                - /bin/sh
                - -c
                - |
                  echo "=== CVE-2026-31431 Mitigation ==="
    
                  cat <<EOF > /kubelet-seccomp/seccomp-block-af_alg.json
                  {
                    "defaultAction": "SCMP_ACT_ERRNO",
                    "architectures": [
                      "SCMP_ARCH_X86_64",
                      "SCMP_ARCH_X86",
                      "SCMP_ARCH_X32",
                      "SCMP_ARCH_AARCH64",
                      "SCMP_ARCH_ARM"
                    ],
                    "syscalls": [
                      {
                        "names": ["socket"],
                        "action": "SCMP_ACT_ERRNO",
                        "args": [
                          {
                            "index": 0,
                            "value": 38,
                            "op": "SCMP_CMP_EQ"
                          }
                        ]
                      },
                      {
                        "names": ["socket"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [
                          {
                            "index": 0,
                            "value": 40,
                            "op": "SCMP_CMP_NE"
                          }
                        ]
                      },
                      {
                        "names": [
                          "accept", "accept4", "access", "adjtimex", "alarm", "bind", "brk",
                          "cachestat", "capget", "capset", "chdir", "chmod", "chown", "chown32",
                          "clock_adjtime", "clock_adjtime64", "clock_getres", "clock_getres_time64",
                          "clock_gettime", "clock_gettime64", "clock_nanosleep", "clock_nanosleep_time64",
                          "close", "close_range", "connect", "copy_file_range", "creat",
                          "dup", "dup2", "dup3",
                          "epoll_create", "epoll_create1", "epoll_ctl", "epoll_ctl_old",
                          "epoll_pwait", "epoll_pwait2", "epoll_wait", "epoll_wait_old",
                          "eventfd", "eventfd2", "execve", "execveat", "exit", "exit_group",
                          "faccessat", "faccessat2", "fadvise64", "fadvise64_64", "fallocate",
                          "fanotify_mark", "fchdir", "fchmod", "fchmodat", "fchmodat2",
                          "fchown", "fchown32", "fchownat", "fcntl", "fcntl64", "fdatasync",
                          "fgetxattr", "flistxattr", "flock", "fork", "fremovexattr", "fsetxattr",
                          "fstat", "fstat64", "fstatat64", "fstatfs", "fstatfs64", "fsync",
                          "ftruncate", "ftruncate64",
                          "futex", "futex_requeue", "futex_time64", "futex_wait", "futex_waitv", "futex_wake",
                          "futimesat", "getcpu", "getcwd", "getdents", "getdents64",
                          "getegid", "getegid32", "geteuid", "geteuid32",
                          "getgid", "getgid32", "getgroups", "getgroups32", "getitimer",
                          "getpeername", "getpgid", "getpgrp", "getpid", "getppid", "getpriority",
                          "getrandom", "getresgid", "getresgid32", "getresuid", "getresuid32",
                          "getrlimit", "get_robust_list", "getrusage", "getsid", "getsockname",
                          "getsockopt", "get_thread_area", "gettid", "gettimeofday",
                          "getuid", "getuid32", "getxattr", "getxattrat",
                          "inotify_add_watch", "inotify_init", "inotify_init1", "inotify_rm_watch",
                          "io_cancel", "ioctl", "io_destroy", "io_getevents",
                          "io_pgetevents", "io_pgetevents_time64", "ioprio_get", "ioprio_set",
                          "io_setup", "io_submit", "ipc", "kill",
                          "landlock_add_rule", "landlock_create_ruleset", "landlock_restrict_self",
                          "lchown", "lchown32", "lgetxattr", "link", "linkat", "listen",
                          "listmount", "listxattr", "listxattrat", "llistxattr", "_llseek",
                          "lremovexattr", "lseek", "lsetxattr",
                          "lsm_get_self_attr", "lsm_list_modules", "lsm_set_self_attr",
                          "lstat", "lstat64", "madvise", "membarrier", "memfd_create", "memfd_secret",
                          "mincore", "mkdir", "mkdirat", "mknod", "mknodat",
                          "mlock", "mlock2", "mlockall", "map_shadow_stack",
                          "mmap", "mmap2", "mprotect",
                          "mq_getsetattr", "mq_notify", "mq_open",
                          "mq_timedreceive", "mq_timedreceive_time64",
                          "mq_timedsend", "mq_timedsend_time64", "mq_unlink",
                          "mremap", "mseal", "msgctl", "msgget", "msgrcv", "msgsnd", "msync",
                          "munlock", "munlockall", "munmap",
                          "name_to_handle_at", "nanosleep", "newfstatat", "_newselect",
                          "open", "openat", "openat2", "pause",
                          "pidfd_open", "pidfd_send_signal", "pipe", "pipe2",
                          "pkey_alloc", "pkey_free", "pkey_mprotect",
                          "poll", "ppoll", "ppoll_time64", "prctl",
                          "pread64", "preadv", "preadv2", "prlimit64",
                          "process_mrelease", "pselect6", "pselect6_time64",
                          "pwrite64", "pwritev", "pwritev2",
                          "read", "readahead", "readlink", "readlinkat", "readv",
                          "recv", "recvfrom", "recvmmsg", "recvmmsg_time64", "recvmsg",
                          "remap_file_pages", "removexattr", "removexattrat",
                          "rename", "renameat", "renameat2", "restart_syscall", "rmdir", "rseq",
                          "rt_sigaction", "rt_sigpending", "rt_sigprocmask", "rt_sigqueueinfo",
                          "rt_sigreturn", "rt_sigsuspend", "rt_sigtimedwait", "rt_sigtimedwait_time64",
                          "rt_tgsigqueueinfo",
                          "sched_getaffinity", "sched_getattr", "sched_getparam",
                          "sched_get_priority_max", "sched_get_priority_min", "sched_getscheduler",
                          "sched_rr_get_interval", "sched_rr_get_interval_time64",
                          "sched_setaffinity", "sched_setattr", "sched_setparam",
                          "sched_setscheduler", "sched_yield", "seccomp", "select",
                          "semctl", "semget", "semop", "semtimedop", "semtimedop_time64",
                          "send", "sendfile", "sendfile64", "sendmmsg", "sendmsg", "sendto",
                          "setfsgid", "setfsgid32", "setfsuid", "setfsuid32",
                          "setgid", "setgid32", "setgroups", "setgroups32", "setitimer", "setpgid",
                          "setpriority", "setregid", "setregid32", "setresgid", "setresgid32",
                          "setresuid", "setresuid32", "setreuid", "setreuid32", "setrlimit",
                          "set_robust_list", "setsid", "setsockopt", "set_thread_area",
                          "set_tid_address", "setuid", "setuid32", "setxattr", "setxattrat",
                          "shmat", "shmctl", "shmdt", "shmget", "shutdown",
                          "sigaltstack", "signalfd", "signalfd4", "sigprocmask", "sigreturn",
                          "socketcall", "socketpair", "splice",
                          "stat", "stat64", "statfs", "statfs64", "statmount", "statx",
                          "symlink", "symlinkat", "sync", "sync_file_range", "syncfs", "sysinfo",
                          "tee", "tgkill", "time",
                          "timer_create", "timer_delete", "timer_getoverrun",
                          "timer_gettime", "timer_gettime64", "timer_settime", "timer_settime64",
                          "timerfd_create", "timerfd_gettime", "timerfd_gettime64",
                          "timerfd_settime", "timerfd_settime64",
                          "times", "tkill", "truncate", "truncate64", "ugetrlimit", "umask",
                          "uname", "unlink", "unlinkat", "uretprobe",
                          "utime", "utimensat", "utimensat_time64", "utimes",
                          "vfork", "vmsplice", "wait4", "waitid", "waitpid", "write", "writev",
                          "bpf", "chroot", "clone3", "fanotify_init", "fsconfig", "fsmount",
                          "fsopen", "fspick", "get_mempolicy", "io_uring_enter", "io_uring_register",
                          "io_uring_setup", "iopl", "ioperm", "kcmp", "keyctl", "add_key",
                          "request_key", "lookup_dcookie", "mbind", "migrate_pages", "mount",
                          "mount_setattr", "move_mount", "umount2", "move_pages", "nfsservctl",
                          "open_tree", "perf_event_open", "pidfd_getfd", "pivot_root",
                          "process_vm_readv", "process_vm_writev", "ptrace", "quotactl",
                          "quotactl_fd", "reboot", "set_mempolicy", "set_mempolicy_home_node",
                          "setdomainname", "sethostname", "setns", "swapon", "swapoff",
                          "syslog", "unshare", "userfaultfd", "vhangup"
                        ],
                        "action": "SCMP_ACT_ALLOW"
                      },
                      {
                        "names": ["personality"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [{ "index": 0, "value": 0, "op": "SCMP_CMP_EQ" }]
                      },
                      {
                        "names": ["personality"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [{ "index": 0, "value": 8, "op": "SCMP_CMP_EQ" }]
                      },
                      {
                        "names": ["personality"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [{ "index": 0, "value": 131072, "op": "SCMP_CMP_EQ" }]
                      },
                      {
                        "names": ["personality"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [{ "index": 0, "value": 131080, "op": "SCMP_CMP_EQ" }]
                      },
                      {
                        "names": ["personality"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [{ "index": 0, "value": 4294967295, "op": "SCMP_CMP_EQ" }]
                      },
                      {
                        "names": ["clone"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [{ "index": 0, "value": 2114060288, "op": "SCMP_CMP_MASKED_EQ", "valueTwo": 0 }]
                      },
                      {
                        "names": ["arch_prctl"],
                        "action": "SCMP_ACT_ALLOW",
                        "args": [{ "index": 0, "value": 4114, "op": "SCMP_CMP_NE" }]
                      }
                    ]
                  }
    
                  EOF
    
                  echo "=== Mitigation complete. Ensure that in the Pod's securityContext, the seccompProfile of type Localhost is set to the profile profiles/seccomp-block-af_alg.json. Sleeping to maintain DaemonSet ==="
                  sleep infinity
              resources:
                requests:
                  cpu: 10m
                  memory: 16Mi
                limits:
                  memory: 32Mi
              volumeMounts:
                - name: kubelet-seccomp-root
                  mountPath: /kubelet-seccomp
          volumes:
            - name: kubelet-seccomp-root
              hostPath:
                path: /var/lib/kubelet/seccomp/profiles
                type: DirectoryOrCreate
  2. 部署该文件。

    kubectl apply -f seccomp-block-AF_ALG.yaml
  3. 部署完成后,确认策略文件已写入各节点。

    # 确认 DaemonSet 在所有节点上均已就绪
    kubectl -n kube-system get daemonset ack-cve-2026-31431-mitigate
    # 查看策略写入日志(预期输出包含 "Mitigation complete")
    kubectl -n kube-system logs -l app=ack-cve-2026-31431-mitigate --tail=3

2、为业务 Pod 配置 seccomp Profile

写入的策略文件不会自动应用到 Pod,需要在 Pod 的securityContext中显式引用。

  1. 配置 seccomp Profile。

    在业务 Pod 的 securityContext 中,将 seccomp 配置文件类型设置为 Localhost,并通过 localhostProfile 指定配置文件在节点上的相对路径(相对于节点默认根目录 /var/lib/kubelet/seccomp)。

    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/seccomp-block-af_alg.json
  2. 完成修改后,重启业务 Pod。

  3. 观察业务 Pod 是否工作正常:

    • 如果启动成功,确认 seccomp 配置生效。

    • 如果启动失败,请及时回滚上述模板修改。