
CVE-2026-31431: Linux Kernel Page Cache Write via algif_aead


Rodrigo Garcia

What Is CVE-2026-31431?

CVE-2026-31431 is a local privilege escalation vulnerability in the Linux kernel’s algif_aead interface, the AF_ALG socket type used for userspace access to kernel AEAD (Authenticated Encryption with Associated Data) ciphers. An unprivileged local user can exploit a flaw in how the kernel handles in-place crypto operations to write arbitrary data to the page cache of files they should not be able to modify.

The root cause is commit 72548b093ee3, introduced in Linux 4.14, which changed algif_aead to operate in-place. The intent was a performance optimization, but source and destination buffers come from different memory mappings. When the kernel treats them as a single buffer, the resulting write lands in the page cache of the destination file. An attacker can combine this with splice() to pull pages of a SUID binary (like /usr/bin/su) into a pipe, then send crafted AEAD messages through an AF_ALG socket to overwrite controlled offsets in the page cache. The corrupted binary executes with root privileges. This is a variant of the Dirty Pipe technique (CVE-2022-0847), but routed through the crypto subsystem instead of the pipe buffer.

The weakness is classified as CWE-669: Incorrect Resource Transfer Between Spheres. The fix reverts to out-of-place operation and copies the associated data directly.

CVSS: 7.8 (High)
Attack Vector: Local
Complexity: Low
Privileges: Low
User Interaction: None
EPSS: 0.0%
EPSS Rank: 1st %ile
KEV Listed: No
Affected: Linux Kernel 4.14+
Sources: NVD, MITRE, EPSS, KEV

How Serious Is It?

CVSS Score

NVD rates CVE-2026-31431 at 7.8 High (CVSS v3.1). The score comes from the Linux kernel CNA and was adopted by NVD as the primary assessment. No CNA-vs-NVD disagreement exists for this CVE.

The vector breakdown: the attack is local (requires shell access or code execution on the target), low complexity (no special conditions), and needs only low privileges (any unprivileged user). No user interaction is required. Impact is high across confidentiality, integrity, and availability because page cache writes give the attacker control over file contents, which is a stepping stone to arbitrary code execution as root.


Exploitation Probability

The EPSS score is 0.008%, placing CVE-2026-31431 in the 0.7th percentile. This is a low predicted exploitation probability relative to the overall CVE population. EPSS models internet-facing, mass-exploitation patterns, so local privilege escalation bugs that require shell access tend to score lower regardless of their actual severity once an attacker has a foothold.

EPSS Score: 0.01% probability of exploitation in the next 30 days (1st percentile). Ranks higher than 1% of all scored CVEs.

Active Exploitation

CVE-2026-31431 is not in the CISA Known Exploited Vulnerabilities catalog.

CISA’s ADP Vulnrichment program has assessed it with the following SSVC decision points:

  • Exploitation: proof-of-concept (PoC exists)
  • Automatable: no (requires local access)
  • Technical Impact: total (full system compromise)

A public exploit repository exists at theori-io/copy-fail-CVE-2026-31431 on GitHub. The PoC (copy_fail_exp.py) opens a SUID binary read-only, uses splice() to load its pages into a pipe, then corrupts 4-byte chunks at controlled offsets through the AF_ALG AEAD interface. It has been tested successfully on Ubuntu 24.04 LTS (kernel 6.17), Amazon Linux 2023 (kernel 6.18), RHEL 10.1 (kernel 6.12), and SUSE 16 (kernel 6.12). The researchers also published a dedicated domain at copy.fail and a detailed writeup on the technique. Multiple threads on the oss-security mailing list discussed the vulnerability and its variants through late April 2026.

Who Is Affected?

The vulnerability affects the Linux kernel from version 4.14 (where commit 72548b093ee3 introduced in-place AEAD operation) through all subsequent versions that did not receive the fix. The affected subsystem files are crypto/algif_aead.c, crypto/algif_skcipher.c, crypto/af_alg.c, and include/crypto/if_alg.h.

The fix has been backported to the following stable kernel branches:

Branch    Fixed In
5.10.x    5.10.254
5.15.x    5.15.204
6.1.x     6.1.170
6.6.x     6.6.137
6.12.x    6.12.85
6.18.x    6.18.22
6.19.x    6.19.12
7.0+      7.0 (fixed at release)

If you run any kernel between 4.14 and the fix versions listed above, your systems are vulnerable. The AF_ALG socket family is available to unprivileged users by default on most distributions, so no special capabilities are required to reach the vulnerable code path. Kernels before 4.14 are not affected because the in-place operation code did not exist. Kernels 4.19.x and 5.4.x are end-of-life and do not have backported fixes listed in the CNA advisory.

What Should You Do?

Patches and Updates

Update to the fixed kernel version for your branch. The patches are available in the stable kernel Git tree:

Distribution-specific kernel updates (Ubuntu, RHEL, Debian, SLES) will follow their own release cadence. Check your distribution’s security tracker for the package version that includes this fix.

Workarounds

No vendor-provided workarounds are included in the CNA advisory. Two mitigations can reduce exposure until you patch:

  1. Blocklist the module. Run modprobe -r algif_aead and add blacklist algif_aead to a file in /etc/modprobe.d/. This prevents the vulnerable code path from being reached. It may break applications that use the AF_ALG interface for AEAD operations (some VPN and TLS implementations, libkcapi).
  2. Audit AF_ALG + splice usage. Monitor for socket(AF_ALG, …) syscalls paired with splice() targeting SUID binaries. This combination is unusual in normal workloads and is the signature pattern for this exploit.

Detection and Visibility

Check your running kernel version with uname -r and compare it against the fix table above. For fleet-wide coverage, you need to know which kernel version every Linux machine in your environment is running.
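Added example (mine, not code from the advisory or the kernel project): a POSIX shell check that classifies a kernel version string against the backport table above and, on a live host, reports whether algif_aead is loaded or built in, which decides whether the modprobe blocklist from the Workarounds section can apply at all. It assumes the fix versions exactly as listed; distribution kernels that carry the fix under their own version numbers will be reported as vulnerable here, so confirm those against the distribution's security tracker.

```shell
#!/bin/sh
# Added example, not from the advisory or the kernel project.
# is_fixed VERSION prints "fixed", "vulnerable" or "not-affected" using
# the stable backport table in this advisory (5.10.254, 5.15.204, 6.1.170,
# 6.6.137, 6.12.85, 6.18.22, 6.19.12, 7.0+). Series without a listed
# backport (4.14 through 5.4 and any other unlisted series) are treated as
# vulnerable; anything before 4.14 is not affected.

is_fixed() {
    v=${1%%-*}                      # drop "-generic", "-amd64", build tags
    major=${v%%.*}; mm=${v#*.}; minor=${mm%%.*}
    case $v in *.*.*) rest=${mm#*.}; patch=${rest%%.*} ;; *) patch=0 ;; esac
    case "$major.$minor" in
        5.10) need=254 ;;  5.15) need=204 ;;
        6.1)  need=170 ;;  6.6)  need=137 ;;
        6.12) need=85  ;;  6.18) need=22  ;;
        6.19) need=12  ;;
        *)
            if [ "$major" -ge 7 ]; then echo fixed            # fixed at 7.0
            elif [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 14 ]; }
            then echo not-affected                             # pre-4.14
            else echo vulnerable       # 4.14-5.4 and other unlisted series
            fi; return ;;
    esac
    if [ "$patch" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
}

# module_state reports how algif_aead is present on this host. A "blacklist"
# line in /etc/modprobe.d only stops automatic loading of a module; when
# CONFIG_CRYPTO_USER_API_AEAD=y the code is built in, cannot be unloaded,
# and only the kernel update removes the vulnerable path.
module_state() {
    builtin=/lib/modules/$(uname -r)/modules.builtin
    if grep -q '^algif_aead ' /proc/modules 2>/dev/null; then echo loaded
    elif [ -r "$builtin" ] && grep -q 'algif_aead' "$builtin"; then echo builtin
    else echo not-loaded; fi
}

# Usage: sh check.sh             -> inspects this host
#        sh check.sh 6.12.84 ... -> classifies the given version strings
if [ $# -gt 0 ]; then
    for ver; do printf '%s: %s\n' "$ver" "$(is_fixed "$ver")"; done
else
    printf 'kernel %s: %s, algif_aead %s\n' "$(uname -r)" \
        "$(is_fixed "$(uname -r)")" "$(module_state)"
fi
```

A "not-loaded" result still leaves the path reachable, since binding an AF_ALG socket of type aead can autoload the module; the blocklist entry is what prevents that.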

If you manage dozens or hundreds of Linux servers, checking each one manually does not scale. An asset inventory that pulls data from your EDR, vulnerability scanner, and configuration management tools shows you which machines run affected kernel versions in one view. Koopic connects to your existing tools and surfaces exactly which assets match.

Timeline

  • Apr 30, 2026 (exploit): CISA ADP Vulnrichment: PoC exploitation, total technical impact
  • Apr 29, 2026 (disclosure): oss-security mailing list discussion begins
  • Apr 22, 2026 (nvd): NVD published (Awaiting Analysis)
  • Apr 22, 2026 (disclosure): MITRE CNA record published by Linux kernel team
  • Apr 22, 2026 (patch): Fix commits pushed to stable kernel branches


Work with us as a design partner - we'll show you how risk-based prioritization works on your actual environment.