CVE-2026-31431:
CVE-2026-31431 is a high-severity Linux kernel vulnerability in the `crypto: algif_aead` subsystem caused by incorrect in-place resource transfer between memory mappings, classified as CWE-669 (Incorrect Resource Transfer Between Spheres), which can be exploited by a local user to achieve full privilege escalation.
Score
A numerical rating that indicates how dangerous this vulnerability is.
7.8 High
- Published Date: Apr 22, 2026
- CISA KEV Date: May 1, 2026
- Industries Affected: 20
Threat Predictions
- EPSS Score: 3.9
- EPSS Percentile: 88%
Exploitability
- Score: 1.8
- Attack Vector: LOCAL
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
CVE-2026-31431 is a HIGH severity (CVSS 3.1 score 7.8) local privilege escalation vulnerability in the Linux kernel's `crypto: algif_aead` subsystem. The flaw originates from commit `72548b093ee3`, which incorrectly implemented in-place AEAD cryptographic operations despite the source and destination buffers residing in distinct memory mappings. This incorrect resource transfer between spheres (CWE-669) enables a local attacker with low privileges to exploit the AF_ALG socket interface to perform unauthorized writes to kernel page cache memory, ultimately achieving full root access. The vulnerability has been actively exploited in the wild, as confirmed by its inclusion in the CISA Known Exploited Vulnerabilities catalog with a remediation due date of May 15, 2026. Public proof-of-concept exploits are available, including the "copy.fail" exploit and code published by Theori. The affected kernel version range spans 4.14 through 6.19.x, with broad impact across major Linux distributions.
Remediation
- The Linux kernel maintainers have issued patches across all affected stable branches. Users and administrators should update to the following fixed kernel versions or later: 5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.22, or 6.19.12.
- Red Hat Enterprise Linux users should apply errata updates provided by Red Hat for RHEL 8, 9, and 10, and OpenShift Container Platform 4.
- Debian, Ubuntu, Amazon Linux, openSUSE, and SUSE Linux Enterprise users should apply the respective vendor-issued kernel security updates.
- As a temporary mitigation where patching is not immediately possible, restricting unprivileged access to AF_ALG sockets (e.g., via seccomp, LSM policies, or user namespace restrictions) may reduce the attack surface.
- CISA's BOD 22-01 guidance for cloud services should be followed where applicable.
- Organizations unable to apply mitigations should consider discontinuing use of affected kernel versions.
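An added example (not part of the original advisory or of any vendor tooling): a triage helper that compares a `uname -r` string against the fixed upstream stable releases given in the Remediation section above. The function names and status labels are assumptions made for this example; release strings with a suffix are flagged because distributions backport fixes without changing the upstream version number.

```python
import platform
import re

# Fixed upstream stable releases, copied from the Remediation section above.
FIXED = {(5, 10): 254, (5, 15): 204, (6, 1): 170, (6, 6): 137,
         (6, 12): 85, (6, 18): 22, (6, 19): 12}
# Affected series per the Overview: 4.14 through 6.19.x.
FIRST_AFFECTED, LAST_AFFECTED = (4, 14), (6, 19)


def parse_release(release):
    """Split a `uname -r` string into (major, minor, patch, suffix)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0), m[4]


def triage(release):
    """Return (status, has_suffix) for one kernel release string.

    status (labels are this example's own):
      outside-range  series older than 4.14 or newer than 6.19
      fixed          at or above the fixed release for its series
      vulnerable     below the fixed release for its series
      no-fix-listed  affected series with no fixed release on this page
    has_suffix is True when text follows the version number, as in
    distribution builds; confirm those against the vendor advisory.
    """
    major, minor, patch, suffix = parse_release(release)
    series = (major, minor)
    has_suffix = bool(suffix)
    if not FIRST_AFFECTED <= series <= LAST_AFFECTED:
        return "outside-range", has_suffix
    if series not in FIXED:
        return "no-fix-listed", has_suffix
    status = "fixed" if patch >= FIXED[series] else "vulnerable"
    return status, has_suffix


if __name__ == "__main__":
    # Constructed sample strings, then the release of the running host.
    samples = ["6.6.136", "6.6.137", "5.4.290", "6.1.0-18-amd64"]
    for rel in samples + [platform.release()]:
        try:
            print(rel, *triage(rel))
        except ValueError as exc:
            print(exc)
```

A `vulnerable` or `no-fix-listed` result with `has_suffix` set means the upstream comparison is inconclusive and the vendor's errata for that package build decides.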
References
- [CVE-2026-31431 NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
- [Linux Kernel Stable Patch (5.10)](https://git.kernel.org/stable/c/19d43105a97be0810edbda875f2cd03f30dc130c)
- [Linux Kernel Stable Patch (5.15)](https://git.kernel.org/stable/c/3115af9644c342b356f3f07a4dd1c8905cd9a6fc)
- [Linux Kernel Stable Patch (6.1)](https://git.kernel.org/stable/c/893d22e0135fa394db81df88697fba6032747667)
- [Linux Kernel Stable Patch (6.6)](https://git.kernel.org/stable/c/8b88d99341f139e23bdeb1027a2a3ae10d341d82)
- [Linux Kernel Stable Patch (6.12)](https://git.kernel.org/stable/c/961cfa271a918ad4ae452420e7c303149002875b)
- [Linux Kernel Stable Patch (6.18)](https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5)
- [Linux Kernel Stable Patch (6.19)](https://git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237)
- [Linux Kernel CVE Announcement](https://lore.kernel.org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/)
- [Red Hat CVE Advisory and Mitigation](https://access.redhat.com/security/cve/cve-2026-31431#cve-details-mitigation)
- [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431)
- [Theori PoC Exploit - GitHub](https://github.com/theori-io/copy-fail-CVE-2026-31431)
- [copy.fail Exploit](https://copy.fail)
- [WebSec Blog - Technical Write-up](https://websec.net/blog/cve-2026-31431-linux-algifaead-page-cache-write-to-root-69f38a4ccddd2db1f520f170)
- [xint.io Blog - Distribution Analysis](https://xint.io/blog/copy-fail-linux-distributions#the-fix-6)
- [CERT/CC Vulnerability Note VU#260001](https://www.kb.cert.org/vuls/id/260001)
- [oss-security Mailing List - Initial Disclosure](http://www.openwall.com/lists/oss-security/2026/04/29/23)