Linux Kernel algif_aead Privilege Escalation Now Actively Exploited: Patch Immediately
What Is Happening
A local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem (algif_aead) is now under active exploitation. CVE-2026-31431 stems from an incorrect resource transfer between security spheres in the AEAD (Authenticated Encryption with Associated Data) interface. The flaw was introduced by commit 72548b093ee3, which added in-place operation logic that created exploitable memory handling issues when source and destination come from different mappings.
CISA added this vulnerability to the Known Exploited Vulnerabilities catalog on May 1, 2026, confirming active exploitation in the wild. This vulnerability is part of a recent cluster of Linux kernel privilege escalation flaws, including the related Dirty Frag and Copy Fail vulnerabilities that target similar subsystems. Attackers with local access are chaining these flaws to gain root access on unpatched systems. The cryptographic socket interface exposure makes this particularly dangerous on multi-user systems and containerized environments.
The scope is significant: the affected range spans nearly a decade of releases, from 4.14 through the 6.1.x LTS branch (the table below gives the exact ranges and the first fixed release on each patched branch). Enterprise Linux distributions including Red Hat Enterprise Linux 8 and 9, as well as OpenShift Container Platform 4.0, are confirmed affected. Any organization running Linux servers, containers, or cloud workloads needs to assess exposure immediately.
Affected Versions
| Product | Affected Versions | Status |
|---|---|---|
| Linux Kernel | 4.14 through 5.10.253 | Vulnerable |
| Linux Kernel | 5.11 through 5.15.203 | Vulnerable |
| Linux Kernel | 5.16 through 6.1.169 | Vulnerable |
| Red Hat Enterprise Linux | 8.0 | Vulnerable |
| Red Hat Enterprise Linux | 9.0 | Vulnerable |
| OpenShift Container Platform | 4.0 | Vulnerable |
Patched Versions:
- 5.10.254 or later (LTS branch)
- 5.15.204 or later (LTS branch)
- 6.1.170 or later (LTS branch)
Patch Commits:
- Stable commit 19d43105a97be0810edbda875f2cd03f30dc130c
- Stable commit 3115af9644c342b356f3f07a4dd1c8905cd9a6fc
- Stable commit 893d22e0135fa394db81df88697fba6032747667
- Stable commit 8b88d99341f139e23bdeb1027a2a3ae10d341d82
For Red Hat systems, check the Red Hat Customer Portal for the corresponding RHSA advisories. Red Hat kernels keep their base version string (4.18.0 on RHEL 8, 5.14.0 on RHEL 9) and receive fixes as backports, so compare the installed package against the RHSA, not against the upstream numbers above. Kernel versions prior to 4.14 are not affected by this specific flaw but may be end-of-life and unsupported.
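The table above can be turned into a quick triage check. The following script is an added example, not part of this advisory or of any vendor tooling. It encodes the ranges from the table, reports anything newer than 6.1.x as unknown because the table does not cover it, and reports whether the algif_aead code is currently loaded or built in (it assumes the standard formats of `/proc/modules` and `/lib/modules/$(uname -r)/modules.builtin`). The version check is only meaningful for upstream/stable kernels; vendor kernels backport fixes under an unchanged version string, so for those the vendor advisory is the source of truth.

```shell
#!/bin/sh
# Added triage example (not from the advisory or any vendor tool).
# Encodes the affected/patched ranges from the table above and reports
# whether the algif_aead code is currently reachable on this host.

# ver_num VERSION: map "MAJOR.MINOR.PATCH[-anything]" to one integer so
# versions compare numerically. Suffixes such as "-91-generic" are ignored.
ver_num() {
    printf '%s\n' "$1" | awk -F'[.-]' '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# kernel_status VERSION: print one of
#   not-affected  (older than 4.14, per the advisory)
#   vulnerable    (inside an affected range and below the listed fix)
#   patched       (5.10.254+, 5.15.204+ or 6.1.170+)
#   unknown       (newer than 6.1.x; the table does not cover it, so no guess)
# Only meaningful for upstream/stable version numbers: vendor kernels
# (RHEL 4.18.0-*.el8, Ubuntu 5.15.0-*) backport fixes without changing them.
kernel_status() {
    v=$(ver_num "$1")
    branch=$(printf '%s\n' "$1" | awk -F'[.-]' '{ printf "%d.%d\n", $1, $2 }')
    if [ "$v" -lt "$(ver_num 4.14)" ]; then echo not-affected; return; fi
    if [ "$v" -ge "$(ver_num 6.2)" ]; then echo unknown; return; fi
    case "$branch" in
        5.10) fixed=$(ver_num 5.10.254) ;;
        5.15) fixed=$(ver_num 5.15.204) ;;
        6.1)  fixed=$(ver_num 6.1.170) ;;
        *)    fixed="" ;;   # affected branch with no fixed release listed
    esac
    if [ -n "$fixed" ] && [ "$v" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# algif_aead_state [MODULES_FILE] [BUILTIN_FILE]: print
#   loaded      module present in /proc/modules (can be unloaded/blacklisted)
#   builtin     compiled in (CONFIG_CRYPTO_USER_API_AEAD=y); cannot be removed
#   not-loaded  neither right now; a loadable .ko may still be loaded on demand
# The two arguments exist so the function can be exercised on sample files.
algif_aead_state() {
    modules=${1:-/proc/modules}
    builtin=${2:-/lib/modules/$(uname -r)/modules.builtin}
    if grep -q '^algif_aead ' "$modules" 2>/dev/null; then
        echo loaded
    elif grep -q '/algif_aead\.ko$' "$builtin" 2>/dev/null; then
        echo builtin
    else
        echo not-loaded
    fi
}

# report: run both checks against the live host.
report() {
    k=$(uname -r)
    printf 'kernel %s: %s\n' "$k" "$(kernel_status "$k")"
    printf 'algif_aead: %s\n' "$(algif_aead_state)"
}

report
```

A result of `builtin` means the module-blacklist compensating control in the Mitigation Steps is not available on that host and patching is the only fix; `not-loaded` does not mean safe, because a loadable module can still be loaded later unless it is blacklisted.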
What Being on an Affected Version Means
An attacker with local user access can exploit this vulnerability to escalate privileges to root. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base score 7.8 High) indicates low attack complexity with no user interaction required once the attacker has a foothold, and complete confidentiality, integrity, and availability impact on the affected system.
The practical attack path starts with any local shell access, whether through a compromised application, stolen credentials, or code execution inside an unprivileged container. From there, the attacker triggers the algif_aead vulnerability through the AF_ALG socket interface to corrupt kernel memory and gain root. With root access, the attacker can read all files on the system, install persistent backdoors, pivot to other networked systems using cached credentials or SSH keys, disable security controls, and exfiltrate data. In containerized environments the kernel is shared with the host, so a successful exploit breaks container isolation and compromises the underlying host.
Mitigation Steps
- Patch immediately to kernel version 5.10.254, 5.15.204, or 6.1.170 depending on your LTS branch. Apply the upstream commits listed above or use your distribution's package manager: `yum update kernel` (RHEL/CentOS) or `apt update && apt upgrade` (Debian/Ubuntu, which pulls the current `linux-image-*` package). A new kernel only takes effect after a reboot (or once a vendor live patch for this CVE is applied), so schedule that step as part of the emergency change.
- Restrict access to the AEAD user-space interface as a compensating control if immediate patching is not possible. Note that `kernel.unprivileged_userns_clone=0` (a Debian/Ubuntu-specific sysctl) only blocks unprivileged user-namespace creation and does not limit AF_ALG; the `aead` socket type is reachable by any local user whenever the algif_aead code is present. Where the kernel builds it as a module (CONFIG_CRYPTO_USER_API_AEAD=m), prevent it from loading by adding `install algif_aead /bin/false` to a file under `/etc/modprobe.d/` and unloading it with `modprobe -r algif_aead`; where it is built in (=y) this is not possible and patching is the only fix. Confirm first which local software relies on the interface, since blocking it breaks those applications. Additionally, use seccomp profiles to block `socket()` calls with domain AF_ALG (38) in containers.
- Audit local user access and remove unnecessary shell accounts. Reduce the attack surface by limiting who can log into affected systems.
- Monitor for exploitation attempts by watching for:
  - Processes opening AF_ALG sockets. Example audit rule for x86-64: `-a always,exit -F arch=b64 -S socket -F a0=38 -k algif_audit` (38 is AF_ALG). Expect legitimate hits from software that uses the kernel crypto API, so baseline before alerting.
  - Unexpected privilege changes in audit logs, such as SYSCALL records in which a non-root login uid (auid) ends up with uid=0 without passing through sudo or su, and ANOM_ABEND records, which mark the crashes that failed exploitation attempts leave behind.
  - Kernel oops or panic messages in `/var/log/kern.log` (or `journalctl -k`) referencing algif_aead or the crypto subsystem.
  - New setuid binaries or unexpected root processes spawned from low-privilege parents.
- Prioritize container hosts and multi-tenant systems where local privilege escalation has the highest blast radius. Single-user workstations are lower priority but should still be patched within your normal cycle.
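An added example of the monitoring logic above, not part of this advisory: a small awk-based scanner for raw auditd records (as written by `ausearch --raw`) that flags AF_ALG socket creation by unprivileged users and a process whose real uid becomes 0 without a setuid-family call. It assumes the socket audit rule from the monitoring bullet plus any `-S execve` rule (so the post-exploit shell is recorded), and x86-64 records (arch=c000003e; socket is syscall 41, execve 59, setuid 105, setreuid 113, setresuid 117; audit prints arguments in hex, so AF_ALG 38 appears as a0=26). The privilege-change check is a heuristic: a kernel-payload credential overwrite changes the real uid with no setuid syscall, while sudo changes it through setresuid and the shells it spawns start life as uid 0. The sample records are constructed for the demonstration; the pids, timestamps and paths are made up.

```shell
#!/bin/sh
# Added detection example (not from the advisory): scan raw auditd records
# for (1) AF_ALG socket creation by unprivileged users and (2) a process whose
# real uid turns into 0 without a setuid-family syscall. Assumes x86-64 records:
# arch=c000003e, socket=41, execve=59, setuid=105, setreuid=113, setresuid=117;
# audit prints syscall arguments in hex, so AF_ALG (38) appears as a0=26.

# scan_audit: read records on stdin (e.g. `ausearch --raw -ts today`), print
# one alert per hit. Requires the socket rule from the advisory plus an
# execve rule (any "-S execve" rule), so the post-exploit shell is recorded.
scan_audit() {
    awk '
    # field(name): value of "name=value" (quotes stripped), "" if absent.
    # The leading space keeps "uid=" from matching inside "auid=" or "euid=".
    function field(name,    v) {
        if (match($0, " " name "=[^ ]+")) {
            v = substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
            gsub(/"/, "", v)
            return v
        }
        return ""
    }
    /^type=SYSCALL / {
        pid = field("pid"); uid = field("uid"); sc = field("syscall"); exe = field("exe")
        if (field("arch") == "c000003e" && sc == "41" && field("a0") == "26" && uid != "0")
            printf "AF_ALG pid=%s uid=%s exe=%s\n", pid, uid, exe
        # Heuristic: real uid 0 now, non-zero in an earlier record of the same
        # pid, and the syscall is not one that legitimately changes it. sudo
        # shows up as setresuid (117) and the commands it spawns start as uid 0,
        # so neither is flagged. Caveat: pid reuse over a long log can produce
        # false matches; scope the input by time window or session (ses=).
        if (uid == "0" && (pid in last) && last[pid] != "0" && sc !~ /^(105|113|117)$/)
            printf "ROOT-FROM-USER pid=%s auid=%s syscall=%s exe=%s\n", pid, field("auid"), sc, exe
        last[pid] = uid
    }'
}

# Constructed sample records (timestamps, pids and paths are made up):
#   pid 1235  user runs ./poc, opens an AF_ALG socket, later execs a shell as uid 0
#   pid 900   a root daemon using AF_ALG legitimately (not flagged)
#   pid 1301  sudo: setuid-bit exec (real uid stays 1000), setresuid to 0; child 1302 runs id
SAMPLE_AUDIT='type=SYSCALL msg=audit(1777650000.101:501): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="poc" exe="/home/dev/poc" key="exec"
type=SYSCALL msg=audit(1777650000.102:502): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="poc" exe="/home/dev/poc" key="algif_audit"
type=SYSCALL msg=audit(1777650000.150:503): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptd" exe="/usr/sbin/cryptd" key="algif_audit"
type=SYSCALL msg=audit(1777650000.900:504): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1200 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" key="exec"
type=SYSCALL msg=audit(1777650010.001:505): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=5 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=SYSCALL msg=audit(1777650010.002:506): arch=c000003e syscall=117 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="sudo" exe="/usr/bin/sudo" key="privesc"
type=SYSCALL msg=audit(1777650010.003:507): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1301 pid=1302 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="id" exe="/usr/bin/id" key="exec"'

# demo_scan: run the scanner over the constructed sample.
demo_scan() {
    printf '%s\n' "$SAMPLE_AUDIT" | scan_audit
}

demo_scan
```

On the sample this prints two alerts, both for pid 1235: the AF_ALG socket opened as uid 1000, and the later execve that runs as uid 0 with no setresuid in between. The root daemon and the sudo session produce nothing. Treat the AF_ALG alert as a lead to correlate, not a verdict: the ROOT-FROM-USER transition in the same pid is the strong signal.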
This is a P0 vulnerability with confirmed active exploitation; treat patching as an emergency action for any internet-exposed or multi-user Linux system.