CVE-2026-31431 Linux Kernel Copy Fail vulnerability

CVE-2026-31431 is a Linux kernel vulnerability affecting the algif_aead crypto module.
It allows a local user to escalate privileges to root by abusing unsafe memory handling via the AF_ALG interface.

Quick Impact Assessment #

  • Type: Local Privilege Escalation (LPE)
  • Access Required: Local user or container access
  • Affected: Most Linux kernels (≈2017+)
  • Exploit Reliability: High

Risk: Full root compromise from unprivileged access.

Root Cause #

The vulnerability is caused by incorrect handling of in-place AEAD operations:

// Unsafe assumption
if (src == dst) {
    process_in_place();
}

In reality, src and dst buffers are not guaranteed to reference the same memory,
leading to controlled memory corruption via page cache reuse.

How to Verify Exposure #

Check if module is loaded #

lsmod | grep algif_aead

Check kernel version #

uname -r

If the system runs an unpatched kernel (< 6.1.170) and algif_aead is available, it is potentially vulnerable.
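lsmod lists only modules that are loaded right now, while algif_aead can be loaded on demand when a process binds an AF_ALG socket of type aead, so the check below also looks at whether the module is on disk, built in, or blocked by a modprobe.d install override. This is an added example, not part of the original article; the function names, the state names and the use of 6.1.170 as a plain numeric threshold are assumptions of the example.

```shell
#!/bin/sh
# Added example: first-pass check for "kernel below threshold AND algif_aead available".
# FIXED_VERSION is the only threshold the article gives; other stable series and
# distribution backports need the vendor advisory, not this comparison.
FIXED_VERSION="6.1.170"
MOD="algif_aead"

# version_lt A B: succeed when the numeric x.y.z prefix of A is lower than B's.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# module_state: print loaded | builtin | blocked | loadable | absent.
module_state() {
    if grep -q "^${MOD} " /proc/modules 2>/dev/null; then
        echo loaded
    elif grep -q "/${MOD}\.ko" "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null; then
        echo builtin
    elif modprobe -n -v "$MOD" 2>/dev/null | grep -Eq '^install /bin/(false|true)'; then
        echo blocked      # a modprobe.d "install" override prevents loading
    elif modinfo "$MOD" >/dev/null 2>&1; then
        echo loadable     # on disk: can be loaded on demand
    else
        echo absent
    fi
}

# assess [KERNEL_VERSION] [MODULE_STATE]: arguments default to the local host.
assess() {
    kver=${1:-$(uname -r)}
    state=${2:-$(module_state)}
    if ! version_lt "$kver" "$FIXED_VERSION"; then
        echo "at-or-above-threshold"
    elif [ "$state" = absent ] || [ "$state" = blocked ]; then
        echo "module-unavailable"
    else
        echo "potentially-vulnerable"
    fi
}

case "${1:-}" in --run) assess ;; esac   # evaluate the local host only with --run
```

Run it with `--run` to evaluate the local host. A result of `at-or-above-threshold` reflects only the single version number given above.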

Indicators of Exploitation #

  • Unexpected privilege escalation without logs
  • Abnormal usage of AF_ALG sockets
  • High frequency of splice() syscalls
  • Execution anomalies in setuid binaries

Reproduction Pattern (Simplified) #

// Open target binary
fd = open("/usr/bin/suid_binary", O_RDONLY);

// Create AF_ALG socket
sock = socket(AF_ALG, SOCK_SEQPACKET, 0);

// Map file into crypto path
splice(fd, NULL, sock, NULL, size, 0);

// Trigger corruption
sendmsg(sock, payload, ...);

The result is a page cache overwrite and, consequently, privilege escalation.

Immediate Mitigation #

Unload vulnerable module #

modprobe -r algif_aead

Block AF_ALG usage (example) #

Via seccomp / AppArmor / SELinux:

deny socket(AF_ALG)

Note: These are temporary mitigations.

Permanent Fix #

Apply kernel patches that remove unsafe in-place processing:

// Fixed approach
copy_to_temp(src);
process(temp, dst);

RELIANOID Protection #

Risk scope #

The affected kernel module is present in RELIANOID systems but is not loaded by default. Furthermore, RELIANOID software does not utilize the AF_ALG socket interface.

Therefore, the risk exposure for RELIANOID Load Balancers is minimal, provided no custom configurations explicitly enable or use this functionality.

Mitigation #

Mitigation support will be included in our upcoming releases:

  • RELIANOID Enterprise Edition 8.6
  • RELIANOID Community Edition 7.10

Recommended Actions #

  • Keep the system updated to the latest available version
  • Audit local access (SSH, containers, CI/CD)
  • Restrict AF_ALG if not required
  • Monitor syscall anomalies
