Kernel Exploit Lets Local Users Gain Root on Every Major Linux Distribution

Kernel Exploit Lets Local Users Gain Root on Every Major Linux Distribution

On 2026-05-06 a new, high‑severity local privilege escalation flaw, identified as CVE-2026-31431, was disclosed by CODERED_VTA. The vulnerability affects virtually every mainstream Linux distribution released between 2017 and April 2026, including Ubuntu, Red Hat Enterprise Linux, Amazon Linux, SUSE, Debian, Fedora, Arch, and many others. An unprivileged local user can trigger the flaw via the kernel’s crypto‑API (AF_ALG), specifically the algif_aead module that is enabled by default in standard configurations. The result is complete root access without requiring any network interaction.

Threat Context

Microsoft Defender has confirmed that the vulnerability is currently being tested by threat actors and is listed in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerability (KEV) catalog. Although exploitation has mainly been observed in proof‑of‑concept (PoC) environments, the PoC’s simplicity—only ~732 bytes—and deterministic behavior mean that widespread exploitation is likely in the coming days, especially in cloud and containerized environments where untrusted code runs.

The flaw is a logic bug in the algif_aead module of the AF_ALG socket interface. It arises from an in‑place optimization introduced in 2017 that reuses source memory as destination during cryptographic operations. By abusing a combination of AF_ALG sockets, the splice() system call, and the kernel’s error handling during failed copy operations, an attacker can perform a controlled 4‑byte overwrite in the kernel page cache of any readable file, including privileged binaries such as /usr/bin/su. The corruption is entirely in‑memory, leaving the on‑disk file untouched, and the exploit is fully deterministic.

Attack Chain

  1. Reconnaissance. An attacker with limited visibility—such as a compromised CI runner or a foothold in a multi‑tenant container—gathers kernel version information from within the container or host. This requires no elevated privileges.
  2. Execution of PoC. A compact Python script interacts only with standard kernel interfaces. It does not rely on networking, compilation, or third‑party libraries, making it suitable for execution in restricted containers.
  3. Privilege Escalation. The script abuses AF_ALG and splice() to write to the page cache, corrupting kernel structures associated with credentials or execution context. The result is that the attacker’s process becomes UID 0, effectively breaking out of the container or host into full root control.

Impact Assessment

Successful exploitation results in:

  • Full root privilege escalation (confidentiality, integrity, and availability impact).
  • Container breakout and multi‑tenant compromise.
  • Lateral movement within shared environments.

Because the page cache is shared across containers and the host, the vulnerability can also facilitate container escape scenarios.

Mitigation and Protection Guidance

Immediate Actions (0‑24 Hours)

  • Identify all affected instances in your environment.
  • If patches exist, apply them immediately. Reference patches can be found at CVE‑2026‑31431 and vendor bulletins.
  • If patches are unavailable, consider interim mitigations:
    • Disable the AF_ALG socket interface (e.g., sysctl -w kernel.modules_disabled=1 or equivalent).
    • Apply network isolation to restrict local access.
    • Enforce strict access controls on privileged binaries.
  • Review system logs for signs of exploitation, such as unusual splice() usage or modifications to /usr/bin/su in the page cache.

Long‑Term Recommendations

  • Patch or update kernels to the latest versions from your distribution.
  • For containerized workloads, treat any container RCE as a potential host compromise and perform rapid node recycling after any compromise indicators.
  • Implement host hardening practices, including SELinux or AppArmor enforcement, and limit AF_ALG usage to trusted processes.

Detection and Hunting Guidance

Microsoft Defender XDR provides several detections for this vulnerability, including:

  • Exploit signatures: Linux/CopyFailExpDl.A, Python/CopyFail.A, Linux/CVE-2026-31431.A, Linux/CVE-2026-31431.
  • Behavioral indicators: suspicious splice() system calls in conjunction with AF_ALG usage.

Customers can use Microsoft Security Copilot to investigate incidents, hunt for related activity, and apply mitigations. Microsoft Defender for Endpoint, for Cloud, and Vulnerability Management (MDVM) surface affected devices and provide automated patching recommendations.

References

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading