Kernel Exploit Lets Local Users Gain Root on Every Major Linux Distribution
On 2026-05-06 a new, high‑severity local privilege escalation flaw, identified as CVE-2026-31431, was disclosed by CODERED_VTA. The vulnerability affects virtually every mainstream Linux distribution released between 2017 and April 2026, including Ubuntu, Red Hat Enterprise Linux, Amazon Linux, SUSE, Debian, Fedora, Arch, and many others. An unprivileged local user can trigger the flaw via the kernel’s crypto‑API (AF_ALG), specifically the algif_aead module that is enabled by default in standard configurations. The result is complete root access without requiring any network interaction.
Threat Context
Microsoft Defender has confirmed that the vulnerability is currently being tested by threat actors and is listed in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerability (KEV) catalog. Although exploitation has mainly been observed in proof‑of‑concept (PoC) environments, the PoC’s simplicity—only ~732 bytes—and deterministic behavior mean that widespread exploitation is likely in the coming days, especially in cloud and containerized environments where untrusted code runs.
The flaw is a logic bug in the algif_aead module of the AF_ALG socket interface. It arises from an in‑place optimization introduced in 2017 that reuses source memory as destination during cryptographic operations. By abusing a combination of AF_ALG sockets, the splice() system call, and the kernel’s error handling during failed copy operations, an attacker can perform a controlled 4‑byte overwrite in the kernel page cache of any readable file, including privileged binaries such as /usr/bin/su. The corruption is entirely in‑memory, leaving the on‑disk file untouched, and the exploit is fully deterministic.
Attack Chain
- Reconnaissance. An attacker with limited visibility—such as a compromised CI runner or a foothold in a multi‑tenant container—gathers kernel version information from within the container or host. This requires no elevated privileges.
- Execution of PoC. A compact Python script interacts only with standard kernel interfaces. It does not rely on networking, compilation, or third‑party libraries, making it suitable for execution in restricted containers.
- Privilege Escalation. The script abuses AF_ALG and
splice()to write to the page cache, corrupting kernel structures associated with credentials or execution context. The result is that the attacker’s process becomes UID 0, effectively breaking out of the container or host into full root control.
Impact Assessment
Successful exploitation results in:
- Full root privilege escalation (confidentiality, integrity, and availability impact).
- Container breakout and multi‑tenant compromise.
- Lateral movement within shared environments.
Because the page cache is shared across containers and the host, the vulnerability can also facilitate container escape scenarios.
Mitigation and Protection Guidance
Immediate Actions (0‑24 Hours)
- Identify all affected instances in your environment.
- If patches exist, apply them immediately. Reference patches can be found at CVE‑2026‑31431 and vendor bulletins.
- If patches are unavailable, consider interim mitigations:
- Disable the AF_ALG socket interface (e.g.,
sysctl -w kernel.modules_disabled=1or equivalent). - Apply network isolation to restrict local access.
- Enforce strict access controls on privileged binaries.
- Disable the AF_ALG socket interface (e.g.,
- Review system logs for signs of exploitation, such as unusual
splice()usage or modifications to/usr/bin/suin the page cache.
Long‑Term Recommendations
- Patch or update kernels to the latest versions from your distribution.
- For containerized workloads, treat any container RCE as a potential host compromise and perform rapid node recycling after any compromise indicators.
- Implement host hardening practices, including SELinux or AppArmor enforcement, and limit
AF_ALGusage to trusted processes.
Detection and Hunting Guidance
Microsoft Defender XDR provides several detections for this vulnerability, including:
- Exploit signatures:
Linux/CopyFailExpDl.A,Python/CopyFail.A,Linux/CVE-2026-31431.A,Linux/CVE-2026-31431. - Behavioral indicators: suspicious
splice()system calls in conjunction with AF_ALG usage.
Customers can use Microsoft Security Copilot to investigate incidents, hunt for related activity, and apply mitigations. Microsoft Defender for Endpoint, for Cloud, and Vulnerability Management (MDVM) surface affected devices and provide automated patching recommendations.

