MONDOO-CVE-2026-31431

A logic flaw in the Linux kernel's algif_aead (AF_ALG AEAD) interface, exploitable via the AF_ALG and splice() syscalls, allows unprivileged local users to write four bytes into the page cache of setuid binaries. The vulnerability affects all mainstream Linux distributions running kernels built between 2017 and the date of the upstream fix, and provides a "100% reliable" container escape and local privilege-escalation primitive without requiring race conditions, kernel offsets, or pre-installed exploit primitives.

The root cause is that pages from the page cache can incorrectly end up in writable destination scatterlists during in-place AEAD operations. The upstream fix (mainline commit a664bf3d603d) reverts a 2017 algif_aead optimization and forces out-of-place operation.

At the time of writing, no vendor has shipped a patched kernel package for any of the supported enterprise distributions (Ubuntu, Red Hat Enterprise Linux, SUSE, Amazon Linux, Debian stable). Only the Debian development branches (Forky, Sid) carry a fixed kernel.

Mitigation

Until a patched kernel is available from your distribution vendor, apply one of the following workarounds:

1. Disable the algif_aead kernel module (recommended for most systems):

   echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
   sudo modprobe -r algif_aead 2>/dev/null || true
   

2. Block AF_ALG socket creation via seccomp for untrusted workloads (containers, sandboxes). Add a seccomp profile that denies socket(AF_ALG, ...) to any workload that does not legitimately use the kernel crypto userspace API.

3. Once available, apply the patched kernel from your distribution vendor and reboot. The upstream fix is mainline commit a664bf3d603d ("crypto: algif_aead - Revert to operating out-of-place").

Attack Vector

Local, unprivileged user. No network access required. CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H — Base Score 7.8...