Skip to main content

Linux Kernel CVE-2026-31431

| EUVDEUVD-2026-24639 HIGH
Incorrect Resource Transfer Between Spheres (CWE-669)
2026-04-22 Linux GHSA-2274-3hgr-wxv6
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

21
Added to CISA KEV
May 04, 2026 - 18:16 cisa
CISA KEV
CIRCL Exploitation Confirmed
May 04, 2026 - 18:16 circl
CIRCL KEV
PoC Detected
May 04, 2026 - 18:16 vuln.today
Public exploit code
Patch released
May 04, 2026 - 18:16 nvd
Patch available
Added to CISA KEV
May 01, 2026 - 19:02 CISA
Patch released
May 01, 2026 - 06:00 NVD
Analysis Updated
Apr 30, 2026 - 10:12 vuln.today
v6 (cvss_changed)
article_added
Apr 30, 2026 - 10:05 vuln.today
trending_spike
Apr 30, 2026 - 10:05 vuln.today
Started Trending
Apr 30, 2026 - 10:04 vuln.today
14.4
Analysis Updated
Apr 30, 2026 - 09:27 vuln.today
v5 (cvss_changed)
Analysis Updated
Apr 30, 2026 - 08:28 vuln.today
v4 (cvss_changed)
Analysis Updated
Apr 30, 2026 - 06:27 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 30, 2026 - 01:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 29, 2026 - 21:22 vuln.today
cvss_changed
exploit_published
Apr 29, 2026 - 00:00 copy.fail
Analysis Generated
Apr 27, 2026 - 14:24 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
EUVD ID Assigned
Apr 22, 2026 - 08:30 euvd
EUVD-2026-24639
Analysis Generated
Apr 22, 2026 - 08:30 vuln.today
CVE Published
Apr 22, 2026 - 08:15 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

crypto: algif_aead - Revert to operating out-of-place

This mostly reverts commit 72548b093ee3 except for the copying of the associated data.

There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.

AnalysisAI

Memory corruption in Linux kernel's algif_aead cryptographic interface allows local authenticated users to achieve arbitrary kernel memory read/write, leading to privilege escalation to root. The vulnerability stems from improper handling of in-place operations introduced in commit 72548b093ee3, affecting kernel versions from 4.14 through 6.19.x. Multiple public exploit codes exist including proof-of-concept demonstrations from security researchers, with EPSS score of 0.01% indicating currently low widespread exploitation likelihood despite POC availability.

Technical ContextAI

The algif_aead interface provides userspace access to kernel AEAD (Authenticated Encryption with Associated Data) cryptographic operations through AF_ALG sockets. The vulnerability exists in the kernel's crypto subsystem where commit 72548b093ee3 attempted to optimize performance by processing data in-place rather than copying between source and destination buffers. This optimization introduced CWE-669 (Incorrect Resource Transfer Between Spheres) violations, creating memory mapping confusion between userspace and kernel address spaces. The cryptographic API's handling of associated data and the interaction between different memory mappings allows crafted operations to corrupt kernel memory structures. Affected products identified via CPE include Linux kernel versions starting from 4.14, with patches targeting stable branches 6.18.22, 6.19.12, and mainline 7.0.

RemediationAI

Upgrade to patched kernel versions: 6.18.22, 6.19.12, or 7.0 and later from https://git.kernel.org/stable/. The fix reverts the problematic in-place operation logic in algif_aead while preserving associated data copying efficiency. For systems unable to immediately patch, restrict access to /proc/crypto and AF_ALG socket creation by disabling CONFIG_CRYPTO_USER_API_AEAD at compile time or using kernel module blacklisting for algif_aead (modprobe blacklist). This prevents userspace from invoking the vulnerable code path entirely but breaks applications depending on userspace AEAD operations (some VPN clients, custom crypto implementations). AppArmor or SELinux policies can restrict CAP_NET_ADMIN capability required for AF_ALG socket operations to trusted processes only, though this may impact legitimate cryptographic software. Monitor for unusual AF_ALG socket activity via auditd rules on socket(AF_ALG) syscalls. Compensating controls have significant functional impact - prioritize kernel patching over workarounds.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.140 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.127 Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.156 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.128 Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.170 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.118 Affected
Container suse/sle-micro/base-5.5:2.0.4-5.8.270 Affected
Container suse/sle-micro/kvm-5.5:2.0.4-3.5.520 Affected

Share

CVE-2026-31431 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy