Active KEV: CVE-2026-31431 (2026-05-17)

CVE-2026-31431: Linux Kernel algif_aead Flaw Enables Local Privilege Escalation

"A high-severity Linux kernel vulnerability in the `algif_aead` crypto interface allows local, low-privileged users to escalate to root, and CISA has confirmed it warrants urgent federal remediation."

What Is It

CVE-2026-31431 is an incorrect resource transfer between spheres vulnerability (CWE-669) in the Linux kernel's algif_aead crypto module. The flaw stems from in-place operation in algif_aead, where source and destination buffers come from different mappings. The upstream fix reverts commit 72548b093ee3 (except for the copying of associated data) so that algif_aead operates out-of-place, removing the complexity added for in-place handling. The issue carries a CVSS 3.1 base score of 7.8 (HIGH), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, local access, low privileges, no user interaction, with high impact to confidentiality, integrity, and availability.

Why It Matters

CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-05-01, confirming active exploitation in the wild. Known ransomware campaign use is listed as Unknown. Because the flaw allows privilege escalation from any local unprivileged account, it is a prime post-initial-access primitive; attackers who land on a Linux host through phishing, a web app foothold, or a compromised container can pivot to root and the kernel.

What's Vulnerable

The vulnerability affects a broad sweep of mainline Linux kernels from 4.14 through 6.19.12, plus the 7.0 release candidates rc1–rc6. Specifically, kernels are vulnerable from 4.14 up to (not including) 5.10.254, from 5.11 up to 5.15.204, from 5.16 up to 6.1.170, from 6.2 up to 6.6.137, from 6.7 up to 6.12.85, from 6.13 up to 6.18.22, and from 6.19 up to 6.19.12; the upper bound of each range is the first fixed release for that series. Downstream distributions explicitly listed include Red Hat Enterprise Linux 8/9/10/10.1, OpenShift Container Platform 4.0, Amazon Linux, Ubuntu, Debian 11/12/13, and openSUSE Leap 15.3–15.6.

Patch Status

Fixed in upstream stable kernels 5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.22, and 6.19.12. CISA's required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Federal due date: 2026-05-15.
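The version ranges in "What's Vulnerable" and the fixed releases in "Patch Status" are easiest to act on as a triage check. The script below is an added example, not code from this brief, CISA, or any kernel vendor: it parses a `uname -r` string, maps it onto the ranges listed above, reports the upstream release that closes that series, and separately checks whether `algif_aead` shows up as a loaded module in `/proc/modules` text. The `/proc/modules` sample is constructed for the example. The result is deliberately labelled as a prompt to consult the vendor advisory, because distribution kernels backport fixes without changing the upstream version number, so a version-only match is not a confirmed vulnerable host and a clean version is not proof of a fix.

```python
"""Added example (not code from the brief, CISA, or any kernel vendor): map a
`uname -r` string onto the vulnerable version ranges the brief lists for
CVE-2026-31431 and report which upstream stable release closes that series.

Assumption built into the result: distributions backport fixes without
changing the upstream version number, so "vulnerable by version" means
"check the vendor advisory", never "confirmed exploitable"."""

import platform
import re
from typing import Dict, Optional, Tuple

# (first affected, first fixed) per stable series, exactly as the brief lists
# them. A kernel v is inside a range when first_affected <= v < first_fixed.
VULNERABLE_RANGES = [
    ((4, 14, 0), (5, 10, 254)),
    ((5, 11, 0), (5, 15, 204)),
    ((5, 16, 0), (6, 1, 170)),
    ((6, 2, 0), (6, 6, 137)),
    ((6, 7, 0), (6, 12, 85)),
    ((6, 13, 0), (6, 18, 22)),
    ((6, 19, 0), (6, 19, 12)),
]
LAST_AFFECTED_70_RC = 6  # brief: 7.0 rc1 through rc6 are affected

BACKPORT_NOTE = ("version is inside a vulnerable range; confirm with the vendor "
                 "advisory, since distro kernels backport fixes without "
                 "changing the upstream version")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(release: str) -> Tuple[int, int, int, Optional[int]]:
    """Parse the leading 'X.Y[.Z][-rcN]' of a `uname -r` string.

    Distro suffixes such as '-generic', '.el9_3.x86_64' or '-amd64' are
    ignored. Returns (major, minor, patch, rc); rc is None for a release.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)


def assess(release: str) -> Dict[str, object]:
    """Classify one kernel release string against the brief's ranges."""
    major, minor, patch, rc = parse_kernel_version(release)
    v = (major, minor, patch)
    result: Dict[str, object] = {"release": release, "vulnerable": False,
                                 "fixed_in": None, "note": ""}
    if (major, minor) == (7, 0) and rc is not None:
        # 7.0 release candidates are listed separately from the stable ranges.
        result["vulnerable"] = rc <= LAST_AFFECTED_70_RC
        result["note"] = ("7.0 rc1-rc6 are listed as affected" if result["vulnerable"]
                          else "later than the 7.0 release candidates listed as affected")
        return result
    for first_affected, first_fixed in VULNERABLE_RANGES:
        if first_affected <= v < first_fixed:
            result["vulnerable"] = True
            result["fixed_in"] = ".".join(map(str, first_fixed))
            result["note"] = BACKPORT_NOTE
            return result
    result["note"] = "not inside any vulnerable range listed in the brief"
    return result


def algif_aead_loaded(proc_modules_text: str) -> bool:
    """True if algif_aead appears as a loaded module in /proc/modules content.

    A built-in (=y) algif_aead does not appear here, so False is not proof of
    absence; pair it with the version check above.
    """
    return any(line.split()[0] == "algif_aead"
               for line in proc_modules_text.splitlines() if line.strip())


if __name__ == "__main__":
    # Constructed sample of /proc/modules lines, not captured from a real host.
    SAMPLE_PROC_MODULES = (
        "algif_aead 16384 0 - Live 0x0000000000000000\n"
        "af_alg 32768 1 algif_aead, Live 0x0000000000000000\n"
        "xfs 1781760 1 - Live 0x0000000000000000\n"
    )
    try:
        print(assess(platform.release()))
    except ValueError as exc:  # non-Linux release strings do not parse
        print(exc)
    print("algif_aead loaded (sample):", algif_aead_loaded(SAMPLE_PROC_MODULES))
```

On a real host, replace the constructed sample with the contents of `/proc/modules`; a `True` there together with a vulnerable version is the combination that should move a host to the front of the remediation queue, while a `False` only means the module is not currently loaded, not that the interface is unavailable.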

Sources