The Cybersecurity and Infrastructure Security Agency recently expanded its Known Exploited Vulnerabilities catalog to include CVE-2026-31431, a logic flaw in the Linux kernel’s cryptographic template. This vulnerability, discovered by researchers at Xint Code, affects a wide range of popular distributions including Ubuntu, Red Hat Enterprise Linux, SUSE, and Amazon Linux. The flaw is particularly dangerous because it allows a local user to execute a deterministic 4-byte write into the page cache of any readable file, which can lead to a full system takeover. Because the exploit targets memory rather than the physical disk, the changes are silent and difficult for traditional security tools to detect.
The technical root of the issue lies in the interaction between the kernel's crypto subsystem and the splice system call. By using an unprivileged AF_ALG socket, an attacker can map sensitive file pages into a cryptographic operation. A specific error in the authencesn algorithm causes the kernel to use the output buffer as a scratch space, inadvertently writing controlled data past the intended boundary. This extra write lands directly in the page cache of a chosen file, such as a setuid-root binary. Because the kernel does not mark these corrupted pages as dirty, the file on the disk remains original while the version running in memory is compromised.
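Because the corrupted pages are never written back, the copy on disk and the copy the kernel will actually execute can be compared directly: hash a setuid binary once through the page cache (what exec() loads) and once with O_DIRECT, which bypasses the page cache on filesystems that support it, and alert when the two differ. The following integrity check is an added example, not code from the original report or from Xint Code; the 1 MiB block size and the `classify` verdict strings are assumptions, and it assumes a Linux filesystem that honours O_DIRECT (ext4, XFS).

```python
import hashlib
import mmap
import os

BLOCK = 1 << 20  # 1 MiB: a multiple of any sector/page alignment O_DIRECT requires


def sha256_via_page_cache(path):
    """Hash the file as exec() would see it: through the page cache."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_via_direct_io(path):
    """Hash on-disk bytes via O_DIRECT, which bypasses the page cache; returns
    None if O_DIRECT is unavailable or the filesystem rejects it (tmpfs and some
    overlay setups fail with EINVAL), so "could not check" != "mismatch"."""
    flag = getattr(os, "O_DIRECT", None)
    if flag is None:
        return None
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError:
        return None
    h = hashlib.sha256()
    buf = mmap.mmap(-1, BLOCK)  # anonymous mmap is page-aligned, as O_DIRECT needs
    try:
        while True:
            n = os.readv(fd, [buf])  # a short read at EOF is normal
            if n == 0:
                break
            h.update(buf[:n])
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()


def classify(cached_digest, direct_digest):
    """Verdict for one file: classify(sha256_via_page_cache(p), sha256_via_direct_io(p))."""
    if direct_digest is None:
        return "unsupported"  # could not bypass the cache on this filesystem
    if cached_digest == direct_digest:
        return "consistent"
    return "page-cache-mismatch"  # in-memory copy differs from disk: investigate
```

The check only catches a corrupted copy while it is still resident: evicting clean pages (a reboot, or the `vm.drop_caches` sysctl) discards the cached version along with the evidence, so run it over setuid binaries before remediation if you want to confirm exposure.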
To carry out the attack, an operator uses a small script to target a common binary like the su utility. After binding to the vulnerable cryptographic mode and setting the parameters, the attacker uses the recv system call to trigger the decryption process. This process repeats until enough shellcode has been injected into the cached version of the binary. When the attacker subsequently executes the utility, the kernel loads the corrupted code from the cache. Since the utility naturally runs with root privileges, the injected code provides the attacker with total control over the operating system.
Research shows that this vulnerability has been present in the Linux kernel since an optimization made in 2017. It is highly portable and effective across different architectures, making it a more reliable threat than previous kernel exploits like Dirty Cow. The simplicity of the exploit is a major concern, as a script under one kilobyte in size can consistently achieve root access on modern systems such as Ubuntu 24.04 or RHEL 10.1. Furthermore, because it exploits the shared page cache, the vulnerability can be used to escape Kubernetes containers and move laterally within cloud environments.
In response to the active exploitation of this flaw, CISA has issued a directive requiring federal agencies to remediate the vulnerability by May 15, 2026. While the mandate specifically applies to Federal Civilian Executive Branch agencies, cybersecurity experts strongly advise private organizations to prioritize patching their Linux infrastructure. Most major distributions have released updates to address the logic bug in the cryptographic subsystem, and administrators are encouraged to apply these kernel patches immediately to prevent unauthorized privilege escalation.
Source: https://www.cisa.gov/news-events/alerts/2026/05/01/cisa-adds-one-known-exploited-vulnerability-catalog