CVE-2026-31431: Local Privilege Escalation via Page Cache Corruption in Linux Kernel AF_ALG

The Linux kernel exposes internal cryptographic algorithms to userspace via the AF_ALG socket family. This interface allows unprivileged userland applications to bind to specific algorithms, manage cryptographic sessions, and process data using kernel-space implementations. The vulnerability resides specifically within the Authenticated Encryption with Associated Data (AEAD) module, algif_aead, which manages data flow for algorithms such as authencesn(hmac(sha256),cbc(aes)).

The underlying flaw is classified as an Incorrect Resource Transfer Between Spheres (CWE-669). When algif_aead operates on incoming data, it attempts to optimize memory utilization by processing the decryption "in-place." This optimization avoids allocating redundant memory buffers by reusing the source memory region as the destination memory region for the cryptographic output.

The vulnerability manifests when an unprivileged user leverages the splice() system call to transfer file data into an AF_ALG socket. splice() passes file pages by reference rather than copying data. Consequently, the in-place decryption optimization directly operates on the memory-mapped pages of the source file. This allows an attacker to manipulate the cryptographic subsystem into writing controlled data into the page cache of sensitive system files, bypassing standard filesystem access controls.

The security impact is immediate and severe. By targeting SUID root binaries, such as /usr/bin/su, an attacker can overwrite critical executable instructions in memory. When the modified binary is executed, the kernel grants root privileges to the invoking user. Because the page cache is a shared kernel resource, this vulnerability explicitly serves as a container escape primitive.

The mechanical failure occurs during the construction of the destination scatterlist (SGL) for in-place decryption. When userspace invokes splice() to pipe a file's contents into the AF_ALG socket, the kernel populates the input SGL with references to the struct page entries representing the file's page cache. The algif_aead subsystem constructs the destination SGL by chaining the user-provided receive buffer with the "tag" portion of the input SGL.

The vulnerability is triggered by the authencesn algorithm, which manages IPsec sequence numbers. During the decryption process, authencesn executes a write operation to insert a 4-byte sequence number (seqno_lo) into the destination SGL. The specific offset for this write is calculated dynamically as assoclen + cryptlen.

In an attacker-controlled configuration, the user's output buffer is sized exactly to the assoclen + cryptlen boundary. The chained "tag" pages, which consist of the spliced file's page cache, begin immediately after this buffer. Consequently, the 4-byte seqno_lo write operation calculates its destination address directly at the start of the first chained page.

This architecture bypasses the Virtual File System (VFS) permission checks. The kernel writes 4 bytes of attacker-controlled Associated Data (AAD) into the page cache without marking the corresponding page as "dirty." The modification exists exclusively in volatile memory, leaving the underlying disk structures entirely untouched and desynchronized from the execution context.

Analyzing the vulnerable code path requires examining the scatterlist construction logic within crypto/algif_aead.c. Prior to the patch, the module explicitly permitted the source and destination scatterlists to overlap during processing. The memory pages provided by splice() were directly mapped as writable destinations for the hardware or software crypto engines.

The remediation strategy implemented in commit a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 fundamentally alters this behavior. The patch removes the in-place operation optimization for AEAD configurations within AF_ALG. By forcing an "out-of-place" operation, the kernel allocates isolated anonymous pages for the destination SGL, decoupling the file's page cache from the cryptographic write context.

The data flow for the exploit can be visualized via the following execution trace:

The fix completely severs the connection between node C and node E in the flow above. The kernel now correctly identifies that memory pages populated via splice() are read-only backing stores and rejects overlapping write attempts from the internal cryptographic subsystem.

Exploitation of CVE-2026-31431 does not depend on probabilistic mechanisms. It is a straight-line logic flaw that guarantees deterministic exploitation without heap grooming or race conditions. The attack requires unprivileged access to the host system and read access to the target binary.

The attack sequence begins with the attacker opening a read-only file descriptor to a target SUID binary, typically /usr/bin/su. Concurrently, the attacker creates an AF_ALG socket and binds it to the authencesn(hmac(sha256),cbc(aes)) algorithm string. The socket requires specific configuration parameters set via setsockopt to align the assoclen and cryptlen variables.

The attacker invokes the splice() system call, passing the file descriptor of the target binary to the pipe connected to the AF_ALG socket. A subsequent sendmsg() call provides a specially crafted Associated Data (AAD) buffer containing the precise 4-byte payload. This payload typically consists of machine code designed to alter the binary's control flow.

Executing the decryption request forces the kernel to process the AAD buffer and write the 4-byte payload into the specified offset within the binary's page cache. The attacker repeats this process to write larger payloads sequentially. Once the payload is complete, executing the in-memory binary yields a root shell, concluding the exploitation phase.

The successful exploitation of this vulnerability results in a complete system compromise. By escalating privileges to the root user, an attacker gains unrestricted control over the operating system, bypassing all user-space access controls and isolation mechanisms. The CVSS v3.1 score of 7.8 accurately reflects the high impact on confidentiality, integrity, and availability.

The vulnerability is highly effective as a container escape mechanism. Containers share the host kernel and its associated page cache. An unprivileged attacker inside a container can modify the page cache of a shared binary. When a privileged process on the host or in another container executes the poisoned binary, the host system is compromised.

The stealth characteristics of this exploit present significant challenges for detection. Because the page cache is modified directly without triggering the kernel's dirty page tracking, the changes are never written back to the disk. On-disk file integrity monitoring systems, such as Tripwire or AIDE, will compute hashes based on the unmodified disk blocks and will fail to detect the active compromise.

The modification persists in memory until the kernel's memory management subsystem reclaims the specific page under high memory pressure, or until the system is rebooted. This volatility allows attackers to establish persistence through other means while leaving minimal forensic artifacts within the system's storage.

The definitive remediation for CVE-2026-31431 requires upgrading the Linux kernel to a patched version. Distributions have issued security updates that incorporate mainline commit a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 and its dependencies. System administrators must apply these updates and reboot the affected hosts to eliminate the vulnerability.

Organizations operating in environments where immediate patching is unfeasible must implement preventative workarounds. Disabling the algif_aead kernel module prevents unprivileged users from instantiating the vulnerable socket configuration. This mitigation completely blocks the attack vector at the cost of breaking user-space applications that rely on hardware-accelerated AEAD cryptography.

To disable the module, administrators must update the modprobe configuration to map the module to /bin/false. Specifically, executing echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf prevents the module from loading dynamically. Active modules must be unloaded using rmmod algif_aead.

Detection strategies should leverage system call auditing to identify exploitation attempts. Security teams can deploy Auditd rules to monitor unprivileged invocations of socket(AF_ALG, ...) followed by splice() operations. Monitoring for EBADMSG errors from AF_ALG sockets provides secondary telemetry, as the cryptographic checksum fails following the intentional page cache corruption.