eastbaycyber

CVE-2026-31431: Linux Kernel AEAD Bug Fix

CVE explainers 3 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-05-16
CISA Known Exploited Vulnerability

Active exploitation confirmed in the wild. CISA added this to the KEV catalog on 2026-05-01. Federal agencies must patch by 2026-05-15.

▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-31431
CVSS score 7.8
Attack vector Unknown
Authentication required Unknown
Patch status Fix/backports exist

TL;DR - KEV-listed Linux kernel crypto bug in algif_aead tied to unsafe in-place handling. - Treat as exploited: prioritize kernel updates and restrict AF_ALG exposure. - Urgency: High.

Vulnerability at a Glance

CVE-2026-31431 is a Linux kernel vulnerability in the crypto subsystem, specifically in the algif_aead code path used by the AF_ALG socket interface for AEAD operations. The issue was resolved by reverting to operating out-of-place, eliminating in-place complexity that could lead to memory safety vulnerabilities.

Operationally, this matters because AF_ALG is a kernel/userspace boundary: userspace supplies buffers/parameters, and the kernel’s crypto code processes them. Bugs in buffer handling can lead to memory corruption, leakage, or other incorrect resource transfer behaviors.

Quick Facts Defenders Can Act On

The NVD record references several Linux stable commits as fixes/backports. If you maintain your own kernels, you can use those commit IDs to confirm your tree includes the fixes. If you consume vendor kernels, map those commits to vendor advisories.

What Is This Vulnerability?

The fix, titled:

crypto: algif_aead - Revert to operating out-of-place

removes the in-place complexity and copies associated data directly. This indicates vulnerabilities stem from unsafe assumptions when handling in-place encryption/decryption.

Technical Notes: Where It Lives

algif_aead is part of the Linux kernel crypto API plumbing for AF_ALG. Exploitation attempts may involve:

  • Creating AF_ALG sockets with AEAD types
  • Supplying associated data and plaintext/ciphertext buffers
  • Triggering encrypt/decrypt operations
AnalystImpact · assess the risk

Who Is Affected?

At minimum, systems running Linux kernels that include the vulnerable algif_aead in-place logic are affected. The exact affected version ranges are not enumerated, so treat this as a kernel-line issue fixed via stable backports.

Fixed Version Number

  • Fixed version number: Unknown from accessible primary sources.
  • Fixed by commit(s): NVD references stable commits.

CVSS Score Breakdown

The CVSS score of 7.8 indicates a high severity. CISA KEV inclusion is a stronger prioritization signal than CVSS alone, indicating observed exploitation.

Exploitation Status

Exploited in the wild: Yes. CVE-2026-31431 is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog.

ResponderRunbook · act now

How to Detect It

Detection is challenging for kernel crypto boundary issues. Start by identifying whether AF_ALG is actively used in your environment. Look for signs of kernel instability or unusual syscalls from untrusted contexts.

Technical Notes (Detection)

  1. Auditd Rule to Log AF_ALG Socket Creation: bash auditctl -a always,exit -F arch=b64 -S socket -k net-socket

  2. Process-Level Discovery: bash ss -a -f alg 2>/dev/null || true

  3. Kernel Log Patterns: bash journalctl -k --since "2026-05-01" | grep -E "algif_aead|AF_ALG"

Mitigation and Patching

The preferred mitigation is to update to a kernel build that includes the stable backport fixes. If you manage fleets, prioritize patching based on exposure.

Technical Notes (Mitigation)

Debian/Ubuntu (APT):

sudo apt update
sudo apt install --only-upgrade linux-image-generic linux-headers-generic
sudo reboot

RHEL/CentOS (DNF/YUM):

sudo dnf update -y kernel
sudo reboot

References

For additional information on incident response, see our article on What is an Incident Response Plan.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.