CVE-2026-31431: Linux Kernel AEAD Bug Fix
Active exploitation confirmed in the wild. CISA added this to the KEV catalog on 2026-05-01. Federal agencies must patch by 2026-05-15.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-31431 |
| CVSS score | 7.8 |
| Attack vector | Unknown |
| Authentication required | Unknown |
| Patch status | Fix/backports exist |
TL;DR - KEV-listed Linux kernel crypto bug in
algif_aeadtied to unsafe in-place handling. - Treat as exploited: prioritize kernel updates and restrict AF_ALG exposure. - Urgency: High.
Vulnerability at a Glance
CVE-2026-31431 is a Linux kernel vulnerability in the crypto subsystem, specifically in the algif_aead code path used by the AF_ALG socket interface for AEAD operations. The issue was resolved by reverting to operating out-of-place, eliminating in-place complexity that could lead to memory safety vulnerabilities.
Operationally, this matters because AF_ALG is a kernel/userspace boundary: userspace supplies buffers/parameters, and the kernel’s crypto code processes them. Bugs in buffer handling can lead to memory corruption, leakage, or other incorrect resource transfer behaviors.
Quick Facts Defenders Can Act On
The NVD record references several Linux stable commits as fixes/backports. If you maintain your own kernels, you can use those commit IDs to confirm your tree includes the fixes. If you consume vendor kernels, map those commits to vendor advisories.
What Is This Vulnerability?
The fix, titled:
crypto: algif_aead - Revert to operating out-of-place
removes the in-place complexity and copies associated data directly. This indicates vulnerabilities stem from unsafe assumptions when handling in-place encryption/decryption.
Technical Notes: Where It Lives
algif_aead is part of the Linux kernel crypto API plumbing for AF_ALG. Exploitation attempts may involve:
- Creating AF_ALG sockets with AEAD types
- Supplying associated data and plaintext/ciphertext buffers
- Triggering encrypt/decrypt operations
Who Is Affected?
At minimum, systems running Linux kernels that include the vulnerable algif_aead in-place logic are affected. The exact affected version ranges are not enumerated, so treat this as a kernel-line issue fixed via stable backports.
Fixed Version Number
- Fixed version number: Unknown from accessible primary sources.
- Fixed by commit(s): NVD references stable commits.
CVSS Score Breakdown
The CVSS score of 7.8 indicates a high severity. CISA KEV inclusion is a stronger prioritization signal than CVSS alone, indicating observed exploitation.
Exploitation Status
Exploited in the wild: Yes. CVE-2026-31431 is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog.
How to Detect It
Detection is challenging for kernel crypto boundary issues. Start by identifying whether AF_ALG is actively used in your environment. Look for signs of kernel instability or unusual syscalls from untrusted contexts.
Technical Notes (Detection)
-
Auditd Rule to Log AF_ALG Socket Creation:
bash auditctl -a always,exit -F arch=b64 -S socket -k net-socket -
Process-Level Discovery:
bash ss -a -f alg 2>/dev/null || true -
Kernel Log Patterns:
bash journalctl -k --since "2026-05-01" | grep -E "algif_aead|AF_ALG"
Mitigation and Patching
The preferred mitigation is to update to a kernel build that includes the stable backport fixes. If you manage fleets, prioritize patching based on exposure.
Technical Notes (Mitigation)
Debian/Ubuntu (APT):
sudo apt update
sudo apt install --only-upgrade linux-image-generic linux-headers-generic
sudo reboot
RHEL/CentOS (DNF/YUM):
sudo dnf update -y kernel
sudo reboot
References
For additional information on incident response, see our article on What is an Incident Response Plan.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.