CVE-2026-31431 is an out-of-bounds write in algif_aead that an attacker can use to taint setuid binaries in the page cache; Cloudflare confirmed zero impact and deployed a BPF LSM mitigation before patching kernels.
Key Takeaways
The bug is a 4-byte out-of-bounds write in authencesn triggered via recvmsg(), allowing an unprivileged user to overwrite any file in the page cache, including /usr/bin/su.
Cloudflare’s behavioral detection flagged an internal exploit validation within minutes, with no signature update or rule change needed.
Quick mitigation used a BPF LSM program that denies the socket_bind hook for AF_ALG sockets, avoiding module removal that would have broken legitimate kTLS and IPsec users.
A fleet-wide eBPF visibility pipeline traced all AF_ALG socket usage, giving engineers a complete picture of legitimate users before enforcing the block.
Full kernel patch rollout used the existing four-week Edge Reboot Release pipeline; most infrastructure ran 6.12 LTS with a subset transitioning to 6.18.
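An added example of the visibility step described above, not Cloudflare's own pipeline code: a bpftrace script that records every AF_ALG socket() call on a host and summarizes the calling processes, which is the inventory you would want before denying socket_bind for that family. It assumes bpftrace is installed, the kernel exposes the syscalls:sys_enter_socket tracepoint, and AF_ALG has its standard value of 38.

```bpftrace
#!/usr/bin/env bpftrace
// Added example (not from the original page): inventory AF_ALG socket users.
// AF_ALG is address family 38; the socket() tracepoint exposes family, type
// and protocol directly, so no user-memory reads are needed here.

BEGIN
{
    printf("Tracing AF_ALG socket() calls; Ctrl-C to print the summary\n");
}

tracepoint:syscalls:sys_enter_socket
/args->family == 38/
{
    // One line per event, suitable for shipping to a fleet-wide collector.
    printf("%-16s pid=%-7d uid=%-6d type=%d proto=%d\n",
           comm, pid, uid, args->type, args->protocol);
    // Aggregate by (process name, uid): this is the set of legitimate users
    // that a socket_bind deny rule for AF_ALG would affect.
    @alg_users[comm, uid] = count();
}

END
{
    printf("\nAF_ALG socket() calls by (comm, uid):\n");
    print(@alg_users);
    clear(@alg_users);
}
```

Run it as root for a representative window on each host class; an empty summary supports enforcing the block, while entries for kTLS or IPsec daemons show what the block would break.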
Hacker News Comment Review
Commenters want more detail on Cloudflare’s behavioral detection system, specifically whether it uses a process allowlist for root execution rather than vulnerability-specific signatures.
Discussion flagged that HN strips leading “How” from titles, obscuring that this is a detailed technical walkthrough rather than a brief incident notice.