Cloudflare detected, mitigated, and confirmed zero exploitation of CVE-2026-31431, a Linux kernel local privilege escalation via algif_aead, across its infrastructure in 330 cities.
Key Takeaways
The bug is an out-of-bounds 4-byte write in authencesn, reachable by an unprivileged local process through AF_ALG/algif_aead; the attacker can use it to patch a setuid binary such as /usr/bin/su in the page cache and then run the patched copy.
Cloudflare’s behavioral detection flagged the exploit chain within minutes during internal validation, without a signature update or rule change.
The fastest mitigation was a BPF LSM program attached to the socket_bind hook, denying AF_ALG binds from any process not on the list of known-legitimate users; it was deployed fleet-wide without a reboot while kernel patching continued.
An eBPF visibility pipeline tracing AF_ALG socket usage was rolled out fleet-wide first, to enumerate every legitimate user before the module was blocked.
Despite a roughly weekly kernel build cycle, the fleet was still vulnerable at disclosure because the upstream fix had not yet been backported to the 6.12 LTS line.
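A sketch of the audit-then-enforce BPF LSM guard described in the takeaways above, added here as an example; it is not Cloudflare's program. The policy (an allowlist of process names and an enforce switch) is plain C so it can be exercised in user space, and the socket_bind hook is compiled only when building with clang -target bpf. The allowlist entries, the file name, and the enforce variable are assumptions. Matching on comm is deliberately simple: comm is settable by the process itself via prctl(PR_SET_NAME), so once the inventory from the tracing pipeline exists, a real policy would key on something sturdier such as cgroup or executable path.

```c
/*
 * af_alg_guard.c (hypothetical name): audit, then deny, AF_ALG socket binds via BPF LSM.
 *
 * Policy unit test:  cc -Wall -o af_alg_guard_test af_alg_guard.c
 * BPF object:        clang -O2 -g -target bpf -D__TARGET_ARCH_x86 -c af_alg_guard.c -o af_alg_guard.bpf.o
 * Kernel needs CONFIG_BPF_LSM=y and "bpf" present in the lsm= boot parameter.
 */
#ifdef __bpf__
#include "vmlinux.h"           /* bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h */
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#else
#include <errno.h>
#ifndef __always_inline
#define __always_inline inline __attribute__((always_inline))
#endif
#endif

#ifndef EPERM
#define EPERM 1                /* avoid pulling libc headers into the BPF build */
#endif
#define AF_ALG_FAMILY 38       /* AF_ALG from <linux/socket.h> */
#define COMM_LEN 16            /* TASK_COMM_LEN */

/* Hypothetical allowlist: comm values permitted to bind AF_ALG. In practice it is
 * filled from the inventory the tracing pipeline produced, not written by hand. */
static const char allowed_comms[][COMM_LEN] = {
	"kcapi-bench",
	"tls-offloadd",
};
#define N_ALLOWED ((int)(sizeof(allowed_comms) / sizeof(allowed_comms[0])))

/* Bounded compare so the BPF verifier can unroll it; stops at the first NUL. */
static __always_inline int comm_equal(const char *a, const char *b)
{
	for (int i = 0; i < COMM_LEN; i++) {
		if (a[i] != b[i])
			return 0;
		if (a[i] == '\0')
			return 1;
	}
	return 1;
}

static __always_inline int comm_allowed(const char *comm)
{
	for (int i = 0; i < N_ALLOWED; i++)
		if (comm_equal(comm, allowed_comms[i]))
			return 1;
	return 0;
}

/*
 * Verdict for one bind(): 0 allows, -EPERM denies.
 * Non-AF_ALG sockets are never touched, and audit mode (enforce == 0) never denies;
 * audit mode is what runs while legitimate users are still being enumerated.
 */
static __always_inline int bind_verdict(int family, const char *comm, int enforce)
{
	if (family != AF_ALG_FAMILY)
		return 0;
	if (comm_allowed(comm))
		return 0;
	return enforce ? -EPERM : 0;
}

#ifdef __bpf__
/* Flipped to 1 by the loader (skeleton rodata) once the allowlist is complete. */
const volatile int enforce = 0;

SEC("lsm/socket_bind")
int BPF_PROG(guard_af_alg_bind, struct socket *sock, struct sockaddr *address, int addrlen)
{
	char comm[COMM_LEN];
	int verdict;

	if (address->sa_family != AF_ALG_FAMILY)
		return 0;

	bpf_get_current_comm(comm, sizeof(comm));
	verdict = bind_verdict(AF_ALG_FAMILY, comm, enforce);

	/* Every AF_ALG bind is logged in both modes; in audit mode this log is the inventory. */
	bpf_printk("af_alg bind pid=%d comm=%s verdict=%d",
		   (int)(bpf_get_current_pid_tgid() >> 32), comm, verdict);
	return verdict;
}

char LICENSE[] SEC("license") = "GPL";
#endif
```

Load the object with a libbpf skeleton (bpf_object__open, set rodata enforce, bpf_object__load, bpf_program__attach) and read the audit lines from /sys/kernel/tracing/trace_pipe. The hook only sees binds made after attach, so an AF_ALG socket that was already bound keeps working; the guard buys time, it does not replace the module block or the kernel update.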
Hacker News Comment Review
Commenters are most curious about the behavioral detection system: it watches for anomalous process execution patterns fleet-wide rather than matching specific CVE signatures, and the model is simple, an allowlist of processes expected to run as root, with anything else raising an alert.
Several operators noted that algif_aead is rarely used and that the simple mitigation (a modprobe blacklist plus rmmod) was trivially safe for most environments, suggesting Cloudflare's extra work came from internal users of the kernel crypto API. One caveat for anyone copying that recipe: a blacklist line in modprobe.d only prevents loading through the module's aliases, which is the path kernel autoload takes; an explicit modprobe algif_aead still succeeds unless an install algif_aead /bin/false line is present as well.
One commenter flagged a real supply-chain risk: LTS kernels from major distros may lag mainline security fixes by weeks, and here the month-old upstream fix had not been backported in time, undercutting the common assumption that LTS means patched.
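The allowlist model the commenters were asking about, reduced to code and run over a constructed batch of exec events; this is an added example, not Cloudflare's detector. The event fields, the per-role baseline, and the sample events are assumptions. The point it makes is that a patched su still looks like su when it executes, so the thing that stands out is the root shell it hands back, on a fleet where nobody is expected to get one.

```c
/*
 * root_exec_baseline.c (hypothetical name): flag root processes outside a per-role baseline.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define COMM_LEN 16

struct exec_event {
	unsigned int uid;            /* effective uid of the new process image */
	char comm[COMM_LEN];         /* program name of the executed image */
	char parent_comm[COMM_LEN];  /* comm of the parent at exec time */
};

/* Hypothetical baseline for one host role: programs expected to run as root here.
 * su is on it because it is a legitimate setuid program; what it spawns is not. */
static const char *const expected_root_comms[] = {
	"systemd", "sshd", "cron", "nginx", "su",
};
#define N_EXPECTED (sizeof(expected_root_comms) / sizeof(expected_root_comms[0]))

static int in_baseline(const char *comm)
{
	for (size_t i = 0; i < N_EXPECTED; i++)
		if (strncmp(comm, expected_root_comms[i], COMM_LEN) == 0)
			return 1;
	return 0;
}

/* 1 if the event is a root process outside the baseline, else 0.
 * Non-root events are ignored: the model only cares what runs as uid 0. */
static int unexpected_root_exec(const struct exec_event *ev)
{
	return ev->uid == 0 && !in_baseline(ev->comm);
}

/* Scans a batch, stores offending event indices in out (up to max_out), returns the total hits. */
static size_t scan_exec_events(const struct exec_event *evs, size_t n,
			       size_t *out, size_t max_out)
{
	size_t hits = 0;
	for (size_t i = 0; i < n; i++) {
		if (!unexpected_root_exec(&evs[i]))
			continue;
		if (hits < max_out)
			out[hits] = i;
		hits++;
	}
	return hits;
}

/* Renders one alert line, the record that would be shipped off-host. */
static int format_alert(const struct exec_event *ev, char *buf, size_t len)
{
	return snprintf(buf, len, "unexpected root exec: comm=%s parent=%s uid=%u",
			ev->comm, ev->parent_comm, ev->uid);
}

/* Constructed sample: two root daemons, an admin's unprivileged shell, then su
 * followed by the root shell and a root command run from it. */
static const struct exec_event sample_events[] = {
	{ 0,    "sshd", "systemd" },
	{ 0,    "cron", "systemd" },
	{ 1000, "bash", "sshd"    },
	{ 0,    "su",   "bash"    },
	{ 0,    "bash", "su"      },
	{ 0,    "cat",  "bash"    },
};
#define N_SAMPLE (sizeof(sample_events) / sizeof(sample_events[0]))

static size_t sample_alert_count(void)
{
	size_t idx[N_SAMPLE];
	return scan_exec_events(sample_events, N_SAMPLE, idx, N_SAMPLE);
}

/* Index into sample_events of the nth alert, or -1 when there is none. */
static int nth_sample_alert(size_t nth)
{
	size_t idx[N_SAMPLE];
	size_t hits = scan_exec_events(sample_events, N_SAMPLE, idx, N_SAMPLE);
	return nth < hits ? (int)idx[nth] : -1;
}

int main(void)
{
	char line[128];
	for (size_t i = 0; i < N_SAMPLE; i++) {
		if (!unexpected_root_exec(&sample_events[i]))
			continue;
		format_alert(&sample_events[i], line, sizeof(line));
		puts(line);
	}
	return 0;
}
```

The baseline is the hard part in practice: it has to be learned per host role, and an attacker who can rename their process (comm is writable by the process itself) can hide behind an allowlisted name, so production versions pair the name with the executable's path or hash and with the parent chain.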
Notable Comments
@mkj: Asks why a custom kernel build still shipped with AF_ALG enabled, a fair minimal-attack-surface question.
@electra2012: “older distro LTS kernels are getting all the security fixes Canonical and Redhat would want you to believe” – sharp call on LTS kernel security assumptions.