CVE-2026-31431 chains AF_ALG + splice() to write 4 controlled bytes into the page cache of any readable file, giving root via a 732-byte Python script.
Key Takeaways
Root cause: three independent kernel changes (2011 authencesn scratch write, 2015 AEAD interface, 2017 in-place optimization) intersect to place page cache pages in a writable scatterlist.
authencesn writes seqno_lo at dst[assoclen + cryptlen], past the output boundary, into chained page cache pages from splice(); recvmsg returns an error, but the write persists.
The corrupted page is never marked dirty, so on-disk checksums and file integrity tools miss it; only the in-memory page cache is modified.
Exploit works without races, retries, or compiled payloads – pure Python 3.10+ standard library – confirmed root on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, SUSE 16.
The same primitive crosses container boundaries because the page cache is shared host-wide; Part 2 covers Kubernetes node compromise.
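A defender-side check for the takeaway that the corrupted page is never marked dirty: compare the page-cache view of a file with an O_DIRECT read of the same file. This is an added example, not code from the original write-up; it assumes a Linux filesystem that supports O_DIRECT and that a direct read returns the on-disk bytes for a clean page, and the function names are hypothetical.

```python
import mmap
import os
import sys

PAGE = mmap.PAGESIZE
CHUNK = 256 * PAGE  # O_DIRECT needs page-aligned buffer, offset and length


def read_direct(path):
    """Read path bypassing the page cache; None if O_DIRECT is unavailable."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except (OSError, AttributeError):
        return None
    buf = mmap.mmap(-1, CHUNK)  # anonymous mapping, page-aligned
    out, off = bytearray(), 0
    try:
        while True:
            n = os.preadv(fd, [buf], off)
            out += buf[:n]
            off += n
            if n < CHUNK:  # short read: end of a regular file
                return bytes(out)
    except OSError:
        return None
    finally:
        buf.close()
        os.close(fd)


def differing_pages(cached, disk):
    """Indices of PAGE-sized pages where cached and on-disk bytes differ."""
    size = max(len(cached), len(disk))
    return [i // PAGE for i in range(0, size, PAGE)
            if cached[i:i + PAGE] != disk[i:i + PAGE]]


def check_file(path):
    """None if no direct read was possible, else list of mismatching pages."""
    disk = read_direct(path)
    if disk is None:
        return None
    with open(path, "rb") as f:  # buffered read, served from the page cache
        return differing_pages(f.read(), disk)


if __name__ == "__main__":
    for p in sys.argv[1:]:  # paths of files to verify
        print(p, check_file(p))
```

An empty list means the cached and on-disk views agree; a file that is being legitimately written while the check runs can also report differences.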
Hacker News Comment Review
Commenters note the vulnerability has been silently exploitable since 2017, introduced through incremental refactors each reasonable in isolation – a classic latent intersection bug.
No broader technical debate in current comments; discussion is minimal and the thread appears to be a duplicate of an earlier submission.