CVE-2026-31431: a straight-line logic flaw in authencesn chains through AF_ALG and splice() into a 4-byte page-cache write, rooting every Linux kernel built since 2017.
Key Takeaways
No race window, no per-distro kernel offsets required; the same 732-byte Python 3.10+ stdlib script works unmodified across Ubuntu, Amazon Linux, RHEL, and SUSE.
The root cause is a 2017 algif_aead in-place optimization that lets page-cache pages land in a writable destination scatterlist, silently exploitable for nearly a decade.
The exploit edits the page cache of a setuid binary (it defaults to /usr/bin/su); the change does not survive a reboot, but the resulting root shell is real.
Container escape: because the page cache is shared across the host, a pod with local execution can compromise the node and cross tenant boundaries.
Immediate mitigation before patching: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf && rmmod algif_aead; disabling the module does not affect dm-crypt, kTLS, IPsec, SSH, or OpenSSL defaults.
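An added status check for the mitigation above, written for this summary and not taken from the disclosure page or the thread: it reports whether the running kernel is at or past the fix, whether algif_aead is loaded, and whether the modprobe install rule is on disk, and applies the rule only when asked. It assumes the fix thresholds a commenter reported for Arch/CachyOS kernels (6.18.22, 6.19.12, 7.0) and the config path from the mitigation; vendor kernels that backport the fix keep older version strings and will be reported as before the fix.

```shell
#!/bin/sh
# Added example, not code from the disclosure page or the HN thread.
# Assumptions: fix thresholds are the Arch/CachyOS ones reported by a
# commenter (6.18.22, 6.19.12, 7.0); backported vendor kernels will
# show as "before reported fix" because their version strings are older.
CONF=${CONF:-/etc/modprobe.d/disable-algif.conf}

# Convert "x.y.z[-suffix]" into one integer so versions compare numerically.
vnum() {
    v=${1%%-*}
    oldifs=$IFS; IFS=.
    set -- $v
    IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Return 0 when version $1 is at or after version $2.
version_ge() { [ "$(vnum "$1")" -ge "$(vnum "$2")" ]; }

# Return 0 when kernel release $1 is at or past the fix reported for its series.
# Series the thread gives no threshold for are conservatively treated as unfixed.
kernel_is_patched() {
    case "$1" in
        6.18.*) version_ge "$1" 6.18.22 ;;
        6.19.*) version_ge "$1" 6.19.12 ;;
        *)      version_ge "$1" 7.0 ;;
    esac
}

# Return 0 when the algif_aead module is currently loaded.
algif_aead_loaded() { grep -q '^algif_aead ' /proc/modules 2>/dev/null; }

# Return 0 when the "install algif_aead /bin/false" rule is already in $CONF.
mitigation_present() {
    grep -qs '^install[[:space:]][[:space:]]*algif_aead[[:space:]][[:space:]]*/bin/false' "$CONF"
}

# Write the rule and unload the module (needs root; rmmod fails while in use).
apply_mitigation() {
    mitigation_present || echo "install algif_aead /bin/false" > "$CONF" || return 1
    ! algif_aead_loaded || rmmod algif_aead
}

report() {
    k=$(uname -r)
    kernel_is_patched "$k" && echo "kernel $k: at/after reported fix" || echo "kernel $k: before reported fix"
    algif_aead_loaded && echo "algif_aead: loaded" || echo "algif_aead: not loaded"
    mitigation_present && echo "install rule: present in $CONF" || echo "install rule: absent"
}

case "${1:-report}" in apply) apply_mitigation ;; *) report ;; esac
```

Run it with no arguments for a read-only status report; `apply` writes the rule and unloads the module, which needs root.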
Hacker News Comment Review
Multiple commenters immediately flagged the disclosure page listing “RHEL 14.3” as a tested distribution – RHEL’s current major is 10.x – raising questions about how carefully the marketing copy was reviewed versus the actual exploit work.
The disclosure page is vague on exact patched kernel versions; community members filled the gap, noting that the fix lands in 6.18.22+, 6.19.12+, and 7.0+ for Arch-based distros, a detail absent from the official mitigation section.
At least one commenter confirmed the exploit fails with an authentication token error on a patched Arch kernel (6.19.14-arch1-1), suggesting the fix is effective where deployed.
Notable Comments
@embedding-shape: Supplies the concrete patch version thresholds the page omits: 6.18.22+, 6.19.12+, 7.0+ for Arch/CachyOS; notes downstream stable series may still be vulnerable.
@jzb: “RHEL 14.3, which doesn’t exist. Current RHEL is 10.x, this must’ve been done in a TARDIS.”