Cyber Resilience

CVE-2026-31431

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoCUpdated

Published: 22 April 2026

Published
22 April 2026
Modified
30 June 2026
KEV Added
01 May 2026
Patch
29 April 2026
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9677 99.9th percentile
Risk Priority 100 floored blend · peak EPSS

Summary

CVE-2026-31431 is a high-severity Incorrect Resource Transfer Between Spheres (CWE-669) vulnerability in Suse Linux Enterprise Server. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

The vulnerability resolved in CVE-2026-31431 affects the Linux kernel's crypto subsystem, specifically the algif_aead interface used for AEAD cipher operations via the AF_ALG socket family. The issue stems from commit 72548b093ee3, which introduced in-place operation handling; because source and destination buffers originate from separate memory mappings, this added unnecessary complexity around buffer management and associated data handling, classified under CWE-669.

Local users with access to the AF_ALG interface can exploit the flaw to achieve high-impact effects on confidentiality, integrity, and availability. An attacker able to supply crafted AEAD requests can leverage the in-place logic to corrupt or disclose kernel memory regions involved in cryptographic processing.

The referenced stable kernel commits revert the in-place changes while retaining direct copying of associated data, restoring out-of-place operation to eliminate the problematic code paths. These patches have been applied across multiple maintained branches.

EPSS scores rose from a low baseline to a recorded peak of 0.0406, indicating emerging exploitation interest after public disclosure.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since…

more

the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.

CWE(s)
KEV Date Added
01 May 2026

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel vulnerability in crypto subsystem with low-priv attacker and full C/I/A impact directly enables T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2023-4911Same product: Canonical Ubuntu Linuxboth on KEV
CVE-2025-41244Same product: Debian Debian Linuxboth on KEV
CVE-2025-38352Same product: Debian Debian Linuxboth on KEV
CVE-2021-4034Same product: Canonical Ubuntu Linuxboth on KEV
CVE-2025-22225Same vendor: Vmwareboth on KEV
CVE-2014-6271Same product: Canonical Ubuntu Linuxboth on KEV
CVE-2016-5195Same product: Canonical Ubuntu Linuxboth on KEV
CVE-2026-24061Same product: Debian Debian Linuxboth on KEV
CVE-2025-41660Shared CWE-669
CVE-2025-22226Same vendor: Vmwareboth on KEV

Affected Assets

linux
linux kernel
7.0 · 4.14 — 5.10.254 · 5.11 — 5.15.204 · 5.16 — 6.1.170
redhat
openshift container platform
4.0
redhat
enterprise linux
10.0, 10.1, 8.0, 9.0
amazon
amazon linux
all versions
canonical
ubuntu linux
14.04, 16.04, 18.04, 20.04, 22.04
debian
debian linux
11.0, 12.0, 13.0
opensuse
leap
15.3, 15.4, 15.5, 15.6
suse
caas platform
4.0
suse
enterprise storage
6.0, 7.0, 7.1
suse
manager proxy
4.0, 4.1, 4.2, 4.3
+29 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Restricts local user access to the AF_ALG socket interface so only authorized processes can submit AEAD requests to algif_aead.

prevent

Enforces mandatory access checks on /proc/crypto and AF_ALG sockets before any in-place AEAD buffer handling occurs.

prevent

Disables or removes the algif_aead kernel module when AF_ALG AEAD functionality is not required, eliminating the vulnerable code path.

References