CVE-2026-31431
Published: 22 April 2026
Summary
CVE-2026-31431 is a high-severity Incorrect Resource Transfer Between Spheres (CWE-669) vulnerability in Suse Linux Enterprise Server. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
The vulnerability resolved in CVE-2026-31431 affects the Linux kernel's crypto subsystem, specifically the algif_aead interface used for AEAD cipher operations via the AF_ALG socket family. The issue stems from commit 72548b093ee3, which introduced in-place operation handling; because source and destination buffers originate from separate memory mappings, this added unnecessary complexity around buffer management and associated data handling, classified under CWE-669.
Local users with access to the AF_ALG interface can exploit the flaw to achieve high-impact effects on confidentiality, integrity, and availability. An attacker able to supply crafted AEAD requests can leverage the in-place logic to corrupt or disclose kernel memory regions involved in cryptographic processing.
The referenced stable kernel commits revert the in-place changes while retaining direct copying of associated data, restoring out-of-place operation to eliminate the problematic code paths. These patches have been applied across multiple maintained branches.
EPSS scores rose from a low baseline to a recorded peak of 0.0406, indicating emerging exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24639
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since…
more
the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
- CWE(s)
- KEV Date Added
- 01 May 2026
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel vulnerability in crypto subsystem with low-priv attacker and full C/I/A impact directly enables T1068 (Exploitation for Privilege Escalation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Restricts local user access to the AF_ALG socket interface so only authorized processes can submit AEAD requests to algif_aead.
Enforces mandatory access checks on /proc/crypto and AF_ALG sockets before any in-place AEAD buffer handling occurs.
Disables or removes the algif_aead kernel module when AF_ALG AEAD functionality is not required, eliminating the vulnerable code path.