Cyber Posture

CVE-2026-31431

HighCISA KEVActive ExploitationPublic PoCUpdated

Published: 22 April 2026

Published
22 April 2026
Modified
18 May 2026
KEV Added
01 May 2026
Patch
29 April 2026
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0257 85.7th percentile
Risk Priority 37 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31431 is a high-severity Incorrect Resource Transfer Between Spheres (CWE-669) vulnerability in Suse Linux Enterprise Server. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 14.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the vulnerability by requiring timely application of Linux kernel patches that revert the unnecessary in-place operation in algif_aead.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

Enables identification of systems affected by CVE-2026-31431 through regular vulnerability scanning of kernel versions.

SI-16 Memory Protection partial match
prevent

Mitigates potential memory corruption from improper in-place operations on different mappings via mechanisms like ASLR and non-executable memory.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Local kernel vulnerability in crypto subsystem with low-priv attacker and full C/I/A impact directly enables T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since…

more

the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.

Deeper analysisAI

CVE-2026-31431 is a vulnerability in the Linux kernel's crypto/algif_aead component, stemming from an unnecessary in-place operation introduced in commit 72548b093ee3. The fix reverts to out-of-place operation, retaining only the copying of associated data, as source and destination buffers originate from different mappings, providing no performance benefit while adding complexity. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-669.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact disruption to confidentiality, integrity, and availability.

Mitigation involves applying the stable kernel patches referenced in the following commits: 19d43105a97be0810edbda875f2cd03f30dc130c, 3115af9644c342b356f3f07a4dd1c8905cd9a6fc, 893d22e0135fa394db81df88697fba6032747667, 8b88d99341f139e23bdeb1027a2a3ae10d341d82, and 961cfa271a918ad4ae452420e7c303149002875b, available via git.kernel.org.

Details

CWE(s)
CWE-669
KEV Date Added
01 May 2026

Affected Products

linux
linux kernel
7.0 · 4.14 — 5.10.254 · 5.11 — 5.15.204 · 5.16 — 6.1.170
redhat
openshift container platform
4.0
redhat
enterprise linux
10.0, 10.1, 8.0, 9.0
amazon
amazon linux
all versions
canonical
ubuntu linux
all versions
debian
debian linux
11.0, 12.0, 13.0
opensuse
leap
15.3, 15.4, 15.5, 15.6
suse
caas platform
4.0
suse
enterprise storage
6.0, 7.0, 7.1
suse
manager proxy
4.0, 4.1, 4.2, 4.3
+29 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-41244Same product: Debian Debian Linuxboth on KEV
CVE-2025-38352Same product: Debian Debian Linuxboth on KEV
CVE-2025-22225Same vendor: Vmwareboth on KEV
CVE-2026-24061Same product: Debian Debian Linuxboth on KEV
CVE-2025-41660Shared CWE-669
CVE-2026-33265Shared CWE-669
CVE-2025-22226Same vendor: Vmwareboth on KEV
CVE-2026-39860Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31532Same product: Linux Linux Kernel

References