Overview
- CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities list Friday, citing evidence that attackers are already using it.
- The flaw in the Linux kernel’s crypto authentication template lets a user overwrite four bytes in the in‑memory page cache of readable files, corrupting setuid‑root binaries to gain full control.
- A roughly 10‑line Python proof of concept is public, and researchers have spotted Go and Rust versions published online.
- Microsoft reports limited real‑world use so far but warns the bug can break container isolation and enable compromise across shared cloud and CI/CD hosts once attackers gain any foothold.
- Fixes are available in Linux kernels 6.18.22, 6.19.12, and 7.0. U.S. civilian agencies face a May 15 deadline, and admins are urged to patch or disable the vulnerable algif_aead crypto socket.
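
A triage check for the fixed releases and the algif_aead mitigation in the last bullet, as an added example that is not from the article or any vendor: it classifies an upstream-style kernel release string against the versions named above and looks for `algif_aead` in `/proc/modules` text. Function names and the sample input are constructed, and it assumes upstream version numbering; distribution kernels may backport the fix under a different number, so treat "unpatched" and "unknown" as a prompt to check the vendor advisory.

```python
import platform
import re

# Fixed upstream releases named in the article, keyed by stable branch.
FIXED_STABLE = {(6, 18): 22, (6, 19): 12}
FIXED_MAINLINE = (7, 0)

def kernel_status(release):
    """Classify a `uname -r` style string as fixed / unpatched / unknown."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return "unknown"
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if (major, minor) >= FIXED_MAINLINE:
        # A 7.0 release candidate predates the final 7.0 the article names.
        if (major, minor) == FIXED_MAINLINE and re.search(r"-rc\d+", release):
            return "unknown"
        return "fixed"
    if (major, minor) in FIXED_STABLE:
        return "fixed" if patch >= FIXED_STABLE[(major, minor)] else "unpatched"
    # Branch not listed in the article: do not guess either way.
    return "unknown"

def module_loaded(proc_modules_text, name="algif_aead"):
    """True if `name` is the first field of any /proc/modules line."""
    return any(line.split()[:1] == [name] for line in proc_modules_text.splitlines())

def triage(release, proc_modules_text):
    """Return (kernel status, module loaded?, recommended action)."""
    status = kernel_status(release)
    loaded = module_loaded(proc_modules_text)
    if status == "fixed":
        action = "none"
    elif loaded:
        action = "patch, or disable algif_aead (currently loaded)"
    else:
        # Not loaded is not the same as unavailable: the module can be
        # built in or loaded on demand, so it still needs disabling.
        action = "patch, or disable algif_aead (not loaded now)"
    return status, loaded, action

# Constructed /proc/modules excerpt, for trying the functions offline.
SAMPLE_MODULES = ("algif_aead 16384 0 - Live 0x0000000000000000\n"
                  "af_alg 32768 1 algif_aead, Live 0x0000000000000000\n")

if __name__ == "__main__":
    try:
        with open("/proc/modules") as fh:
            modules = fh.read()
    except OSError:
        modules = ""  # not on Linux, or /proc unavailable
    print(platform.release(), triage(platform.release(), modules))
```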