Overview
- CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog on Friday, citing evidence of active exploitation and setting a May 15 deadline for federal systems.
- The bug in the kernel’s authencesn crypto path lets any unprivileged user write four chosen bytes into the page cache of a readable file, which enables in-memory edits to setuid binaries for instant root.
- Researchers released a 732-byte Python proof-of-concept on April 29, with Go and Rust ports now public, lowering the bar for attackers and testers.
- Because the page cache is shared, successful use can break container isolation and allow takeovers of multi-tenant hosts, CI runners, and Kubernetes nodes.
- Fixes landed in supported kernels such as 6.18.22, 6.19.12 and 7.0, and Microsoft reports only limited in-the-wild use so far but urges rapid patching and isolation.