Overview
- Xint Code disclosed CVE-2026-31431 on Wednesday with a 732-byte Python script that gains root by editing the in-memory copy of a setuid binary, a High-severity bug rated CVSS 7.8.
- Because the page cache is shared across a host, the write primitive can cross container boundaries and threaten Kubernetes nodes, CI runners, and other multi-tenant systems.
- The logic flaw in the authencesn path reachable through AF_ALG and splice needs no race and enables a four-byte write into any readable file’s page cache.
- Upstream reverted a 2017 in-place optimization in algif_aead in mainline commit a664bf3d603d, and Debian, Ubuntu, SUSE and others have issued kernel updates after public release, with Red Hat changing guidance to patch promptly.
- Admins who cannot update should disable the algif_aead module or block AF_ALG with seccomp, and they should reduce footholds by locking down exposed services and brute-force access.