[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2026-31431: Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability
ESO_SOC * DAS
ESO.SOC at das.oregon.gov
Fri May 1 15:29:22 PDT 2026
Good afternoon,
The SOC Services team is reporting on the vulnerability CVE-2026-31431: Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability. Due to its high visibility, we are providing this in-depth information.
History: CVE-2026-31431 was publicly disclosed on April 15, 2026, after security researchers identified a logic error in the AF_ALG userspace crypto interface. The CVSS v3.x base score is 7.8 (High) as reported by kernel.org and assigned by CISA-ADP.
Affected Versions
* Linux Kernel 4.10 through 6.12.11
Fixed Versions
* Linux Kernel 6.12.12
* Linux Kernel 6.6.75 (LTS)
* Linux Kernel 6.1.127 (LTS)
Vendor Advisory: Linux Kernel Security Update for AF_ALG Interface<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cf31431bcfe2026>
Intelligence: On May 1, 2026, CISA confirmed the vulnerability as being exploited in the wild and added it to the Known Exploited Vulnerabilities (KEV) Catalog.
Exploitability: Local
Complexity: Low
User Interaction: None
Remotely Exploitable: No
Proof of Concept: Publicly available (GitHub 'CopyFail-LPE')
Zero Day: Yes
Workarounds: Disable the AF_ALG AEAD interface by running the following commands. The modprobe directive only prevents future loads, and rmmod fails while any process still holds an AF_ALG AEAD socket; neither step applies if the module is built into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y in /boot/config-$(uname -r)), in which case the seccomp control below is the remaining option for containers.
# echo 'install algif_aead /bin/false' > /etc/modprobe.d/disable-algif.conf
# rmmod algif_aead
Use seccomp to block AF_ALG (address family 38) socket creation in containers.
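The following script is an added example and is not part of the SOC advisory or of any vendor tooling. It turns the Affected/Fixed Versions list and the two workarounds above into checks a responder can run: a version test against the ranges the advisory gives (4.10 through 6.12.11, fixed in 6.12.12, 6.6.75 and 6.1.127), a module-state check that tells modprobe-disableable from built-in, and a seccomp profile fragment that refuses socket(AF_ALG). The function names, the file paths and the profile layout are assumptions; the version boundaries are the advisory's.

```shell
#!/bin/sh
# Added example, not part of the SOC advisory: checks a kernel version string
# against the affected/fixed ranges listed above and generates the two
# workarounds. Version boundaries come from the advisory; the function names,
# file paths and seccomp profile layout are assumptions.

# Strip distro suffixes: "6.12.10-arch1-1" -> "6.12.10", "6.12.74+deb13+1" -> "6.12.74"
kver_clean() {
    v=${1%%-*}
    printf '%s\n' "${v%%+*}"
}

# Compare dotted versions numerically; prints -1, 0 or 1 for a < b, a = b, a > b.
# ".." is appended so cut returns an empty field (not the whole line) when a
# component is missing, e.g. "4.10" has no patch level.
kver_cmp() {
    a=$(kver_clean "$1"); b=$(kver_clean "$2")
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a.." | cut -d. -f"$i"); y=$(printf '%s\n' "$b.." | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Exit 0 when VER lies in the advisory's affected range (4.10 through 6.12.11)
# and has not received one of the listed fixes (6.12.12, 6.6.75, 6.1.127).
# Distribution kernels often backport fixes without changing the version
# string, so treat a hit as "check the distro advisory", not as proof.
kernel_affected() {
    v=$(kver_clean "$1")
    if [ "$(kver_cmp "$v" 4.10)" -lt 0 ]; then return 1; fi     # before affected range
    if [ "$(kver_cmp "$v" 6.12.12)" -ge 0 ]; then return 1; fi  # mainline fix or later
    case "$v" in
        6.6.*) if [ "$(kver_cmp "$v" 6.6.75)" -ge 0 ]; then return 1; fi ;;   # LTS fix
        6.1.*) if [ "$(kver_cmp "$v" 6.1.127)" -ge 0 ]; then return 1; fi ;;  # LTS fix
    esac
    return 0
}

# Print "builtin", "loaded" or "absent" for module NAME. The list and
# /proc/modules paths are parameters so the function can run on sample files.
algif_state() {
    name=$1
    builtin_list=${2:-/lib/modules/$(uname -r)/modules.builtin}
    proc_modules=${3:-/proc/modules}
    if grep -qs "/$name\.ko" "$builtin_list"; then
        printf 'builtin\n'   # modprobe.d directives and rmmod cannot disable it
    elif grep -qs "^$name " "$proc_modules"; then
        printf 'loaded\n'    # rmmod works only while no AF_ALG socket holds it
    else
        printf 'absent\n'    # the modprobe.d install directive keeps it that way
    fi
}

# Docker/containerd seccomp profile that fails socket(AF_ALG, ...) with
# EAFNOSUPPORT (AF_ALG is address family 38, EAFNOSUPPORT is errno 97 on Linux).
# Merge the "syscalls" entry into a copy of the runtime's default profile; the
# allow-by-default wrapper here is only so the fragment loads on its own.
# i386 programs that reach socket() through socketcall() are not covered.
seccomp_deny_af_alg() {
    cat <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 97,
      "args": [{"index": 0, "value": 38, "op": "SCMP_CMP_EQ"}]
    }
  ]
}
EOF
}

# Usage: sh af_alg-check.sh --check
#        sh af_alg-check.sh --profile > deny-af_alg.json   (docker run --security-opt seccomp=deny-af_alg.json ...)
case "${1:-}" in
    --check)
        rel=$(uname -r)
        if kernel_affected "$rel"; then
            echo "kernel $rel: in affected range (confirm against the distro advisory)"
        else
            echo "kernel $rel: outside affected range"
        fi
        for m in af_alg algif_aead; do
            echo "$m: $(algif_state "$m")"
        done ;;
    --profile) seccomp_deny_af_alg ;;
esac
```

The version test is deliberately conservative: anything at or above 6.12.12 is treated as fixed, which matches the advisory's "through 6.12.11" but says nothing about a distro kernel that reports 5.14 and already carries the backport, so pair it with the distro advisory or the Tenable plugin listed below.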
How it Works: The vulnerability (CWE-822: Untrusted Pointer Dereference) occurs when the splice() system call is used with an AF_ALG socket. A logic error allows userspace to bypass the read-only restriction on page-cache pages. By chaining a crypto operation, an unprivileged user can write controlled data directly into the kernel's page cache for sensitive binaries like /usr/bin/su, effectively neutralizing authentication logic in memory.
Post-Exploit Impact:
* Full System Compromise (Root Access) (CWE-269)
* Container Escape to Host (CWE-119)
Indicators of Compromise (IoCs):
Type: Log Entry
Value: kernel: algif_aead: unexpected page flags 0x
Description / Notes: Kernel log warning triggered during unsuccessful or specific exploit variations
Source: Researcher Analysis
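As an added example (not part of the advisory), the detection below scans kernel log lines for the IoC message in the table above and reports the host, timestamp and page-flags value per hit. The message pattern is the advisory's; the sample log lines, hostnames and hex values are constructed, and the function name is an assumption.

```shell
#!/bin/sh
# Added example, not part of the SOC advisory: scans syslog/journal kernel
# lines for the "algif_aead: unexpected page flags 0x" IoC from the table
# above. SAMPLE_LOG is constructed input; the message text is the advisory's,
# the hostnames and hex values are made up.

SAMPLE_LOG='May  1 14:02:11 web01 kernel: algif_aead: unexpected page flags 0x17ffffc000080d
May  1 14:02:12 web01 kernel: audit: type=1300 audit(1777669332.101:42): arch=c000003e syscall=41
May  1 14:05:40 db02 kernel: [12345.678901] algif_aead: unexpected page flags 0x17ffffc0000028
May  1 14:06:00 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234'

# Reads log lines on stdin; only the message body is matched, so it works on
# /var/log/kern.log, "journalctl -k -o short" and syslog-forwarded copies.
# Prints one line per hit, then "hits=N" last so the count is easy to script on.
scan_algif_ioc() {
    awk '
        /algif_aead: unexpected page flags 0x/ {
            hits++
            host = ($5 == "kernel:") ? $4 : "-"          # syslog layout: ts (3 fields) host kernel:
            match($0, /page flags 0x[0-9a-fA-F]+/)
            val = substr($0, RSTART + 13, RLENGTH - 13)   # "page flags 0x" is 13 characters
            printf "%s %s %s host=%s page_flags=0x%s\n", $1, $2, $3, host, val
        }
        END { printf "hits=%d\n", hits + 0 }
    '
}

# Typical use on a live host (the advisory dates disclosure to 2026-04-15):
#   journalctl -k --since 2026-04-15 -o short | scan_algif_ioc
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | scan_algif_ioc
fi
```

Because the advisory notes the warning fires on unsuccessful or particular exploit variants, a zero count does not clear a host; it only means this specific variant left no trace in the kernel log.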
Tenable Plugins:
Plugin ID: 309203 <https://www.tenable.com/plugins/nessus/309203>
Plugin Title: Linux Distros Unpatched Vulnerability : CVE-2026-31431
Severity: High | Platform: Nessus

Plugin ID: 311299 <https://www.tenable.com/plugins/nessus/311299>
Plugin Title: Debian dsa-6238 : ata-modules-6.12.74+deb13+1-armmp-di - security update
Severity: High | Platform: Nessus
Recommended Actions:
Date Added to KEV Catalog: 2026-05-01
Due Date for Remediation: 2026-05-15
* Verify the host has not been compromised before patching (check the kernel log IoC above).
* Apply the vendor's kernel security update to vulnerable systems as soon as it has been tested, and no later than the KEV remediation due date above.
* Reboot after patching: the fixed kernel only takes effect on boot, and the reboot also discards any page-cache pages an exploit may have altered.
* Run all software as a non-privileged user to reduce the impact of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378