module
Copy Fail AF_ALG + authencesn Page-Cache Write
| Disclosed | Created |
|---|---|
| Apr 29, 2026 | May 1, 2026 |
Disclosed
Apr 29, 2026
Created
May 1, 2026
Description
CVE-2026-31431 is a logic flaw in the Linux kernel's authencesn AEAD template that, when reached via the
AF_ALG socket interface combined with splice(), allows an unprivileged local user to perform a controlled
4-byte write into the page cache of any readable file. Because the corrupted pages are never marked dirty, the
on-disk file is unchanged but the in-memory version is immediately visible system-wide, enabling local
privilege escalation by injecting shellcode into the page cache of a setuid-root binary such as /usr/bin/su.
The vulnerability was introduced by an in-place optimization in algif_aead.c (commit 72548b093ee3, 2017) and
affects essentially all major Linux distributions shipped since then until the fix in commit a664bf3d603d.
AF_ALG socket interface combined with splice(), allows an unprivileged local user to perform a controlled
4-byte write into the page cache of any readable file. Because the corrupted pages are never marked dirty, the
on-disk file is unchanged but the in-memory version is immediately visible system-wide, enabling local
privilege escalation by injecting shellcode into the page cache of a setuid-root binary such as /usr/bin/su.
The vulnerability was introduced by an in-place optimization in algif_aead.c (commit 72548b093ee3, 2017) and
affects essentially all major Linux distributions shipped since then until the fix in commit a664bf3d603d.
Authors
Xint Code
rootsecdev
Spencer McIntyre
Diego Ledda
rootsecdev
Spencer McIntyre
Diego Ledda
Platform
Linux,Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.