Description
CVE-2026-31431 is a logic flaw in the Linux kernel's authencesn AEAD template that, when reached via the AF_ALG socket interface combined with splice(), allows an unprivileged local user to perform a controlled 4-byte write into the page cache of any readable file. Because the corrupted pages are never marked dirty, the on-disk file is unchanged but the in-memory version is immediately visible system-wide, enabling local privilege escalation by injecting shellcode into the page cache of a setuid-root binary such as /usr/bin/su. The vulnerability was introduced by an in-place optimization in algif_aead.c (commit 72548b093ee3, 2017) and affects essentially all major Linux distributions shipped since then until the fix in commit a664bf3d603d.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/local/cve_2026_31431_copy_failmsf undefined(cve_2026_31431_copy_fail) > show actions ...actions...msf undefined(cve_2026_31431_copy_fail) > set ACTION < action-name >msf undefined(cve_2026_31431_copy_fail) > show options ...show and set options...msf undefined(cve_2026_31431_copy_fail) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub