Critical Linux kernel vulnerability CVE-2026-31431
How to check your server and mitigate the vulnerability in the Linux kernel cryptographic subsystem.
A critical vulnerability CVE-2026-31431 has been discovered in the Linux kernel's cryptographic subsystem (AF_ALG interface). It allows a local user to escalate privileges to root.
On a standard server, this means unauthorized privilege escalation. In containerized environments (Docker, Kubernetes), the vulnerability can be used to escape the container and gain full control over the host system.
CentOS 7 and distributions running older kernel branches are not affected.
Checking your server
Run the following command in the terminal to check whether your system is vulnerable:
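python3 -c "
import socket, sys
try:
    # Open an AF_ALG socket and bind the AEAD template named in the advisory
    s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    s.bind(('aead', 'authencesn(hmac(sha256),cbc(aes))'))
    # Bind succeeded: the AF_ALG AEAD interface is reachable from this user
    print('VULNERABLE')
    sys.exit(1)
except OSError as e:
    # Bind failed: the interface is unavailable or blocked
    print('Not vulnerable:', e)
    sys.exit(0)
"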
If the output says VULNERABLE, your system is affected and requires immediate action.
Mitigation
Until an official patch is released, disable the affected kernel module.
Ubuntu, Debian, and similar systems
# Create a blacklist config
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
# Unload the module if it's currently loaded
rmmod algif_aead 2>/dev/null || true
If you have Ubuntu with auto-updates enabled (they are enabled by default), then you do not need to perform the above step.
CentOS, RHEL, AlmaLinux, Rocky Linux
# Blacklist via kernel command line (persistent across updates)
grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
# Reboot to apply (the kernel command line is only read at boot)
reboot
After applying the temporary fix, monitor your distribution's official repositories and install the kernel patch as soon as it becomes available.
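To confirm that the workaround actually took effect, the following added example (not part of the original article) checks the three places the mitigation steps above touch: the loaded-module list, the modprobe.d override, and the kernel command line. The function name check_algif_mitigation and the sample files are constructed for illustration; with no arguments the function reads the live system paths.

```sh
#!/bin/sh
# Added example: report whether the algif_aead mitigations are in effect.
# Usage: check_algif_mitigation [modules_file] [modprobe_dir] [cmdline_file]
# Returns 0 only if the module is not loaded AND a persistent block exists.
check_algif_mitigation() {
    modules=${1:-/proc/modules}
    confdir=${2:-/etc/modprobe.d}
    cmdline=${3:-/proc/cmdline}
    loaded=0
    persistent=0

    # /proc/modules lists loadable modules only; a built-in algif_aead never
    # appears here, so this check alone cannot prove the interface is gone.
    if grep -q '^algif_aead ' "$modules" 2>/dev/null; then
        loaded=1
        echo "FAIL: algif_aead is loaded (rmmod it or reboot)"
    fi

    # modprobe.d override: any uncommented "install algif_aead <cmd>" line.
    if grep -Eqs '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]' "$confdir"/*.conf; then
        persistent=1
        echo "OK: modprobe install override present in $confdir"
    fi

    # Kernel command line: initcall_blacklist takes a comma-separated list.
    if grep -Eqs '(^|[[:space:]])initcall_blacklist=([^[:space:]]*,)?algif_aead_init(,|[[:space:]]|$)' "$cmdline"; then
        persistent=1
        echo "OK: initcall_blacklist=algif_aead_init on kernel command line"
    fi

    [ "$persistent" -eq 1 ] || echo "FAIL: no persistent block configured"
    [ "$loaded" -eq 0 ] && [ "$persistent" -eq 1 ]
}

# Constructed sample input: a host where the config file was written but the
# module is still loaded because rmmod was skipped.
demo=$(mktemp -d)
mkdir "$demo/modprobe.d"
echo 'algif_aead 16384 0 - Live 0x0000000000000000' > "$demo/modules"
echo 'install algif_aead /bin/false' > "$demo/modprobe.d/disable-algif-aead.conf"
echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet' > "$demo/cmdline"
check_algif_mitigation "$demo/modules" "$demo/modprobe.d" "$demo/cmdline" \
    || echo "=> mitigation incomplete"
```

On a real host, call check_algif_mitigation with no arguments and then re-run the Python check above as an unprivileged user.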