Linux flaw lets local users gain root on nearly all distros
A 732-byte Python exploit turned a Linux crypto bug into a root-shell shortcut across major distros, including Ubuntu, RHEL and OpenShift.

Linux administrators need to move first on this one: CVE-2026-31431 lets a local user turn into root on vulnerable systems, and the blast radius reaches well beyond desktop machines into the cloud stacks, hospital servers, school networks and government systems that quietly depend on Linux. Ubuntu said the flaw affects every release before Resolute 26.04, Red Hat labeled it Important, and Azure Red Hat OpenShift clusters are also in scope.
The bug sits in the kernel’s cryptographic subsystem, specifically the algif_aead interface that uses AF_ALG sockets and splice(). Security researchers say it gives an unprivileged local user a controlled 4-byte write into the page cache of a readable file. If those bytes land in the right place, including a setuid-root binary such as /usr/bin/su, the attacker can obtain administrator privileges. The public exploit is only 732 bytes of Python and, crucially, does not depend on per-distro offsets, version checks or a race condition, which makes it unusually portable across Linux builds.

Theori found the flaw with its AI-driven Xint Code platform after about an hour of scanning the Linux crypto subsystem, a sign that defenders are beginning to use automated tooling to surface old weaknesses faster than attackers can weaponize them. The vulnerability traces back to a 2017 kernel change that enabled in-place crypto operations. Theori reported it to the Linux kernel security team on March 23, 2026. A mainline patch followed on April 1, the CVE was assigned on April 22, and public disclosure came on April 29.
The response has already become a patch-and-mitigate race. Ubuntu assigned the issue a CVSS 3.1 score of 7.8 and said its mitigation disables the affected kernel module in the kmod package, though that can interfere with hardware-accelerated cryptography and may require a reboot. Red Hat said fixes would be released as soon as possible and that Azure Red Hat OpenShift 4.16, 4.18, 4.19, 4.20 and 4.21 were affected; its workaround blacklists algif_aead with initcall_blacklist=algif_aead_init through MachineConfig. Tenable said the flaw is being compared with Dirty Cow and Dirty Pipe, but unlike Dirty Cow it does not rely on a race condition and is reported to work reliably across major distributions. BleepingComputer reported demonstrations on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1 and SUSE 16, underscoring how a small kernel bug can become a national-scale infrastructure problem.
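
The workarounds described above can be verified on a host. The shell functions below are an added example, not code from the article or from any vendor advisory; the function names and verdict strings are illustrative. They report workaround state only (boot-time initcall blacklist, loaded or built-in module, modprobe.d rule), not whether the running kernel carries the fix.

```shell
#!/bin/sh
# Added example (not from the article): check the algif_aead workarounds it describes.
# Every path is a parameter so the checks also run on constructed samples.

# 0 if algif_aead is loaded as a module (file in /proc/modules format).
module_loaded() {
    awk '$1 == "algif_aead" { f = 1 } END { exit !f }' "$1"
}

# 0 if algif_aead is compiled into the kernel (file in modules.builtin format).
module_builtin() {
    [ -r "$1" ] && grep -q '/algif_aead\.ko$' "$1"
}

# 0 if the command line has initcall_blacklist=<list> naming algif_aead_init.
initcall_blocked() {
    tr ' ' '\n' < "$1" | awk -F= '$1 == "initcall_blacklist" {
        n = split($2, fn, ",")
        for (i = 1; i <= n; i++) if (fn[i] == "algif_aead_init") f = 1
    } END { exit !f }'
}

# 0 if a modprobe.d directory has a "blacklist" or "install" rule for the module.
# Assumption: an install rule is a blocking stub such as /bin/false; review it by hand.
modprobe_blocked() {
    cat "$1"/*.conf 2>/dev/null | awk '
        ($1 == "blacklist" || $1 == "install") && $2 ~ /^algif[-_]aead$/ { f = 1 }
        END { exit !f }'
}

# Prints a verdict; returns 0 when a workaround is effective, 1 or 2 otherwise.
algif_aead_status() {
    modules="${1:-/proc/modules}"
    cmdline="${2:-/proc/cmdline}"
    confdir="${3:-/etc/modprobe.d}"
    builtins="${4:-/lib/modules/$(uname -r)/modules.builtin}"
    if initcall_blocked "$cmdline"; then
        echo "MITIGATED: algif_aead_init blacklisted at boot"; return 0
    fi
    if module_builtin "$builtins"; then
        echo "EXPOSED: algif_aead is built in; modprobe rules do not apply"; return 2
    fi
    if module_loaded "$modules"; then
        echo "EXPOSED: algif_aead is currently loaded"; return 2
    fi
    if modprobe_blocked "$confdir"; then
        echo "MITIGATED: module not loaded and modprobe rule present"; return 0
    fi
    echo "UNMITIGATED: not loaded, but nothing prevents loading"; return 1
}
```

Calling `algif_aead_status` with no arguments checks the live system; a nonzero return means the host still needs the patch or one of the workarounds.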
