What is CVE-2026-31431?

A Linux kernel crypto subsystem vulnerability in algif_aead. The kernel reverts commit 72548b093ee3 to stop operating in-place — the in-place mode added complexity around associated-data handling without performance benefit, and the revert closes the resulting security gap. CVSS 3.1 base score 7.8 (HIGH), CWE-669 (Incorrect Resource Transfer Between Spheres).

Is CVE-2026-31431 remotely exploitable?

No. The CVSS vector is AV:L (Local) — exploitation requires the attacker to already have a local user account or code execution on the target host. Low-privilege users (PR:L) can use the algif_aead interface via AF_ALG sockets, so the exposure window is any system that grants untrusted users shell access.

Does CVE-2026-31431 affect my homelab?

Depends on threat model. Single-operator homelabs where only you have shell access: low immediate risk. Hosts that grant guest or container-user shell access (multi-user dev boxes, Jupyter notebooks with shell access, sandboxed accounts): higher risk — patch promptly. Update the kernel via your distro's normal channels (apt full-upgrade / dnf upgrade) and reboot.

How do I tell if my kernel is patched?

Run `uname -r` to see the running kernel. Then compare against your distro's CVE tracker (Ubuntu: ubuntu.com/security/CVE-2026-31431; Debian: security-tracker.debian.org; Red Hat / Rocky / AlmaLinux: access.redhat.com/security/cve/CVE-2026-31431). The fix has been backported to stable kernel branches via 8 separate commits — the per-distro tracker is the authoritative source for whether your specific kernel build includes them.

CVE feed → CVE-2026-31431

CVE-2026-31431 — Linux kernel `algif_aead` in-place revert

Linux kernel crypto subsystem vulnerability. The algif_aead userspace AEAD interface reverts to operating out-of-place after the previous in-place implementation mishandled associated data across user/kernel sphere boundaries. Local privilege escalation surface; not remotely exploitable. Patched in stable kernel branches; pick up via normal distro kernel updates.

TL;DR

Local attack only (CVSS AV:L). Attacker needs an existing low-privilege user account on the host.
Vector: the AF_ALG socket family's algif_aead module, which exposes kernel-side AEAD ciphers (AES-GCM, ChaCha20-Poly1305, etc.) to userspace.
Risk to a single-operator homelab: low — you'd need to grant untrusted users shell access on the box first.
Risk to multi-user / sandboxed / dev boxes: moderate — patch on the next normal kernel update cycle.
Fix: apply your distro's latest kernel security update, reboot. No special action needed beyond the usual cadence.

At a glance

CVE ID	CVE-2026-31431
Severity	High (CVSS 7.8)
CVSS 3.1 score	7.8
CVSS vector	`AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
CWE	CWE-669 (Incorrect Resource Transfer Between Spheres)
Attack vector	Local — requires existing local account
Privileges required	Low (any local user that can `socket(AF_ALG, …)`)
CISA KEV listed	No (as of 2026-05-11)
Published	2026-04-22
Last updated (NVD)	2026-05-11

What the kernel actually changed

From the upstream commit message:

crypto: algif_aead - Revert to operating out-of-place

This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.

Plain-English read: the algif_aead path's in-place mode had become a source of cross-sphere resource transfer bugs (CWE-669). The simpler out-of-place implementation removes the problematic code path entirely. The CVE is being assigned to the revert as the canonical security fix.

Per-distro fix status

Fix versions land via the normal kernel security update channels. Cross-reference the running kernel against your distro's tracker:

Distro	Tracker	Update path
Ubuntu 24.04 / 22.04	ubuntu.com/security/CVE-2026-31431	`sudo apt update && sudo apt full-upgrade -y && sudo reboot`
Debian 12 (Bookworm)	security-tracker.debian.org	`sudo apt update && sudo apt full-upgrade -y && sudo reboot`
Rocky Linux 9 / RHEL 9	access.redhat.com/security/cve/CVE-2026-31431	`sudo dnf upgrade -y kernel && sudo reboot`
AlmaLinux 9	errata.almalinux.org	`sudo dnf upgrade -y kernel && sudo reboot`
Alpine	security.alpinelinux.org	`sudo apk update && sudo apk upgrade && sudo reboot`
Mainline / stable kernels	kernel.org stable branches (see Authoritative sources below for the 8 backport commits)	Update via your kernel-build pipeline

Quick check on a host

Determine the running kernel version and whether the system has a newer one installed but not yet booted:

# Running kernel:
uname -r

# Installed but not yet running (the answer tells you to reboot):
# Debian / Ubuntu
ls /boot/vmlinuz-* | sort -V | tail -1

# RHEL / Rocky / AlmaLinux
rpm -q --last kernel | head -2

# Reboot required indicator on Debian/Ubuntu:
[ -f /var/run/reboot-required ] && echo "REBOOT REQUIRED" || echo "No pending reboot"

Mitigations short of patching

If you can't reboot immediately, the exposure is limited to users who can open AF_ALG sockets. Two mitigations:

Block AF_ALG via seccomp / LSM for any user account that doesn't need cryptographic kernel access (almost no userspace tool does — most use OpenSSL / libsodium directly, not AF_ALG).
Unload the module if no service uses it: sudo rmmod algif_aead (will fail if in use; check with lsmod | grep algif_aead). Blacklist it to prevent reload: add blacklist algif_aead to /etc/modprobe.d/blacklist-algif.conf.

Both are workarounds, not fixes. Patch as soon as the kernel update window opens.

What Noxen does about this

Noxen flags every host whose installed kernel package is older than the per-distro fix version listed in its tracker. Because this is a kernel CVE, the package name varies by distro (linux-image-* on Debian/Ubuntu, kernel on RHEL-family), but Noxen's distro-aware matcher normalises both to the same CVE record.

Hosts that have the fix installed but haven't rebooted are flagged separately as "kernel updated but not yet running" so a reboot is queued explicitly rather than implicitly assumed after a package upgrade.

Authoritative sources

NVD entry for CVE-2026-31431
cve.org record
FIRST EPSS API for CVE-2026-31431
CISA KEV catalogue (not listed at time of writing)
Stable kernel branch backport commits (from NVD references):

Related on Noxen

Ubuntu 24.04 CVE tracker — including this CVE and other recent kernel issues
How to triage CVE findings — when AV:L Highs warrant immediate action vs scheduled cycle
The patching gap — kernel updates are the easy half; third-party services are the hard half

See what Noxen does about CVEs like this → More on CVE management →

CVE-2026-31431 — Linux kernel algif_aead in-place revert