CVE-2026-31431: Critical Linux Kernel Vulnerability, Patch Now


A critical Linux kernel vulnerability (CVE-2026-31431) lets an unprivileged user gain root or break out of a container. Virtually every Linux distribution shipped since 2017 is affected, and a working exploit is public. Anyone running Linux servers should patch now, or at least apply the workaround.

What it is

The flaw sits in the kernel crypto API, specifically in the algif_aead module, which exposes authenticated encryption (AEAD) to userspace through AF_ALG sockets: a process opens such a socket, selects the authencesn AEAD mode and feeds data in through splice(). A bug in that path makes the kernel write four bytes to the wrong place in the page cache. Those four bytes are enough to flip kernel state so that an unprivileged process becomes root or a container breaks host isolation. No race condition, no guessing of kernel addresses, no exotic memory-layout setup: the exploit is a straight program path, which is what makes it fast and reliable. Disclosed on 2026-03-29 by Xint Code at copy.fail.

The researchers confirmed the exploit on RHEL 10.1, Ubuntu 24.04 LTS, Amazon Linux 2023 and SUSE 16 and report that Debian, Fedora, Rocky Linux, AlmaLinux, Arch and Oracle Linux behave identically. We additionally reproduced it on Rocky Linux 9 and 10: both the privilege escalation and the container escape work as described.

Am I affected?

Quick check on a Linux host:

$ lsmod | grep algif_aead                              # module in memory right now?
$ grep CRYPTO_USER_API_AEAD /boot/config-$(uname -r)   # =m: loadable module, =y: built into the kernel
$ grep -rs algif_aead /etc/modprobe.d/                 # block already in place?

If lsmod returns a line, the module is loaded right now. An empty lsmod output is not an all-clear, however: the kernel loads algif_aead on demand the moment a userspace process asks for an AEAD through an AF_ALG socket. If the kernel config shows CONFIG_CRYPTO_USER_API_AEAD=y, the code is compiled into the kernel, there is no module to block, and only the kernel update helps. When in doubt, set the block.

Immediate action: block the module

Until the distribution ships a patched kernel:

$ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
$ sudo rmmod algif_aead || true    # "Module algif_aead is in use": a process holds an AF_ALG aead socket, stop it and retry

Validation:

$ lsmod | grep algif_aead              # empty
$ sudo modprobe -v algif_aead          # prints "install /bin/false" and an error

On most systems blocking the module is harmless. dm-crypt/LUKS, kTLS, IPsec, OpenSSL/GnuTLS/NSS in standard builds, SSH and the kernel keyring crypto do not use AF_ALG (details on copy.fail). Only userspace that explicitly relies on AF_ALG (for example OpenSSL with the afalg engine, or custom crypto-offload paths) needs to be checked first.
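The check and the block above folded into one script, as an added example; this is not code from the post or from copy.fail. It assumes the usual locations /proc/modules, /boot/config-$(uname -r) and /etc/modprobe.d (each function accepts overrides so the logic can be exercised on copies), and it adds the CONFIG_CRYPTO_USER_API_AEAD check because a kernel with that option built in (=y) has no module for the modprobe rule to block. Without arguments it only reports; with --block, run as root, it writes the rule and unloads the module.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): report this host's algif_aead
# state and optionally apply the modprobe block described in the post.
# Assumed default paths: /proc/modules, /boot/config-$(uname -r), /etc/modprobe.d.

# algif_state [MODULES_FILE] [KCONFIG_FILE] [MODPROBE_DIR]
#   Prints exactly one of:
#     builtin  CONFIG_CRYPTO_USER_API_AEAD=y: compiled into the kernel, nothing
#              to block, only a kernel update helps
#     absent   the option is neither =y nor =m: this kernel has no AF_ALG AEAD code
#     loaded   algif_aead is in memory right now
#     blocked  not loaded and an "install algif_aead ..." rule exists in modprobe.d
#     exposed  not loaded, not blocked: autoloads on the first AF_ALG aead request
algif_state() {
    local modules_file="${1:-/proc/modules}"
    local kconfig="${2:-/boot/config-$(uname -r)}"
    local modprobe_dir="${3:-/etc/modprobe.d}"

    if [ -r "$kconfig" ]; then
        if grep -q '^CONFIG_CRYPTO_USER_API_AEAD=y' "$kconfig"; then
            echo builtin; return 0
        fi
        if ! grep -q '^CONFIG_CRYPTO_USER_API_AEAD=m' "$kconfig"; then
            echo absent; return 0
        fi
    fi
    # /proc/modules lines start with the module name followed by a space
    if grep -qs '^algif_aead ' "$modules_file"; then
        echo loaded; return 0
    fi
    # any *.conf carrying an "install algif_aead <command>" line counts as a block
    if grep -qsE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]' "$modprobe_dir"/*.conf; then
        echo blocked; return 0
    fi
    echo exposed
}

# write_block [MODPROBE_DIR] [MODULES_FILE]
#   Writes the modprobe rule and unloads the module if it is in memory.
#   Returns 1 if the rule cannot be written (not root), 2 if rmmod fails,
#   typically "Module algif_aead is in use": a process holds an AF_ALG aead
#   socket and has to be stopped before the unload can succeed.
write_block() {
    local modprobe_dir="${1:-/etc/modprobe.d}"
    local modules_file="${2:-/proc/modules}"
    printf 'install algif_aead /bin/false\n' > "$modprobe_dir/disable-algif.conf" || return 1
    if grep -qs '^algif_aead ' "$modules_file"; then
        rmmod algif_aead || return 2
    fi
    return 0
}

main() {
    local state
    state=$(algif_state)
    echo "algif_aead: $state"
    case "$state" in
        builtin) echo "compiled into the kernel: the modprobe block does not apply, install the kernel update" ;;
        loaded|exposed)
            if [ "${1:-}" = "--block" ]; then
                write_block && echo "block written, state now: $(algif_state)"
            else
                echo "re-run with --block as root to apply the workaround"
            fi ;;
        blocked) echo "module blocked; still install the kernel update when it ships" ;;
        absent)  echo "kernel built without CONFIG_CRYPTO_USER_API_AEAD" ;;
    esac
    return 0
}

main "$@"
```

The state machine is the useful part: "exposed" is the case the plain lsmod check misses, and "builtin" is the case where the workaround silently does nothing.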

Container hosts

The bug allows a container escape. Containers share the host kernel, and kernel modules belong to the host, so a process inside a container can trigger the on-demand load of algif_aead just like a process on the host. The block therefore has to go on the host; a seccomp, SELinux or AppArmor policy applied to a single container restricts only that container and is not enough. Once algif_aead is blocked on the host, it is blocked for every running container.

Apply the patch

As soon as the kernel update is available:

# RHEL / Rocky / Alma / Fedora
$ sudo dnf check-update kernel

# Debian / Ubuntu
$ sudo apt update && apt list --upgradable | grep linux-image

Install the update and reboot into the patched kernel. Only then remove the module block, if you no longer want it; removing it before the reboot re-exposes the still-running old kernel:

$ sudo systemctl reboot
$ uname -r                                    # confirm the patched kernel from the distro advisory is running
$ sudo rm /etc/modprobe.d/disable-algif.conf

As of 2026-04-30 the patches have not been shipped by every distributor yet. Keep an eye on the distro trackers and our own mirror servers.

Need help?

You run Linux servers and aren't sure whether you're affected or how to apply the workaround cleanly? Get in touch.
