CISA Just Added CVE-2026-31431 To KEV. We Wrote The 732-Byte AF_ALG Path Fourteen Days Ago. Block The Socket. Patch The Kernel. Watch The Sandbox.
- Patrick Duggan
- 2 hours ago
- 4 min read
CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog today. The KEV entry confirms what oss-security, Microsoft, Sysdig, Unit 42, CERT-EU, and Xint Code have been documenting since April 29: there is a deterministic seven-hundred-thirty-two-byte path from any unprivileged user on a modern Linux box to root, and the path runs through the kernel cryptographic socket family that almost no workload actually needs to use.
We wrote the mechanism up on May 14. The federal mandate is dated today. Fourteen days. That gap is the same gap we have been writing about all month under different headers — when the exploit-harvester catches the public PoC on GitHub within hours of disclosure, when BDE per-IOC scoring lifts the indicator out of the noise band, when the KEV-velocity precursor fires before CISA does, the customer-facing artifact lands earlier than the regulator's notice. Not in spite of the regulator. Ahead of the regulator. Both arriving at the same conclusion via different evidence paths.
The vulnerability is in the Linux kernel cryptographic API exposed through the AF_ALG socket family, specifically in the algif_aead module that governs in-place authenticated-encryption-with-associated-data operations. The root-cause commit shipped in 2017. Every mainstream Linux distribution carrying a kernel built since then is on the affected list. Xint Code, who disclosed the bug, named it Copy Fail because the primitive is a deterministic four-byte write into the page cache of any readable file on the system. From a four-byte arbitrary write into shared kernel memory, the path to root is the kind of work a competent kernel pwn researcher does in a weekend. The public exploit is seven hundred thirty-two bytes of Python and works across Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16 without modification. There is no race condition to lose. No offset to leak. No spray to land.
The container-escape angle is the part that keeps Kubernetes operators awake. The AF_ALG socket family is reachable from inside an unprivileged container without CAP_SYS_ADMIN, unless the runtime's seccomp or LSM profile denies the family. The kernel page cache is shared between the container and the host, because both run on the same kernel. A four-byte write into the page cache from inside a pod can, with the right target file, become a privileged write on the host. A container boundary is a namespace boundary, not a privilege boundary against a kernel bug: it holds for the ordinary filesystem and network isolation cases and fails at exactly this kind of cross-boundary primitive. Every managed-Kubernetes service running on a kernel built between 2017 and the May 2026 patch window is in scope.
The mitigation is three layers, in order of cost.
The cheapest layer is to deny the AF_ALG socket family to unprivileged users entirely. The algif_aead, algif_skcipher, algif_hash, and algif_rng modules implement the userspace crypto API. The number of production workloads outside of crypto-tooling pipelines that need userspace access to AF_ALG is approximately zero. An AppArmor or SELinux deny rule, or a seccomp profile that returns an error from socket(2) when the domain argument is AF_ALG (numerically 38), removes the syscall path completely for the confined workload. This requires no reboot. It breaks nothing that did not already depend on AF_ALG. One caveat: seccomp and AppArmor profiles bind to the processes they confine, so the rule has to land in the container runtime's default profile and in the units of host daemons, not in a single pod spec. This is the move tonight.
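As an added example, not part of the original post and not any vendor's profile, here is the seccomp half of that cheapest layer written as a raw BPF filter in C. It refuses socket(2) when the domain is AF_ALG, lets every other socket family and every other syscall through, and kills the process if the syscall arrives under a foreign architecture ABI. The architecture macros, the choice of EPERM and the little-endian assumption for reading the low word of args[0] are mine; a fleet deployment would carry the same rule in the runtime's seccomp profile or an AppArmor profile rather than installing it per process.

```c
/* Added example: a raw seccomp-bpf filter that denies socket(AF_ALG, ...)
 * with EPERM and allows everything else.  Not the original post's code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Check the ABI before the syscall number, otherwise a caller could reach
 * socket(2) through another ABI (x32 on x86_64) whose numbers differ.
 * Assumption: built and run on x86_64 or aarch64. */
#if defined(__x86_64__)
#  define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Older UAPI headers predate SECCOMP_RET_KILL_PROCESS (Linux 4.14). */
#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Low 32 bits of args[0]; on a little-endian target that is the first word of
 * the 64-bit slot, which is where the socket(2) domain argument lives. */
#define ARG0_LOW offsetof(struct seccomp_data, args[0])

static struct sock_filter af_alg_deny_filter[] = {
    /* 0-2: load arch; kill the process if it is not the ABI we were built for */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-4: load syscall number; anything other than socket(2) jumps to the allow at 8 */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
    /* 5-6: load the domain argument; allow unless it is AF_ALG */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG0_LOW),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_ALG, 0, 1),
    /* 7: socket(AF_ALG, ...) fails with EPERM and never reaches the kernel crypto API */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    /* 8: default allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Installs the filter on the calling process (children inherit it).
 * Returns 0 on success, -1 with errno set on failure. */
int install_af_alg_deny_filter(void)
{
    struct sock_fprog prog = {
        .len = sizeof(af_alg_deny_filter) / sizeof(af_alg_deny_filter[0]),
        .filter = af_alg_deny_filter,
    };
    /* no_new_privs lets an unprivileged process load a filter and stops a later
     * execve of a setuid binary from running with whatever the filter lets through. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Tries socket(domain, type, 0); returns 0 if it succeeded (fd closed again)
 * or the errno it failed with, so callers can tell EPERM from EAFNOSUPPORT. */
int probe_socket_errno(int domain, int type)
{
    int fd = socket(domain, type, 0);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno;
}

int main(void)
{
    if (install_af_alg_deny_filter() != 0) {
        perror("seccomp install");
        return 1;
    }
    printf("socket(AF_ALG):  errno %d (EPERM is %d)\n",
           probe_socket_errno(AF_ALG, SOCK_SEQPACKET), EPERM);
    printf("socket(AF_UNIX): errno %d (0 means allowed)\n",
           probe_socket_errno(AF_UNIX, SOCK_STREAM));
    return 0;
}
```

The filter returns EPERM rather than killing, so an application that probes for AF_ALG and falls back to a userspace library keeps working; flip instruction 7 to SECCOMP_RET_KILL_PROCESS if you would rather see the process die and leave an audit record. The same domain check expressed in a runtime's JSON seccomp profile is a `socket` rule with argument index 0 compared equal to 38 and action SCMP_ACT_ERRNO.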
The middle-cost layer is to patch the kernel. Ubuntu Security Notices, RHEL errata, Amazon Linux Security Center, and SUSE security advisories all carry fixes as of May 2026. Trend Micro published a customer advisory the same week the PoC dropped. Reboot is required. In container fleets, the reboot is a node-drain plus replacement, which is the part operators schedule for the weekend window rather than execute mid-week.
The expensive layer is to detect post-exploitation. The seven-hundred-thirty-two-byte PoC has a recognizable syscall sequence — socket, setsockopt, splice, sendmsg, recvmsg, in that order, against a kernel crypto socket. Falco rules, Microsoft Defender for Endpoint behavior rules, Sysdig Secure rules, and eBPF-based runtime detectors all carry coverage as of May 2026. Two caveats: a legitimate AF_ALG consumer produces much the same sequence, so scope the rule to workloads with no documented reason to use the family; and detection fires after the primitive has already executed. The detection layer is the safety net for environments that cannot apply the AF_ALG block tonight and cannot reboot the fleet this week. Detection without prevention is strictly worse than prevention; ship the AppArmor rule first and let detection be the second line.
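The sequence above is better correlated per process than alerted on call by call. As an added example that is neither the original post's code nor any vendor's rule, the following C program does that correlation over a constructed trace: a per-pid state machine advances only on the next expected syscall name, ignores interleaved calls, and only lets an AF_ALG socket() start the chain, so a network daemon doing socket/setsockopt/sendmsg/recvmsg over AF_INET never matches. The trace record format and the pids are constructed for the example; a deployment would feed it from eBPF or auditd records, and a legitimate AF_ALG consumer would complete the chain too and needs allow-listing by image.

```c
/* Added example: a per-process correlator for the syscall chain the post
 * describes, run over a constructed trace.  Not the original post's code and
 * not a Falco/Sysdig/Defender rule; only the chain order and the AF_ALG
 * qualifier are taken from the post. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* One parsed trace record: process, syscall name, and for socket(2) the
 * domain argument (an AF_* constant); -1 for every other syscall. */
struct syscall_event {
    int pid;
    const char *name;
    int domain;
};

/* The ordered chain attributed to the PoC.  Other syscalls may be
 * interleaved; the chain only advances on the next expected name. */
static const char *const CHAIN[] = { "socket", "setsockopt", "splice", "sendmsg", "recvmsg" };
#define CHAIN_LEN (sizeof CHAIN / sizeof CHAIN[0])

#define MAX_PIDS 64
struct pid_state {
    int pid;
    size_t progress;   /* index of the next chain step this pid still needs */
    int flagged;
};

static struct pid_state *state_for(struct pid_state *tbl, size_t *n, int pid)
{
    for (size_t i = 0; i < *n; i++)
        if (tbl[i].pid == pid)
            return &tbl[i];
    if (*n >= MAX_PIDS)
        return NULL;                      /* table full: drop the event, do not crash */
    tbl[*n] = (struct pid_state){ .pid = pid, .progress = 0, .flagged = 0 };
    return &tbl[(*n)++];
}

/* Feeds events in trace order; writes each pid that completes the chain into
 * out[] (at most out_cap entries) and returns the number of flagged pids. */
size_t detect_af_alg_chain(const struct syscall_event *ev, size_t count, int *out, size_t out_cap)
{
    struct pid_state tbl[MAX_PIDS];
    size_t n = 0, flagged = 0;

    for (size_t i = 0; i < count; i++) {
        struct pid_state *st = state_for(tbl, &n, ev[i].pid);
        if (st == NULL || st->flagged)
            continue;
        if (strcmp(ev[i].name, CHAIN[st->progress]) != 0)
            continue;
        /* Step 0 is qualified: only a kernel crypto socket starts the chain.
         * AF_INET or AF_UNIX followed by the same calls is ordinary I/O. */
        if (st->progress == 0 && ev[i].domain != AF_ALG)
            continue;
        if (++st->progress == CHAIN_LEN) {
            st->flagged = 1;
            if (flagged < out_cap)
                out[flagged] = st->pid;
            flagged++;
        }
    }
    return flagged;
}

/* Constructed sample trace, not captured data.  pid 4242 is an ordinary network
 * daemon; pid 5150 runs the full chain against AF_ALG with an unrelated mmap
 * interleaved; pid 6060 opens AF_ALG but never splices, so it must not match. */
static const struct syscall_event SAMPLE[] = {
    { 4242, "socket",     AF_INET },
    { 5150, "socket",     AF_ALG  },
    { 4242, "setsockopt", -1 },
    { 6060, "socket",     AF_ALG  },
    { 5150, "setsockopt", -1 },
    { 4242, "sendmsg",    -1 },
    { 5150, "mmap",       -1 },
    { 6060, "setsockopt", -1 },
    { 5150, "splice",     -1 },
    { 4242, "recvmsg",    -1 },
    { 6060, "sendmsg",    -1 },
    { 5150, "sendmsg",    -1 },
    { 6060, "recvmsg",    -1 },
    { 5150, "recvmsg",    -1 },
};

size_t run_sample(int *out, size_t out_cap)
{
    return detect_af_alg_chain(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], out, out_cap);
}

int main(void)
{
    int hits[8];
    size_t n = run_sample(hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("pid %d completed the AF_ALG socket/setsockopt/splice/sendmsg/recvmsg chain\n", hits[i]);
    return 0;
}
```

Only pid 5150 is reported on the sample. The AF_ALG qualifier on the first step is what keeps this from paging on every process that calls sendmsg; if your telemetry source does not expose the socket domain, fall back to matching the syscall chain only on workloads the prevention layer has not yet covered.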
There is a tactical note for anyone running a custom kernel build, an embedded device tree, or an LTS branch that did not pick up the fix immediately. Search your kernel config for CONFIG_CRYPTO_USER_API_AEAD. If it is set to y, the AEAD userspace interface is built into your kernel, cannot be unloaded or blacklisted, and only a patched kernel or an LSM/seccomp deny closes it. If it is set to m, the algif_aead module is loaded on demand the first time something binds an AEAD socket; blacklisting it via /etc/modprobe.d stops that autoload, and an install line that maps the module to /bin/false also defeats an explicit modprobe. Check lsmod first, because a module that is already resident is unaffected by either. If it is set to n, you are not exposed via this specific subsystem, though the other algif_* modules (CONFIG_CRYPTO_USER_API_SKCIPHER, CONFIG_CRYPTO_USER_API_HASH, CONFIG_CRYPTO_USER_API_RNG) carry adjacent surface and the same posture applies.
The thing worth saying out loud about the timeline is that this CVE was disclosed on a Wednesday and assigned a federal remediation deadline four weeks later. Between those two dates lived the entire window in which a competent operator could exploit a public PoC across a multi-cloud Linux fleet without any custom development. The window is the whole game. Closing it requires the AF_ALG block, applied at the host-config layer, on every Linux machine that does not have a documented reason to expose userspace crypto sockets. That config change is cheaper than a reboot, faster than a patch deployment, and complementary to both.
This was the receipt arc we predicted on May 14. The KEV mandate today is the public confirmation. The next CVE in this family will look similar: a 2017-era logic flaw in a kernel subsystem that almost nobody uses but every distribution ships by default. The right defensive shape is not faster patching, although that is necessary. The right defensive shape is reducing the attack surface that exposes kernel sockets and ioctls to unprivileged callers in the first place. Every workload that does not need AF_ALG, KVM, perf_event_open, user namespaces, or io_uring should have those surfaces denied by default. That is the posture this entire decade of kernel LPE work has been telling us to adopt.
Block the socket. Patch the kernel. Watch the sandbox. In that order, tonight.