
Earlier today, Microsoft announced that it has updated its vulnerable drivers blocklist with the newest Windows 11 updates. Sadly, a popular backup application from Macrium no longer works properly as a result; however, security is paramount in any OS.
Speaking of which, Microsoft has also issued a warning about a new Linux flaw. A recently discovered Linux kernel vulnerability tracked as "CVE-2026-31431" (CVSS score 7.8) has raised alarms across the open-source community. About it, the Cybersecurity and Infrastructure Security Agency (CISA) writes: "This Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."
The issue affects a wide range of major Linux distributions including Ubuntu, Red Hat, SUSE, Debian, Fedora, Arch Linux, and Amazon (AWS) Linux, and Microsoft notes that it can put millions of devices at risk. Microsoft researchers have warned that the exploit enables local privilege escalation to root, a critical threat in containerized and multi-tenant environments built on those distributions.
Red Hat published its own advisory last month regarding the vulnerability. It explained: "A flaw was found in the Linux kernel's algif_aead cryptographic algorithm interface. An incorrect 'in-place operation' was introduced, where the source and destination data mappings were different. This could lead to unexpected behavior or data integrity issues during cryptographic operations, potentially impacting the reliability of encrypted communications."
Microsoft has added to that, explaining that the vulnerability stems from a logic flaw in the kernel’s cryptographic subsystem, specifically the algif_aead module of AF_ALG, which was introduced back in 2017. An in-place optimisation at the time led to the kernel reusing the source memory as the destination during cryptographic operations. Attackers can exploit the interaction between the AF_ALG socket interface and the splice() system call to perform a controlled four-byte overwrite in the kernel’s page cache.
This attack, run as a Python script, allows modification of privileged binaries such as /usr/bin/su, enabling execution with root privileges. Unlike many kernel exploits, this one does not rely on race conditions and can be executed deterministically with a compact script of around 732 bytes. Because it works consistently across multiple distributions without modification, the exploit is considered highly reliable.
This is also what makes it dangerous in cloud environments: containers share the host kernel, so one vulnerable kernel version could potentially compromise an entire node. Attackers with even limited access, such as through SSH or compromised CI/CD jobs, could escalate privileges and break out of containers, leading to lateral movement and the compromise of other tenants.
Thankfully, active exploitation has so far been limited to proof-of-concept (PoC) demonstrations. Regardless, Microsoft has released detection signatures through Microsoft Defender XDR to help organizations identify exploitation attempts. Microsoft has urged security teams to patch affected kernels as soon as vendor updates become available. In the meantime, disabling the affected crypto feature or blocking AF_ALG socket creation can reduce exposure. Strict access controls, network isolation, and rapid node recycling after indicators of compromise are also recommended.
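To check whether a host still exposes the interface the advisories describe, the following added audit script (not from the article, Microsoft or Red Hat) tries to bind an AF_ALG "aead" socket from userspace, lists loaded algif_* modules from /proc/modules, and emits a modprobe.d fragment that denies autoload of algif_aead. The gcm(aes) transform name, the sample /proc/modules text and the modprobe install-to-/bin/false trick are assumptions; the module name algif_aead comes from the advisories.

```python
import errno
import os
import socket

AEAD_MODULE = "algif_aead"  # AF_ALG type handler named in the advisory

# Constructed sample of /proc/modules; the module name is the first field.
SAMPLE_PROC_MODULES = """\
algif_aead 16384 0 - Live 0x0000000000000000
algif_skcipher 16384 0 - Live 0x0000000000000000
af_alg 32768 2 algif_aead,algif_skcipher, Live 0x0000000000000000
xt_conntrack 16384 1 - Live 0x0000000000000000
"""

def loaded_algif_modules(proc_modules_text):
    """Names of loaded algif_* modules (AF_ALG type handlers) in /proc/modules text."""
    return [ln.split()[0] for ln in proc_modules_text.splitlines()
            if ln.split() and ln.split()[0].startswith("algif_")]

def probe_af_alg_aead(transform="gcm(aes)"):
    """Ask the running kernel whether this process can bind an AF_ALG 'aead' socket.
    'unsupported': no AF_ALG in this OS/Python; 'blocked': socket() or bind() refused
    by policy (seccomp/LSM); 'no-aead': aead type/transform unavailable; 'reachable': usable."""
    if not hasattr(socket, "AF_ALG"):
        return "unsupported"
    try:
        sock = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError:
        return "blocked"
    try:
        sock.bind(("aead", transform))  # transform name is an assumption
        return "reachable"
    except OSError as exc:
        return "no-aead" if exc.errno == errno.ENOENT else "blocked"
    finally:
        sock.close()

def modprobe_block_conf(module=AEAD_MODULE):
    """/etc/modprobe.d fragment that denies autoload; no effect if the handler is built in."""
    return f"# deny autoload of {module} (CVE-2026-31431 exposure reduction)\ninstall {module} /bin/false\n"

def assess(loaded, probe):
    if probe == "reachable":
        return "EXPOSED: aead AF_ALG bindable; patch the kernel or block AF_ALG sockets"
    if AEAD_MODULE in loaded:
        return "LOADED: algif_aead present, but bind refused for this process"
    return "NOT REACHABLE: " + probe

if __name__ == "__main__":
    text = open("/proc/modules").read() if os.path.exists("/proc/modules") else ""
    print(assess(loaded_algif_modules(text), probe_af_alg_aead()))
```

On kernels where the AEAD handler is compiled in rather than built as a module, the modprobe fragment does nothing and only a seccomp or LSM policy that refuses AF_ALG socket creation (or the vendor patch) closes the surface.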