Notice of Linux Kernel Privilege Escalation Vulnerability (CVE-2026-31431)
Recently, a local privilege escalation vulnerability CVE-2026-31431 Linux Copy Fail was disclosed on the Internet. The authencesn module of the Linux kernel's cryptographic subsystem has a logic bug. Attackers can exploit the kernel encryption API exposed by the AF_ALG socket and splice() system calls to write arbitrary 4-byte data to the in-memory page cache of a setuid binary file (such as /usr/bin/su). This can cause container escape and allows low-privilege users to achieve root privileges.
Description
| Type | CVE-ID | Severity | Discovered |
|---|---|---|---|
| Privilege escalation | Critical | 2026-04-22 |
Impact
This vulnerability is caused by the logic bug in the algif_aead module in the Linux kernel's cryptographic subsystem. As a result, low-privilege users can exploit this vulnerability to write arbitrary data to the kernel' in-memory page cache. For example, they can tamper with SUID binary programs (such as su and sudo) to gain root privileges. Since the page cache is shared between the host and containers, this vulnerability can lead to container escape.
To exploit this vulnerability, you must have the execute permission on the host or containers.
Identification Method
- Nodes that run CentOS 7.6, with a kernel version earlier than 3.15, are not affected by this vulnerability.
- If EulerOS 2.9, Huawei Cloud EulerOS 2.0 or EulerOS 2.10 is used, you can run the following command to check the kernel version:
uname -a

If the kernel version is 4.14 or later, the system is affected by this vulnerability.
Vulnerability Mitigation Solutions
- Solution 1: Disabling the Kernel Module For Huawei Cloud EulerOS 2.0, EulerOS 2.9, and EulerOS 2.10, the kernel module is built-in (statically compiled into the kernel). The procedure is as follows:
# Check whether the module is loaded. If the module has been loaded, unload it and then disable it. # 1) Check whether the module is loaded. If the following information is displayed, the module has been loaded: lsmod|grep authencesn # 2) Unload the module. modprobe -r authencesn # Disable the kernel module. echo "install authencesn /bin/false" >> /etc/modprobe.d/blacklist.conf
For Ubuntu 22.04, disable the algif_aead kernel module. The procedure is as follows:# Disable the kernel module. echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf # Unload the loaded module. rmmod algif_aead 2>/dev/null
- Solution 2: Disabling AF_ALG socket in the custom seccomp profile of the container workload. For details, see Restrict a Container's Syscalls with seccomp.
The following is an example of the seccomp configuration:
"syscalls":[{"names":["socket"],"action":"SCMP_ACT_ERRNO","args":[{"index":0,"value":38,"op":"SCMP_CMP_EQ"}]}]
Select a solution based on service requirements. CCE functions do not depend on the preceding kernel modules or seccomp configuration. Perform the operations in a test environment before implementing them.
Vulnerability Fixing Solution
For Huawei Cloud EulerOS 2.0, CCE and related teams will release new OS versions to fix the vulnerability. Please stay tuned for updates on OS Image Tag Release Notes.
EulerOS 2.9 and EulerOS 2.10 have reached EOS. Use Huawei Cloud EulerOS 2.0 instead.
Once an OS image with the vulnerability fixed is released, new clusters and nodes will have the vulnerability fixed by default. To fix the vulnerability on existing nodes, you can simply reset them. If the cluster version has reached EOS, you need to upgrade the version first.
Helpful Links
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.