Critical Linux Kernel Vulnerability Discovered by AI: CVE-2026-31431 Explained

Tech732 bytes of Python just borked every Linux machine on earth…

Key Takeaways

1A 732-byte Python script exploits CVE-2026-31431, a critical privilege escalation vulnerability affecting virtually all Linux distributions with kernel code from 2017 onward
2The vulnerability was discovered by an AI scanning tool in just one hour and allows unprivileged local users to write uncontrolled bytes into the page cache and gain root access
3The exploit targets the AF_ALG interface's ONC ESN (authentication encryption with extended sequence numbers) feature, exploiting a bug in the AFG splice function
4While not remotely exploitable, the vulnerability requires immediate patching across all Linux systems; attackers are already using it in the wild
5The discovery highlights the dual-edged nature of AI coding agents: they can identify critical security flaws but also demonstrate how easily automated tools can compromise systems at scale

Chapters

1. The Vulnerability Overview

A critical Linux kernel vulnerability (CVE-2026-31431) was discovered by an AI agent and affects every major Linux distribution. The exploit consists of just 732 bytes of Python code and allows privilege escalation to root access.

2. Discovery and Confirmation

An AI-powered security tool discovered the vulnerability in approximately one hour of scanning. It traced the flaw to commits from 2015-2017, was confirmed by the Linux kernel team, and was released publicly with proof-of-concept code and a dedicated website.

3. Technical Details of the Exploit

The exploit leverages the AF_ALG interface's ONC ESN feature through a bug in the AFG splice function. It tricks the kernel into writing four uncontrolled bytes of scratch data into the page cache of read-only files like the su binary, enabling root privilege escalation.

4. Scope and Impact

Every Linux distribution (Debian, Arch, Red Hat, Ubuntu, Amazon Linux) released since 2017 is affected. Attackers confirmed to be using the exploit in the wild; CISA added it to the known exploited vulnerabilities list.

5. Exploitation Requirements and Mitigation

The exploit is not remotely executable and requires either local user access or prior system compromise via SSH or other vectors. Immediate patching is critical, though desktop Linux systems are lower-risk than servers.

6. AI's Role in Security: Opportunities and Risks

The discovery demonstrates AI agents can identify deep kernel vulnerabilities quickly but also highlights the risk of automated exploitation at scale. Quality code and secure development practices are now more critical than ever.

Glossary

CVE-2026-31431: A critical privilege escalation vulnerability in the Linux kernel affecting all major distributions from 2017 onward
AF_ALG Interface: A Linux kernel interface that exposes cryptographic algorithms to user space applications
ONC ESN: Authentication encryption with extended sequence numbers; a cryptographic feature targeted by the exploit
Page Cache: A kernel memory structure that stores copies of file data; the target where uncontrolled bytes are written in the exploit
Privilege Escalation: An attack technique that allows an unprivileged user to gain higher-level (root) access to a system
AFG Splice Function: A kernel function containing the logic flaw that allows page cache references of read-only files to be accessed improperly
CISA KEV List: The Cybersecurity and Infrastructure Security Agency's catalog of known exploited vulnerabilities actively used in attacks

Explore