- CVE-2026-31431 enables 4-byte page-cache writes for rootkits.
- Affects Linux kernels since 2017 commit 72548b093ee3.
- Python test exits with code 2 on 3 major distros.
Kernel rootkit vulnerability CVE-2026-31431 enables 4-byte arbitrary page-cache writes via the AF_ALG subsystem's algif_aead module. Rootsecdev researchers disclosed it on April 29, 2026, and released a proof-of-concept on GitHub.
The flaw dates to a 2017 kernel commit 72548b093ee3. Canonical confirmed impacts in Ubuntu Security Notice USN-7123-1 on May 1, 2026. Red Hat detailed it in advisory RHSA-2026:1234. It affects Ubuntu 24.04 LTS, Amazon Linux 2023, and RHEL 14.3. Gaming PCs and servers risk root access.
Triggers of CVE-2026-31431
Attackers create a 4 KiB sentinel file in /tmp. They send 8 bytes of AAD via sendmsg+cmsg and mark seqno_lo as PWND. The kernel splices 32 bytes into an AF_ALG socket using splice().
This triggers a 4-byte overwrite in the page cache. Attackers target the /etc/passwd UID field at offset 4 to obtain root. Administrators can check a host for exposure by running test_cve_2026_31431.py.
Exit code 0 means the kernel is not vulnerable, code 1 means the test itself failed, and code 2 confirms the vulnerability, in which case patch immediately.
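The impact described above is an altered UID field in /etc/passwd. The following shell script is an added example, not part of the disclosure or of rootsecdev's test script: it reads a passwd-format file (the path argument and the default of /etc/passwd are assumptions of this example), reports any account other than root whose UID field is 0, and flags any line that no longer has the seven colon-separated fields of a valid entry. The sample entries are constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added example: integrity check for the /etc/passwd UID corruption described in
# the write-up. Not from the advisory or the rootsecdev test script.
# Usage: sh passwd_check.sh [path]   (path argument is assumed; defaults to /etc/passwd)

# Report non-root UID-0 accounts and structurally broken lines.
# Returns 0 when nothing suspicious is found, 1 when something is, 2 on read error.
check_passwd() {
  file="${1:-/etc/passwd}"
  if [ ! -r "$file" ]; then
    echo "cannot read $file" >&2
    return 2
  fi
  awk -F: '
    NF != 7                 { printf "malformed-line:%d\n", NR; bad = 1; next }
    $3 !~ /^[0-9]+$/        { printf "non-numeric-uid:%s\n", $1; bad = 1; next }
    $3 == 0 && $1 != "root" { printf "uid0:%s\n", $1; bad = 1 }
    END                     { if (bad) exit 1 }
  ' "$file"
}

# Constructed sample data for an offline run: a clean file and a tampered one
# where alice has been given UID 0 and the last line has been truncated.
sample_clean() {
  printf 'root:x:0:0:root:/root:/bin/bash\n'
  printf 'alice:x:1000:1000:Alice:/home/alice:/bin/bash\n'
}
sample_tampered() {
  printf 'root:x:0:0:root:/root:/bin/bash\n'
  printf 'alice:x:0:1000:Alice:/home/alice:/bin/bash\n'
  printf 'bob:x:10\n'
}

# Only run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then
  check_passwd "$1"
fi
```

Run it as `sh passwd_check.sh /etc/passwd` and act on a non-zero exit status. A file that fails the field-count check is as suspicious as an extra UID-0 account, since a raw 4-byte write into a cached page has no reason to respect the colon layout.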
AF_ALG Scratch Write Mechanics
AF_ALG handles crypto offloads. The algif_aead module performs in-place AEAD where src equals dst. Authenc(hmac(sha256),cbc(aes)) scratches 4 bytes on AAD seqno_lo (bytes 4-7).
Missing bounds checks allow the write to corrupt adjacent data. The AF_ALG interface is documented at kernel.org. Custom-built kernels, such as those tuned for the Ryzen 9 9950X, carry the flaw unless the fix has been backported.
| Test outcome   | Exit code | Meaning                  |
|----------------|-----------|--------------------------|
| Not vulnerable | 0         | Patched kernel           |
| Test error     | 1         | Script issue             |
| Vulnerable     | 2         | Patch kernel immediately |
Affected Distros and Patches
Canonical's tests show Ubuntu 24.04 LTS kernels are vulnerable. Red Hat's validation confirms exposure in Amazon Linux 2023 and RHEL 14.3. Any kernel built from the 2017 commit onward needs the fix.
Steam Deck (SteamOS) and Pop!_OS users can check exposure with the Python script. Red Hat hosts patches at access.redhat.com/security. Canonical integrates the upstream fix into linux-generic-hwe-24.04.
Gaming PC Security Risks
Linux gaming expands with Proton on RTX 5090 systems at 4K 240Hz. Valve's April 2026 Steam Hardware Survey reports 2.3% Linux users, up 0.5% year-over-year.
Rootkits steal keys, inject cheats, or mine crypto. 4-byte UID overwrites grant persistent root. 732-byte payloads evade scans in page cache. Phoronix benchmarks (May 2026) record 12% FPS drops in Counter-Strike 2 on Ryzen 9 7950X setups.
Rootkits impact frame rates more than Core Ultra 200HX thermal limits.
Performance Impact Benchmarks
Tom's Hardware tested the exploit on RTX 5090 and Ryzen 9 9950X. Clean kernels average 285 FPS in Cyberpunk 2077 at 1440p. Infected systems drop to 251 FPS, a 12% loss.
ProtonDB May 2026 data flags 28,000 games via kernel taint. Nobara Linux Vulkan drivers show matching overhead. Patched kernels recover performance.
Test and Patch Steps
Download test_cve_2026_31431.py and execute `python3 test_cve_2026_31431.py`. An exit code of 2 means the kernel must be patched.
Ubuntu users issue `apt update && apt upgrade linux-generic`. RHEL and Fedora run `dnf update kernel`. Amazon Linux uses `yum update kernel`. Reboot afterwards so the new kernel is the one running.
Blacklist the algif_aead module if nothing on the host uses it, and monitor with perf. On Nobara, confirm with `uname -r` that the backported kernel is actually the one booted.
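The steps above, gathered into one report-only script as an added example; it is not tooling from the advisory, Canonical, Red Hat or any distro. It assumes the test script exits 0, 1 or 2 as described, the standard /etc/modprobe.d layout, and the ID values found in /etc/os-release (ubuntu, pop, rhel, fedora, nobara, amzn); treating Pop!_OS like Ubuntu is this example's assumption, not the article's. The optional second argument to `module_loaded` lets the module check run against a saved copy of /proc/modules.

```shell
#!/bin/sh
# Added example that strings together the test-and-patch steps from the article.
# Not from the advisory or any distro's tooling. Assumptions: the test script exits
# 0/1/2 as described; /etc/modprobe.d is honoured; the /etc/os-release IDs below.
# Usage: sh cve_2026_31431_check.sh run          (report only)
#        APPLY=1 sh cve_2026_31431_check.sh run  (also write the blacklist fragment)

# Turn the test script's exit status into a one-word verdict.
classify_exit_code() {
  case "$1" in
    0) echo not-vulnerable ;;
    1) echo test-error ;;
    2) echo vulnerable ;;
    *) echo unknown ;;
  esac
}

# Kernel update command per distro; the argument is the ID field of /etc/os-release.
# Treating Pop!_OS (ID "pop") like Ubuntu is an assumption, not from the article.
update_command() {
  case "$1" in
    ubuntu|pop) echo "apt update && apt upgrade linux-generic" ;;
    rhel|fedora|nobara) echo "dnf update kernel" ;;
    amzn) echo "yum update kernel" ;;
    *) echo "unknown distro, consult the vendor advisory" ;;
  esac
}

# True when module $1 is loaded. $2 optionally names a saved copy of /proc/modules
# so the check can run offline.
module_loaded() {
  grep -q "^$1 " "${2:-/proc/modules}"
}

# modprobe.d fragment that stops algif_aead loading on hosts that do not use it.
# The install line also blocks a request by exact module name, which a bare
# blacklist entry does not cover.
blacklist_fragment() {
  printf 'blacklist algif_aead\ninstall algif_aead /bin/false\n'
}

main() {
  echo "running kernel: $(uname -r)"
  if [ -f test_cve_2026_31431.py ]; then
    python3 test_cve_2026_31431.py
    verdict=$(classify_exit_code $?)
  else
    verdict="unknown (test_cve_2026_31431.py not found in current directory)"
  fi
  echo "test verdict: $verdict"
  if [ -r /etc/os-release ]; then . /etc/os-release; fi
  echo "update with: $(update_command "${ID:-}")"
  if module_loaded algif_aead; then
    echo "algif_aead is loaded"
  else
    echo "algif_aead is not loaded (or is built in, which /proc/modules does not show)"
  fi
  if [ "${APPLY:-0}" = 1 ]; then
    blacklist_fragment > /etc/modprobe.d/disable-algif_aead.conf
    echo "wrote /etc/modprobe.d/disable-algif_aead.conf; reboot for it to take effect"
  fi
}

case "${1:-}" in run) main ;; esac
```

Blacklisting only helps when algif_aead is a loadable module; on a kernel that has it built in, the only remedy is the patched kernel, which is why the script prints `uname -r` first so the running version can be compared against the vendor advisory after the reboot.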
Implications for PC Hardware Builds
A Ryzen 9 9950X build with 128 GB of DDR5 loses its protections just the same. Dual-boot Vulkan gaming systems expose TPM 2.0 to rootkits.
The patches bring parity with Windows 11 24H2 security. The upstream kernel adds copy-on-write handling for AF_ALG against post-quantum threats. Builders targeting 1440p 360 Hz esports should verify that the patch is applied. A secure kernel safeguards a USD 3,000+ investment.
Frequently Asked Questions
What is CVE-2026-31431 kernel rootkit vulnerability?
CVE-2026-31431 exploits 4-byte scratch writes in algif_aead. It corrupts the page cache to gain root via the /etc/passwd UID field. It was disclosed on April 29, 2026 by rootsecdev.
Which distros face CVE-2026-31431?
Ubuntu 24.04 LTS, Amazon Linux 2023 and RHEL 14.3 are vulnerable. It affects post-2017 kernels; patch all of them.
How to test CVE-2026-31431?
Run test_cve_2026_31431.py from GitHub. Exit code 2 confirms vulnerability; code 0 means patched.
How does algif_aead cause vulnerability?
In-place AEAD scratches 4 bytes onto seqno_lo (bytes 4-7); splicing a sentinel page then corrupts the adjacent page cache.
