Anonymous Intelligence Signal

openEuler Kernel Patches High-Severity Buffer Overflow in Linux AF_ALG Crypto Interface, CVE-2026-31677 Flagged

human The Lab unverified 2026-05-06 12:31:40 Source: GitHub Issues

The openEuler kernel project has merged a high-severity security fix for a buffer overflow in the Linux kernel's AF_ALG cryptographic interface. The patch, committed on April 29, 2026, resolves CVE-2026-31677 and addresses a flaw in which extraction from the receive scatter-gather (RX SG) list was not bounded by the receive buffer budget.

The vulnerability lies in the kernel's AF_ALG subsystem, which exposes kernel crypto algorithms to userspace applications through a socket interface. According to merge request !22006, the flaw allowed RX SG list extraction to exceed safe bounds, creating the conditions for a buffer overflow. The fix constrains RX SG extraction to the receive budget so that the overflow cannot occur. The patch was authored by devstation-robot, reviewed by lujialin2 and stavewu, and carries a High severity rating. The commit (d76a101) is tracked under the upstream issue reference atomgit.com/src-openeuler/kernel/issues/14424.
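To illustrate the defensive pattern the fix enforces (extraction from an RX scatter-gather list capped by the receive budget), the following is an added standalone C model; it is not openEuler or Linux kernel code, and the `sg_entry` layout, the function names and the sample data are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical SG entry for this userspace model (not the kernel's scatterlist). */
struct sg_entry {
    const uint8_t *buf;
    size_t len;
};

/* Copy bytes out of the SG list into dst, clamped to the smallest of the
 * caller's request, the receive budget and the destination size. The clamp
 * is what stops extraction from running past the budget into adjacent memory. */
size_t sg_extract_budgeted(const struct sg_entry *sg, size_t nsg,
                           size_t want, size_t budget,
                           uint8_t *dst, size_t dst_len)
{
    size_t limit = want;
    if (limit > budget)  limit = budget;    /* receive budget bounds the copy */
    if (limit > dst_len) limit = dst_len;   /* so does the destination size */
    size_t copied = 0;
    for (size_t i = 0; i < nsg && copied < limit; i++) {
        size_t n = sg[i].len;
        if (n > limit - copied) n = limit - copied; /* partial copy at the limit */
        memcpy(dst + copied, sg[i].buf, n);
        copied += n;
    }
    return copied;
}

/* Constructed sample list: three entries, 12 payload bytes in total. */
static const uint8_t SEG_A[] = "abcd", SEG_B[] = "efgh", SEG_C[] = "ijkl";
static const struct sg_entry SAMPLE[] = { {SEG_A, 4}, {SEG_B, 4}, {SEG_C, 4} };

/* Extract from SAMPLE into a canary-filled buffer and verify that exactly the
 * expected bytes were written and nothing beyond them. Returns 1 on pass. */
int check_extract(size_t want, size_t budget, size_t dst_len, const char *expect)
{
    uint8_t dst[32];
    if (dst_len > sizeof dst) return 0;     /* model buffer is fixed at 32 bytes */
    memset(dst, 0xEE, sizeof dst);          /* canary: any overrun shows up here */
    size_t n = sg_extract_budgeted(SAMPLE, 3, want, budget, dst, dst_len);
    if (n != strlen(expect) || memcmp(dst, expect, n) != 0)
        return 0;
    for (size_t i = n; i < sizeof dst; i++)
        if (dst[i] != 0xEE)
            return 0;                       /* wrote past the extracted region */
    return 1;
}
```

The canary check is the part worth reusing in a unit test for any copy routine of this shape: it catches writes beyond the clamped region, not just wrong return values.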

Because AF_ALG is the path through which workloads use the Linux kernel's native crypto facilities for secure communications, encryption and authentication, any system relying on it is affected. The patch has been merged with continuous integration passing and approval marks, but systems running affected kernel versions remain exposed until the fix reaches them through standard update channels; since AF_ALG sockets can be created by unprivileged local processes on kernels where the userspace crypto API is enabled, administrators should treat this as a local attack-surface issue and prioritize the update accordingly. The openEuler community's swift response through its automated CI pipeline signals active maintenance, but the underlying vulnerability pattern, improper bounds checking in kernel memory management, underscores the persistent challenge of hardening the kernel's user-facing interfaces against malformed input.