CVE-2026-31431: Linux Kernel Flaw in algif_aead Module Under Active Exploitation Raises Container Escape Risk
A high-severity local privilege escalation vulnerability in the Linux kernel's `algif_aead` module has been flagged under active exploitation, prompting urgent inclusion in the CISA Known Exploited Vulnerabilities catalog. Tracked as CVE-2026-31431 with a CVSS score of 7.8, the flaw allows an unprivileged local user to escalate privileges to root by exploiting the cryptographic hardware AEAD subsystem. The public disclosure date of April 29, 2026, was followed by CISA KEV addition on May 1, 2026, with a mandatory remediation deadline set for May 15, 2026. A functional proof-of-concept is confirmed available via copy.fail and GitHub, significantly lowering the barrier for exploitation in the wild.
The vulnerability spans kernel versions 6.7 through 6.12.85, with confirmed applicability on Ubuntu 24.04 running kernel 6.8.0 — a common base image for cloud and containerized workloads. The `algif_aead` module, responsible for authenticated encryption with associated data operations in the kernel's cryptographic interface, is potentially loaded by default on affected VPS-SECURE deployments. While `unattended-upgrades` on Ubuntu 24.04 is configured to automatically pull kernel module mitigations within 24 hours, a full upstream kernel patch remains pending at the time of reporting.
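As an added triage example (not from the advisory or from any vendor tooling), the POSIX shell script below checks a kernel version string against the range stated above, 6.7 through 6.12.85, and reports whether `algif_aead` is present on the running host. The advisory supplies only the version range and the module name; the function names, the version parsing and the `/sys/module` lookup are assumptions of this example.

```shell
#!/bin/sh
# Added triage helper (not part of the advisory): does this host's kernel fall
# in the range the advisory names (6.7 through 6.12.85), and is algif_aead
# present right now? Function names and parsing are assumptions of this example.

# kernel_affected VERSION -> exit status 0 if VERSION is within 6.7 .. 6.12.85
# Accepts uname -r style strings such as "6.8.0-45-generic".
kernel_affected() {
    v=${1%%-*}                          # drop the distro suffix: 6.8.0-45-generic -> 6.8.0
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "6.7" has no patch field
    major=${major%%[!0-9]*}             # keep leading digits only ("0rc1" -> "0")
    minor=${minor%%[!0-9]*}
    patch=${patch%%[!0-9]*}
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}

    [ "$major" -eq 6 ] || return 1
    [ "$minor" -ge 7 ] || return 1
    [ "$minor" -lt 12 ] && return 0                         # 6.7 .. 6.11.x
    [ "$minor" -eq 12 ] && [ "$patch" -le 85 ] && return 0  # 6.12.0 .. 6.12.85
    return 1
}

# algif_aead_present -> exit status 0 if the module is loaded or built in.
# /sys/module/<name> exists in both cases, unlike /proc/modules, which only
# lists loadable modules.
algif_aead_present() {
    [ -d /sys/module/algif_aead ]
}

# Print a short report for the running host.
report() {
    kv=$(uname -r)
    if kernel_affected "$kv"; then
        printf 'kernel %s: within the version range named for CVE-2026-31431\n' "$kv"
    else
        printf 'kernel %s: outside the stated version range\n' "$kv"
    fi
    if algif_aead_present; then
        printf 'algif_aead: present (loaded or built in)\n'
    else
        printf 'algif_aead: not present\n'
    fi
}

report
```

A version-number match is a starting point, not a verdict: distributions backport fixes without changing the upstream version string, so a kernel reported as "within range" still needs to be checked against the distribution's own advisory for this CVE, and a kernel reported "outside" the range is no reason to skip that check. Run the script on each container host, not inside containers, since containers share the host kernel and the module state of the host is what matters for the isolation concern described below.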
The critical concern centers on Docker and container isolation contexts. In VPS environments where workloads run inside containers atop vulnerable kernels, successful privilege escalation to root inside the container could theoretically enable container escape, undermining the isolation boundary between tenant workloads and the host system. The combination of a confirmed public exploit, CISA KEV listing, and broad kernel version applicability creates a compounding risk profile. Organizations running affected kernel versions on cloud infrastructure, particularly multi-tenant environments, face heightened exposure and should prioritize kernel updates as the definitive remediation path once available.