Alert: Copy Fail Linux Local Privilege Escalation (CVE-2026-31431)

On April 29th 2026, a high-severity local privilege escalation vulnerability was publicly disclosed for multiple Linux distributions.

This vulnerability is caused by a bug in the authencesn template of the AF_ALG kernel crypto API. The bug enables the overwrite of the page cache version of the su binary, which can provide an unprivileged local user with direct access to root on the target system. A full technical writeup by the original research team can be found here.

Exploitability

The proof of concept exploit code is fully viable for performing a local privilege escalation attack on x86-based systems. The Python script includes an obfuscated instruction set that can easily be adjusted to target other architectures; some are available online at the time of writing.

A key concern is breakout from container systems such as Kubernetes. There is limited information available at this point, but it is believed that exploitation of a container could result in the compromise of the host system.

Mitigation

Check if the AEAD module is loadable:

grep CONFIG_CRYPTO_USER_API /boot/config-$(uname -r)

Disable the algif_aead module, which shouldn’t impact operations as key functionality calls the userspace libraries or kernel directly:

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
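
The two steps above can be verified with a single audit, shown here as an added example that is not part of the original alert. The function names and verdict strings are assumptions made for illustration; CONFIG_CRYPTO_USER_API_AEAD is the kernel option that builds algif_aead, and when it is set to =y the code is built in, so the modprobe rule cannot block it.

```shell
#!/bin/sh
# Added example: audit the algif_aead mitigation state.
# File locations are parameters so the checks can run against copies.

# aead_build_mode CONFIG_FILE -> builtin | module | absent | unknown
aead_build_mode() {
    [ -r "$1" ] || { echo unknown; return 0; }
    line=$(grep -E '^CONFIG_CRYPTO_USER_API_AEAD=' "$1" || true)
    case "$line" in
        *=y) echo builtin ;;   # compiled in: modprobe.d rules have no effect
        *=m) echo module ;;    # loadable on demand
        *)   echo absent ;;    # option not set in this kernel
    esac
}

# aead_blocked MODPROBE_DIR -> exit 0 if the install rule shown above exists
aead_blocked() {
    grep -qsE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false' "$1"/*.conf
}

# aead_loaded MODULES_FILE -> exit 0 if the module is in the /proc/modules listing
aead_loaded() {
    grep -q '^algif_aead ' "$1" 2>/dev/null
}

# aead_status CONFIG_FILE MODPROBE_DIR MODULES_FILE -> one verdict word
aead_status() {
    case "$(aead_build_mode "$1")" in
        unknown) echo unknown ;;               # kernel config not readable
        absent)  echo not-built ;;
        builtin) echo builtin-cannot-block ;;  # only a patched kernel helps
        module)
            if aead_loaded "$3"; then echo loaded        # rmmod still required
            elif aead_blocked "$2"; then echo blocked
            else echo loadable                           # mitigation missing
            fi ;;
    esac
}

# Run against the live system.
aead_status "/boot/config-$(uname -r)" /etc/modprobe.d /proc/modules
```

A verdict of loaded means the install rule alone is not enough until the module has been removed, and builtin-cannot-block means only a patched kernel addresses the issue on that host.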

Rebooting an exploited system will reload the su binary from disk into the page cache, reverting the overwrite, but this will not resolve any initial or persistent access that an attacker may have to your systems.

Patching and Updates

All major distributions that use the affected kernel appear to have released patches for this vulnerability. The ones that we’re aware of are listed below:

  • Ubuntu
  • Debian
  • SUSE
  • Fedora
  • RHEL
  • Amazon Linux