CVE-2026-31431 — Linux Kernel

Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability

Added to KEV

2026-05-01

Federal due date

2026-05-15

Vendor

Linux

Product

Kernel

EPSS

84.7th percentile (score 0.022, as of 2026-06-08)

NVD CVSS v3.1

7.8 (HIGH)

Ransomware use

Unknown

Upstream

https://nvd.nist.gov/vuln/detail/CVE-2026-31431

CISA short description

Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation.

Required action

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

NVD description

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.

EPSS percentile is the FIRST.org exploit-probability ranking as of the date noted above; it moves daily. CVSS reflects NVD's analysis at time of publication.