Security intermediate ⏱ 15 minutes K8s 1.28+

CVE-2026-31431 Linux Kernel Crypto Fix

Security advisory for CVE-2026-31431: Linux kernel crypto algif_aead vulnerability. Impact on Kubernetes nodes and how to patch container host kernels.

By Luca Berton • 📖 5 min read

💡 Quick Answer: CVE-2026-31431 is a Linux kernel vulnerability in the crypto: algif_aead subsystem. The in-place operation introduced in commit 72548b093ee3 is reverted to out-of-place mode, fixing a complexity-related bug. Patch your Kubernetes node kernels via OS updates.

The Problem

The algif_aead kernel module provides the AF_ALG interface for AEAD (Authenticated Encryption with Associated Data) ciphers. A previous commit added in-place operation, but since source and destination come from different memory mappings, in-place operation added unnecessary complexity with no benefit, and introduced a vulnerability.

This affects any Linux kernel used as a Kubernetes node OS (Ubuntu, RHEL, Flatcar, Talos, etc.) where the algif_aead module is loaded or available.

Who’s Affected

  • Any Kubernetes node running a vulnerable kernel version
  • Containers using AF_ALG sockets for AEAD encryption (uncommon but possible)
  • Nodes where algif_aead module is loaded (check with lsmod | grep algif)

The Solution

Check If Your Nodes Are Vulnerable

# Check kernel version on all nodes
kubectl get nodes -o custom-columns=\
'NAME:.metadata.name,KERNEL:.status.nodeInfo.kernelVersion,OS:.status.nodeInfo.osImage'

# Check if algif_aead module is loaded on a specific node
# (the debug pod runs on the node's kernel, so /proc/modules lists the node's modules)
kubectl debug node/<node-name> -it --image=busybox -- \
  sh -c 'grep algif /proc/modules || echo "algif_aead not loaded"'
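As an added example (not from the original post), a small Python triage script that reads the same kernelVersion and osImage fields from `kubectl get nodes -o json` and compares each node against a per-OS minimum patched kernel build; the PATCHED_KERNEL thresholds are placeholders to fill from each distribution's advisory, and the node data is a constructed sample.

```python
"""Kernel-version triage for CVE-2026-31431 over `kubectl get nodes -o json`."""
import json
import re

# PLACEHOLDER thresholds: first kernel build carrying the fix per OS family,
# keyed by a substring of status.nodeInfo.osImage. Take the real values from
# your distro's advisory; distros backport, so upstream numbers don't apply.
PATCHED_KERNEL = {
    "Ubuntu": "5.15.0-100",  # placeholder value
    "Flatcar": "6.6.30",     # placeholder value
}


def parse_kernel(version: str) -> tuple:
    """'5.15.0-91-generic' -> (5, 15, 0, 91). Only numeric fields are kept,
    so tuples compare sensibly across distro suffixes like -generic or .el9."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def triage(nodes_json: str, thresholds: dict = PATCHED_KERNEL) -> dict:
    """Map node name -> 'patched' | 'vulnerable' | 'unknown' (no threshold for OS)."""
    verdicts = {}
    for item in json.loads(nodes_json)["items"]:
        name, info = item["metadata"]["name"], item["status"]["nodeInfo"]
        floor = next((v for k, v in thresholds.items() if k in info["osImage"]), None)
        if floor is None:
            verdicts[name] = "unknown"
        elif parse_kernel(info["kernelVersion"]) >= parse_kernel(floor):
            verdicts[name] = "patched"
        else:
            verdicts[name] = "vulnerable"
    return verdicts


# Constructed sample standing in for real `kubectl get nodes -o json` output.
SAMPLE_NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": n}, "status": {"nodeInfo": {"kernelVersion": k, "osImage": o}}}
    for n, k, o in [
        ("worker-a", "5.15.0-91-generic", "Ubuntu 22.04.4 LTS"),
        ("worker-b", "5.15.0-101-generic", "Ubuntu 22.04.4 LTS"),
        ("worker-c", "6.6.30-flatcar", "Flatcar Container Linux by Kinvolk 3975.2.0"),
        ("worker-d", "5.14.0-427.el9.x86_64", "Rocky Linux 9.4 (Blue Onyx)"),
    ]
]})

if __name__ == "__main__":
    # Live cluster: feed the output of `kubectl get nodes -o json` (e.g. via subprocess) instead.
    for node, verdict in sorted(triage(SAMPLE_NODES_JSON).items()):
        print(f"{node:10s} {verdict}")
```

Nodes reported as "unknown" have an OS family with no threshold entry and need a manual check against that vendor's advisory.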

Patch Strategy by OS

Ubuntu/Debian nodes:

sudo apt update && sudo apt upgrade -y linux-image-generic
sudo reboot

RHEL/Rocky/AlmaLinux nodes:

sudo dnf update kernel -y
sudo reboot

Flatcar Container Linux:

# Flatcar auto-updates; verify update channel
cat /etc/flatcar/update.conf
update_engine_client -update

Talos Linux:

# Update Talos to a version with the patched kernel
talosctl upgrade --nodes <node-ip> \
  --image ghcr.io/siderolabs/installer:v1.10.1

OpenShift (RHCOS):

# Apply machine config update or wait for auto-update
oc get machineconfigpool
oc get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.kernelVersion}{"\n"}{end}'

Rolling Node Updates in Kubernetes

# Cordon, drain, update, uncordon, one node at a time
for NODE in $(kubectl get nodes -o name); do
  NODE_NAME=${NODE#node/}
  echo "=== Updating $NODE_NAME ==="

  kubectl cordon "$NODE_NAME"
  kubectl drain "$NODE_NAME" --ignore-daemonsets --delete-emptydir-data --timeout=300s \
    || { echo "drain of $NODE_NAME failed, stopping"; break; }

  # Remember the current boot ID so we can tell when the node has really rebooted
  OLD_BOOT=$(kubectl get "node/$NODE_NAME" -o jsonpath='{.status.nodeInfo.bootID}')

  # SSH and update kernel (adjust for your OS); ssh exits non-zero when the reboot drops the session
  ssh "$NODE_NAME" 'sudo apt update && sudo apt upgrade -y linux-image-generic && sudo reboot' || true

  # Wait for a new boot ID before checking Ready: right after the ssh command the node still
  # reports its pre-reboot Ready status, so waiting on Ready alone would uncordon it too early
  for i in $(seq 1 60); do
    [ "$(kubectl get "node/$NODE_NAME" -o jsonpath='{.status.nodeInfo.bootID}')" != "$OLD_BOOT" ] && break
    sleep 10
  done
  kubectl wait --for=condition=Ready "node/$NODE_NAME" --timeout=600s
  kubectl uncordon "$NODE_NAME"

  echo "=== $NODE_NAME updated ==="
done

Mitigation (If Patching Isn’t Immediate)

# Block the algif_aead module if not needed. "blacklist" only stops alias-based
# autoloading; the "install" line also makes explicit loads by module name fail.
kubectl debug node/<node-name> -it --image=busybox -- \
  sh -c 'printf "blacklist algif_aead\ninstall algif_aead /bin/false\n" >> /host/etc/modprobe.d/blacklist-algif.conf'

# Or unload it if currently loaded. Run modprobe via the host root so it uses the
# node's /lib/modules, in a privileged debug container (module unload needs it);
# it fails with "in use" while any AF_ALG socket still holds the module
kubectl debug node/<node-name> -it --image=busybox --profile=sysadmin -- \
  chroot /host modprobe -r algif_aead

Monitor with Trivy Operator

apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
  name: kernel-cve-check
spec:
  compliance:
    - id: cve-2026-31431
      title: "Linux kernel crypto algif_aead vulnerability"
      severity: MEDIUM

Common Issues

Node won’t drain

  • Cause: PodDisruptionBudget blocks eviction
  • Fix: Use --disable-eviction flag (last resort) or adjust PDB temporarily

Kernel update requires reboot but node is critical

  • Cause: Live patching doesn’t cover this fix
  • Fix: Schedule maintenance window; use rolling updates with PDB protection

Best Practices

  1. Automate kernel patching: use kured (Kubernetes Reboot Daemon) for automatic reboots after updates
  2. Monitor kernel CVEs: subscribe to the oss-security mailing list and Red Hat errata
  3. Use minimal kernel modules: blacklist unused modules to reduce attack surface
  4. Rolling updates: never patch all nodes simultaneously
  5. Test in staging: verify the kernel update doesn’t break GPU drivers or storage modules

Key Takeaways

  • CVE-2026-31431 affects the Linux kernel crypto: algif_aead subsystem
  • Fix reverts unnecessary in-place operation complexity
  • Patch node kernels via OS package manager and reboot
  • Use cordon/drain/uncordon for zero-downtime rolling kernel updates
  • Mitigate by blacklisting algif_aead module if not needed
  • Red Hat advisory: https://access.redhat.com/security/cve/cve-2026-31431
#security #cve #linux-kernel #node-security #patching
Written by Luca Berton

Principal Solutions Architect specializing in Kubernetes, AI/GPU infrastructure, and cloud-native platforms. Author of Kubernetes Recipes and creator of CopyPasteLearn courses.

