CVE-2026-31431. 100% Reliable Linux LPE — no race, no per-distro offsets, page-cache write that bypasses on-disk file-integrity tools and crosses containers. Found by Xint Code.
Honestly, if an attacker has shell access you’re toast regardless. I know you shouldn’t be able to escalate privileges, but better to never let them on the machine.
Most security in industry only holds because employees have no interest in attacking, or knowledge how to attack, their employer.
Note that this is a rather narrow view of the scope of things.
Yes, the demonstrator is a python script that opens up ‘su’ and uses splice+this vulnerability to change it to ‘just assume all privileges and become sh’.
However, it’s that any process in any namespace can leverage a certain socket type and splice to effectively modify any filesystem content they want. It’s easy to see how this could be part of a chained attack to, for example, replace a protected service that is firewalled off with a shell. An RCE in a service permits rewriting nginx in an entirely different container and replaces it with a shell backend of your choosing.
That ‘flatpak’ application on your single user system that is guarded from touching your files that aren’t related? That isolation doesn’t mean anything if this issue is in play.
In terms of shared systems, while it should be avoided if possible, practically speaking there’s a lot of shared resources.
I don’t get why I’ve seen so many people saying “ehh, no big deal, privilege escalation is just a fact of life”.
Honestly, thats a really bad take. Yes obviously, you should not let attackers access the terminal, but there are linux servers that rely on multiuser operations, like Servers that are meant for terminal access, like HPC.
Then services get hosted via container these days, so even with rootless containers you get root access if you only get RCE on one service. And even if there are additional VMs for more isolation between host, you still get root on the whole VM.
I work for a critical, global communications infrastructure company, and it’s painfully obvious that the moment someone has a foothold they could do whatever they want with some minor skill lol.
Honestly, if an attacker has shell access you’re toast regardless. I know you shouldn’t be able to escalate privileges, but better to never let them on the machine.
Most security in industry only holds because employees have no interest in attacking, or knowledge how to attack, their employer.
Note that this is a rather narrow view of the scope of things.
Yes, the demonstrator is a python script that opens up ‘su’ and uses splice+this vulnerability to change it to ‘just assume all privileges and become sh’.
However, it’s that any process in any namespace can leverage a certain socket type and splice to effectively modify any filesystem content they want. It’s easy to see how this could be part of a chained attack to, for example, replace a protected service that is firewalled off with a shell. An RCE in a service permits rewriting nginx in an entirely different container and replaces it with a shell backend of your choosing.
That ‘flatpak’ application on your single user system that is guarded from touching your files that aren’t related? That isolation doesn’t mean anything if this issue is in play.
In terms of shared systems, while it should be avoided if possible, practically speaking there’s a lot of shared resources.
I don’t get why I’ve seen so many people saying “ehh, no big deal, privilege escalation is just a fact of life”.
Honestly, thats a really bad take. Yes obviously, you should not let attackers access the terminal, but there are linux servers that rely on multiuser operations, like Servers that are meant for terminal access, like HPC.
Then services get hosted via container these days, so even with rootless containers you get root access if you only get RCE on one service. And even if there are additional VMs for more isolation between host, you still get root on the whole VM.
I work for a critical, global communications infrastructure company, and it’s painfully obvious that the moment someone has a foothold they could do whatever they want with some minor skill lol.