The Linux kernel has addressed a subtle but significant security vulnerability in the AF_ALG crypto subsystem, tracked as CVE-2026-31431. The flaw resides in the algif_aead interface, where an earlier attempt to optimize AEAD (Authenticated Encryption with Associated Data) operations by enabling in-place processing introduced a potential use-after-free condition. The fix reverts the code to safer out-of-place operations, prioritizing security over performance.

The Vulnerability: In-Place Optimization Gone Wrong

The algif_aead interface, part of the kernel's cryptographic API accessible via the AF_ALG socket family, allows user-space applications to perform authenticated encryption. In kernel 6.12, a change was made to allow AEAD operations to modify the input buffer in-place, rather than always copying data to a separate output buffer. This optimization aimed to reduce memory overhead and improve performance for applications that do not require the original plaintext after encryption.

However, this in-place behavior introduced a critical flaw. When user space submits an AEAD request with separate source and destination buffers (a scatter-gather list where source and destination are distinct), the kernel's crypto layer may still attempt to use the source buffer as the destination if the operation is marked as in-place. This can lead to a situation where the crypto operation writes authentication tags or encrypted data into a buffer that is no longer valid, or where the buffer's memory is freed before the operation completes.

The vulnerability is classified as a use-after-free (UAF) issue. An attacker with access to the AF_ALG socket could craft specific AEAD requests that trigger this condition, potentially leading to memory corruption, information disclosure, or privilege escalation. The CVSS score is 7.8 (High), reflecting the potential for local privilege escalation.

The Fix: Reverting to Out-of-Place Operations

The patch, authored by Herbert Xu and merged into the kernel tree, effectively undoes the in-place optimization for algif_aead. The key change is in the aead_sendmsg function, which now always allocates a separate output buffer and copies the source data if necessary, ensuring that the source buffer remains untouched and the destination buffer is properly managed.

Specifically, the patch modifies the logic that determines whether to use in-place or out-of-place processing. Previously, the code checked if the source and destination buffers overlapped and allowed in-place if they did. Now, it forces out-of-place unless the user explicitly requests in-place via a new flag. However, even with the flag, the kernel ensures that the buffers are properly separated and that no dangling references exist.

The commit message states: "Revert 'crypto: af_alg - Support in-place encryption for AEAD' due to potential use-after-free. The in-place optimization introduced a race condition where the output SGL could be freed while still in use by the crypto operation."

Impact on Users and Performance

For most users, this change will be transparent. The AF_ALG interface is primarily used by specialized cryptographic applications, such as dm-crypt, IPsec, or custom encryption tools. These applications typically use out-of-place operations anyway, as they need to preserve the original data for verification or other purposes.

However, applications that relied on the in-place optimization for performance may see a regression. The performance impact depends on the size of the data and the frequency of AEAD operations. In benchmarks, out-of-place operations can be up to 30% slower for small buffers due to the extra copy. For large buffers, the overhead is negligible.

Mitigation and Patching

Users should update their Linux kernel to a version containing the fix. The patch has been applied to the mainline kernel and is being backported to stable branches. Distributions such as Ubuntu, Debian, Red Hat, and SUSE are expected to release updated packages shortly.

For those who cannot immediately patch, a workaround is to avoid using the AF_ALG interface with AEAD algorithms, or to ensure that user-space applications always provide separate source and destination buffers. However, this is not a complete mitigation, as the vulnerability can be triggered even with separate buffers under certain conditions.
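One way to verify the "avoid AF_ALG with AEAD" workaround on a host, as an added example that is not from the original article or the kernel project: the shell function below reports whether the algif_aead front end is built in, already loaded, blocked by a modprobe install rule, or still loadable on demand. Enforcing the workaround through a modprobe.d rule is an assumption of this example rather than a step the article prescribes, and the default paths are the usual locations on common distributions.

```shell
#!/bin/sh
# Added example: classify how reachable the AF_ALG AEAD front end
# (module algif_aead) is on a host. File locations are parameters so the
# check also runs against constructed copies of the files.

# Usage: algif_aead_status [MODULES_FILE] [BUILTIN_FILE] [MODPROBE_DIR...]
# Prints one of: builtin | loaded | blocked | loadable
algif_aead_status() {
    modules=${1:-/proc/modules}
    builtin_list=${2:-/lib/modules/$(uname -r)/modules.builtin}
    if [ $# -ge 2 ]; then shift 2; else shift $#; fi
    if [ $# -eq 0 ]; then
        set -- /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d
    fi

    # Built into the kernel image: no modprobe rule can switch it off,
    # so only a patched kernel removes the exposure.
    if grep -q '/algif_aead\.ko' "$builtin_list" 2>/dev/null; then
        echo builtin; return 0
    fi
    # Already loaded: a rule only takes effect after unload or reboot.
    if grep -q '^algif_aead ' "$modules" 2>/dev/null; then
        echo loaded; return 0
    fi
    # An "install" override stops on-demand loading. A "blacklist" line
    # alone does not count here, because it only suppresses alias matches.
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        if cat "$dir"/*.conf 2>/dev/null |
           grep -Eq '^[[:space:]]*install[[:space:]]+algif[-_]aead[[:space:]]+(/usr)?/bin/(false|true)'; then
            echo blocked; return 0
        fi
    done
    echo loadable
}
```

Called with no arguments, `algif_aead_status` inspects the live system; any result other than `blocked` means local users can still reach the AEAD interface until the kernel is patched.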

Conclusion

CVE-2026-31431 serves as a reminder that performance optimizations in security-critical code must be carefully scrutinized. The Linux kernel's crypto subsystem is a complex piece of software where even small changes can have far-reaching consequences. By reverting to the safer out-of-place approach, the kernel developers have chosen correctness over speed, a trade-off that is often necessary in security-sensitive contexts.

Users are advised to apply the patch as soon as it becomes available for their distribution. While the immediate risk is low for typical desktop users, systems running custom crypto applications or exposed to untrusted local users should prioritize this update.