Announced last night...
TL/DR:
Quick mitigation on unpatched systems:
should disable the
algif_aeadmodule
via standard kernal module blacklisting.
...presuming you are not using that specific crypto algorithm, of course.
For those wondering on the mitigation steps.
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
Luckily it does require local access to the machine, not that its good, obviously this is a serious explot that you should mititgate, but that does make it a little bit easier to sleep at night.
Not directly, but, if they manage to get a script uploded and run as a local user, that could be a problem.
Not saying we should panic, per se. Just that the potential is there.
Which is why this has a CVSS score of 7.8 instead of 9+.
I run a lot of linux machines with this vuln but, as I have no users other than me, am basically safe.
The businesses running Ignition in containers for third parties are the ones who should be concerned here. (Because a designer pointed at such a gateway could compromise the entire set of containers.)
Found the script if anyone cares to see GitHub - rootsecdev/cve_2026_31431: Exploit POC for CVE_2026_31431 ยท GitHub
Hypothetically it seems like someone could use designer, access a remote linux gateway, create this python script on the gateway with a gateway message handler+system.file.writeFile, execute it, and now whatever user Ignition is running as has root privileges?
Per Copy.Fail
Seems like Ignition could be medium-high depending on your setup. You would still need a designer login but after that seems trivial for a knowledgable party?
