A flaw was found in the Linux kernel's algif_aead cryptographic algorithm interface. An incorrect 'in-place operation' was introduced, where the source and destination data mappings were different. This could lead to unexpected behavior or data integrity issues during cryptographic operations, potentially impacting the reliability of encrypted communications.

This local privilege escalation is rated as Important severity. Part of the Linux kernel's cryptographic interface contains an incorrect in-place operation, where source and destination data mappings differ. This could lead to data integrity issues, including the escalation to root privileges.

Affected Products

• RHEL/CentOS/Rocky Linux/AlmaLinux 8, 9, 10 (Fixed)
• openEuler 20.03 LTS and later versions (Fixed)

Mitigation (for RHEL/CentOS)

Warning: there may be performance impacts for modifying functionality that uses kernel cryptographic functions.

1. Run below command to append the option to grub:

# grubby --update-kernel=ALL --args='initcall_blacklist=algif_aead_init'

2. Restart the system:

# reboot

3. Verification: once rebooted, verify the parameter:

# cat /proc/cmdline | grep initcall_blacklist
BOOT_IMAGE=(hd0,gpt2)/vmlinuz<...> initcall_blacklist=algif_aead_init

Reverse Mitigation

Once the fixed kernel is available and installed to reverse the mitigation see steps below:

1. Run below command to remove the option to grub:

# grubby --update-kernel=ALL --remove-args='initcall_blacklist=algif_aead_init'

2. Restart the system:

# reboot

3. Verification: once rebooted, verify the parameter has been removed:

# cat /proc/cmdline | grep initcall_blacklist
<... no output ...>

References

https://access.redhat.com/security/cve/cve-2026-31431