Tiago has a great write-up of a Linux kernel exploit, CVE-2026-31431, that I think is one of the most beautiful pieces of security work I’ve read in a long time. It’s a 732-byte Python script that gives an unprivileged local user root access on basically every Linux distribution shipped since 2017.

What makes it special isn’t the size, it’s how it works. There’s no buffer overflow, no use-after-free, no memory corruption tricks. The bug is a logic flaw in the kernel’s AF_ALG crypto socket code. The reason this is so elegant is that all the standard kernel defences just don’t apply. Most of them are designed to stop memory corruption attacks. This isn’t one. It’s the kernel doing exactly what it was told to do, with side effects nobody noticed for almost a decade.

You don’t see exploits like this very often. Most kernel CVEs are race conditions or memory bugs, the kind that get harder to weaponise as defences improve. This one is just careful reading of the source and noticing that a clever optimisation in 2017 quietly opened a door that’s been there ever since. Patches dropped April 30, with seccomp or module blocklisting as a temporary mitigation. If you run Linux anywhere serious, patch.

Link to the article