Cover Letter Detail
Show a cover letter.
GET /api/covers/2231511/?format=api
{ "id": 2231511, "url": "http://patchwork.ozlabs.org/api/covers/2231511/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/177757626672.818044.11792928639290212185@tuxedo-infinitybook.public/", "project": { "id": 15, "url": "http://patchwork.ozlabs.org/api/projects/15/?format=api", "name": "Ubuntu Kernel", "link_name": "ubuntu-kernel", "list_id": "kernel-team.lists.ubuntu.com", "list_email": "kernel-team@lists.ubuntu.com", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<177757626672.818044.11792928639290212185@tuxedo-infinitybook.public>", "list_archive_url": null, "date": "2026-04-30T19:28:03", "name": "[SRU,Q/N/J,v2,0/3] CVE-2026-31431", "submitter": { "id": 89057, "url": "http://patchwork.ozlabs.org/api/people/89057/?format=api", "name": "Massimiliano Pellizzer", "email": "massimiliano.pellizzer@canonical.com" }, "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/177757626672.818044.11792928639290212185@tuxedo-infinitybook.public/mbox/", "series": [ { "id": 502366, "url": "http://patchwork.ozlabs.org/api/series/502366/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=502366", "date": "2026-04-30T19:28:03", "name": "CVE-2026-31431", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/502366/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/covers/2231511/comments/", "headers": { "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=cHUkYXF5;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g64424Q4yz1yJr\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 01 May 2026 05:29:22 +1000 (AEST)", "from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wIX4X-0001dp-0l; Thu, 30 Apr 2026 19:29:17 +0000", "from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <massimiliano.pellizzer@canonical.com>)\n id 1wIX4W-0001da-59\n for kernel-team@lists.ubuntu.com; Thu, 30 Apr 2026 19:29:16 +0000", "from mail-wm1-f71.google.com (mail-wm1-f71.google.com\n [209.85.128.71])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 0F2103FE9F\n for <kernel-team@lists.ubuntu.com>; Thu, 30 Apr 2026 19:29:16 +0000 (UTC)", "by mail-wm1-f71.google.com with SMTP id\n 5b1f17b1804b1-488d3eec9bcso8671045e9.3\n for <kernel-team@lists.ubuntu.com>; Thu, 30 Apr 2026 12:29:16 -0700 (PDT)", "from tuxedo-infinitybook (net-93-71-66-38.cust.vodafonedsl.it.\n [93.71.66.38]) by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-448e74324a5sm8133217f8f.12.2026.04.30.12.29.14\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 30 Apr 2026 12:29:14 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1777577356;\n bh=c9xsfBiHv4+ZyTLEPG6fHPmERxvIoLPCJCUFg3b2W2s=;\n h=From:To:Subject:Date:Message-ID:MIME-Version;\n b=cHUkYXF5TGZ17xvJ9CxleX/Mfs0wg5ZsTZ78diCnxTrTXEGVnCU1MOCUi0kp4kobw\n zObNibk/EN4nmo7WCtnTjqXXDu/5+U70ILGBsNrUzO7OdKPtPH01TzwU8iBLCNmNJf\n mZg93vVPHqfgLuAKreHq2LwDr6u0tn0S+PCIzbXSVr28JDtFFjV7hLRGHb3G992TZk\n TEXXXOc6G43b42ioBIGio/EeA5azIR/8ZUItx0sxnoz6ODbJl0adbIGv/0rKMnHrAx\n +oZIisa1tGlmDmOplZLsega61ifdk11X5m5ZzdX2Ty8xONyQGnhRYzuImgGkSsAyiJ\n nBYzIPyDKCjT28J7N3tqNzm/TtaM1Sg4M7KUkW8I+r7hk7cd9XWll678AkTgop54gJ\n wdYLDVayyWLhWj/wBn2uPmJWRVgX64m2tK2QLrWSFBEK9ZReUWuV6kpC689xJCQHff\n oKj2nPmxTW6sH0TkFvBiNECjFTA0kDJrWQyziEJe+cwIEnyDkBkJgP647JefcQJuZq\n Q8vUTlmkFMFM79+O0L8KZFiHSMul9+nZF/Vdhgj/Q9+82leREARXCX6T19cxueabnw\n Eqh8Xlxx3ydnQ7mESCDe2GA1EGIoyNBnEuysEQsgc8YI4/+fDi7NqE40q11sBtu5DV\n MUBel4AMgq2UCt8dBnd1TQbc=", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777577355; x=1778182155;\n h=content-transfer-encoding:mime-version:message-id:date:subject:to\n :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=c9xsfBiHv4+ZyTLEPG6fHPmERxvIoLPCJCUFg3b2W2s=;\n b=chrTX0+kgRc4z+xGGmB1WtcxBMtuWoi6kr6OTBdmIzM/b4njHkjfbstqcgTFElguio\n UODL62OuhcuLIe35vEh4h0TFST25rP0cwPlRaIeDu+r6o1iHtSLNIMXdYgNWLSJEtDos\n TCtDSpXZXmKnyVYhCVhua4MBW7uslaxklJYyGptsS4NY56sw3mkttbMzhpxwT7A0B1u8\n o37MnFpL1XbtLfwxAyM5rnoOQP7xTeQPEPcinAOoxWH5iHkAFlTHKW+mP+vf443ZiBfd\n oLzIB1qorG0px0ee1/jCVl2u0YU8nA5G1joyY6UeCU5wZVZerBWhlgjZhNBRptvVwRfe\n DE8Q==", "X-Gm-Message-State": "AOJu0YxE8W7GREf1QcWVkKAPWVBImDVfJ8W9M/gGN0WNlTSR4UZ/bvzj\n fRCXEXsV/gdKZYQ6kZynD/VduYVLQXDPvpZsuwxJXkL767Kqbgddk6V2CWK7/GT8x2CNNYGGXrw\n WkIptfXuzFnxb6S91ncSvMhOrvYQev2r+eWbNqVG/safDRF1+mT0Nuom7+DPRcFOqlHdw6h4k7r\n jA7X1/HA4V7JPAQw==", "X-Gm-Gg": "AeBDievM1pHDMvzY6nNT5ZcvTsW1bAxahf0YG71JvjmDPVQM0rJ/gpZAbgGI7Qr6ZR4\n D/Xob09E17vEfcMVTUmSMsS8D5GYkz6oHuyqhRsj6zGy6Dx99vsQPWixxfNIygOlzwZZQdQI0Rt\n BFkl1GmK6trtLTXMSS6PdBNVOXUh2Ul7YkxVYIAK2HRtpan/o4evx8JodLSbA6u501ayawf72Ap\n iPDUJMu++wvExptQP15apQZM+iWCyou29c+M8T/NLtKXHpYmCEthY0c3L7V0V3hXV21gu+nR69W\n CNE0vKE75Qyn96V2kx6+LtwEBXum/zRvKLwox6NWcrup7/FNvIee7Ex91VdZmnfT5UWTsimYAMA\n OJ9BG0AcUighJd3k/oXJ3FJ9wntEGQ1ZVEe72ypGlDNam3+nb0lw1L330Gp6BBYMwD810oqcTf7\n o7cEk/CCkLQLYix+0xEvzzTHKcHpcm2bI6UlkDsLN9jg2k/NPUL6D9PZMwPeMn6fjS1Lyr9CW4J\n yGL1ZzriB4VkQ==", "X-Received": [ "by 2002:a05:600c:820c:b0:48a:52ee:5776 with SMTP id\n 5b1f17b1804b1-48a8eb7c453mr1889425e9.11.1777577355329;\n Thu, 30 Apr 2026 12:29:15 -0700 (PDT)", "by 2002:a05:600c:820c:b0:48a:52ee:5776 with SMTP id\n 5b1f17b1804b1-48a8eb7c453mr1888965e9.11.1777577354641;\n Thu, 30 Apr 2026 12:29:14 -0700 (PDT)" ], "From": "Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>", "To": "kernel-team@lists.ubuntu.com", "Subject": "[SRU][Q/N/J][PATCH v2 0/3] CVE-2026-31431", "Date": "Thu, 30 Apr 2026 21:28:03 +0200", "Message-ID": "\n <177757626672.818044.11792928639290212185@tuxedo-infinitybook.public>", "X-Mailer": "git-send-email 2.53.0", "MIME-Version": "1.0", "X-BeenThere": "kernel-team@lists.ubuntu.com", "X-Mailman-Version": "2.1.20", "Precedence": "list", "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>", "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>", "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>", "List-Post": "<mailto:kernel-team@lists.ubuntu.com>", "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>", "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "base64", "Errors-To": "kernel-team-bounces@lists.ubuntu.com", "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>" }, "content": "https://ubuntu.com/security/CVE-2026-31431\n\n[ Impact ]\n\nCVE-2026-31431 is a local privilege escalation vulnerability\nin the Linux kernel's AF_ALG (Algorithm) socket subsystem.\n\nThe vulnerability allows an unprivileged local user to perform a deterministic,\ncontrolled 4-byte write into the kernel page cache of any file that the attacker\ncan read, including setuid-root binaries such as /usr/bin/su.\nBecause the page cache is what the kernel consults when executing a file,\nthe corrupted in-memory copy is immediately visible system-wide without the on-disk\nchecksum being altered.\n\n[ Fix ]\n\n* Questing, cherry pick the following patches from upstream:\n - a664bf3d603d crypto: algif_aead - Revert to operating out-of-place\n - 5aa58c3a572b crypto: algif_aead - snapshot IV for async AEAD requests\n - e02494114ebf crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption\n - 1f48ad3b19a9 crypto: authencesn - Fix src offset when decrypting in-place\n - 31d00156e50e crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl\n - 3d14bd48e3a7 crypto: algif_aead - Fix minimum RX size check for decryption\n\n* Noble, cherry pick the following patches from linux-6.12.y:\n - 41c3aa511e6e crypto: scatterwalk - Backport memcpy_sglist()\n - 183137264401 crypto: algif_aead - use memcpy_sglist() instead of null skcipher\n - 8b88d99341f1 crypto: algif_aead - Revert to operating out-of-place\n - 46fdb39e8322 crypto: algif_aead - snapshot IV for async AEAD requests\n - 7bc058a9b82b crypto: authenc - use memcpy_sglist() instead of null skcipher\n - 89fe118b6470 crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption\n - 129f12934401 crypto: authencesn - Fix src offset when decrypting in-place\n - c8369a6d62f5 crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl\n - af2fa2fbbced crypto: algif_aead - Fix minimum RX size check for decryption\n\n* Jammy, cherry pick the following patches from linux-5.15.y:\n - 36435a56cd6b crypto: scatterwalk - Backport memcpy_sglist()\n - 17774d99bb43 crypto: algif_aead - use memcpy_sglist() instead of null skcipher\n - 19d43105a97b crypto: algif_aead - Revert to operating out-of-place\n - a920cabdb0b7 crypto: algif_aead - snapshot IV for async AEAD requests\n - e416c41a96c8 crypto: authenc - use memcpy_sglist() instead of null skcipher\n - d589abd8b019 crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption\n - 723bb1b4a6dd crypto: authencesn - Fix src offset when decrypting in-place\n - 2b781d1d4f93 crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl\n - fd427dd84f22 crypto: algif_aead - Fix minimum RX size check for decryption\n\n\n[ Test Plan ]\n\nCompiled and boot tested.\nTested using the publicly available exploit.\nTested using LTP crypto testsuite for regressions.\nTested using libkcapi test.sh for regressions.\n(https://github.com/smuellerDD/libkcapi/tree/master)\n\n[ Where Problems Could Occur ]\n\nThe fix reverts the 2017 in-place optimization entirely, restoring out-of-place\noperation in algif_aead. A bug in the new out-of-place TX SGL allocation\nor AAD copy path could produce corrupt ciphertext, failed tag verification,\nor memory mismanagement under edge-case input lengths, affecting every consumer\nof the AF_ALG AEAD interface kernel-wide.\n\n[ Changes between v1 and v2 ]\n\nAdded 3d14bd48e3a7 (\"algif_aead - Fix minimum RX size check for decryption\")\nto both Noble and Questing.\n\nAdded libkcapi test.sh tests in test plan." }