Critical Privilege Escalation Vulnerabilities in Ubuntu Kernel

Severity: High (Score: 72.9)

Sources: Linuxsecurity

Published: 2026-06-05 · Updated: 2026-06-05

Keywords: ubuntu, security, linux, kernel, issue, affects, releases

Severity indicators: issue

Summary

Two critical vulnerabilities affecting Ubuntu 18.04 LTS and 20.04 LTS have been disclosed. The first, CVE-2026-31431, relates to improper handling of in-place cryptographic operations in the algif_aead module, allowing local attackers to escalate privileges. The second, CVE-2026-43284, involves a logic flaw in the Linux kernel's handling of shared page fragments during socket buffer operations, also enabling privilege escalation. Both vulnerabilities have been confirmed to affect multiple kernel versions, including those for Raspberry Pi and Azure systems. Users are advised to update their systems immediately to mitigate risks. The issues were reported on June 4, 2026, and patches are available through Ubuntu Pro. The vulnerabilities are currently under active exploitation, emphasizing the urgency of applying the updates.

Key Points:

  • CVE-2026-31431 allows local privilege escalation via improper cryptographic operations.
  • CVE-2026-43284 involves a logic flaw in handling shared page fragments, also enabling privilege escalation.
  • Both vulnerabilities affect Ubuntu 18.04 LTS and 20.04 LTS, with patches available through Ubuntu Pro.

Detailed Analysis

**Impact** Ubuntu 14.04 LTS, 18.04 LTS, and 20.04 LTS releases and their derivatives are affected, including cloud-specific kernels for Microsoft Azure, Google Cloud Platform, and Oracle Cloud. The vulnerabilities allow local attackers to escalate privileges or escape containers, potentially compromising system integrity and sensitive data across enterprise, cloud, and IoT environments. The scope includes both on-premises and cloud deployments globally where these Ubuntu versions are in use.

**Technical Details** Exploits target logic flaws in the Linux kernel’s handling of shared page fragments during socket buffer operations (Dirty Frag) and the algif_aead cryptographic module (Copy Fail). Affected subsystems include XFRM ESP-in-TCP and RxRPC networking. CVEs involved are CVE-2026-31431, CVE-2026-43284, and CVE-2026-43500. Attackers require local access to escalate privileges or escape container boundaries. No specific malware or IOCs are provided.

**Recommended Response** Apply the latest Ubuntu Pro kernel updates immediately for affected versions: 4.15.x for Ubuntu 14.04/18.04 and 5.4.x for Ubuntu 18.04/20.04, followed by a system reboot. Recompile and reinstall all third-party kernel modules due to ABI changes. Monitor for unusual local privilege escalations and container escapes. No additional detection signatures or IOCs are currently available.
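A post-update check for the steps above, added here as an example and not taken from the advisory or from Ubuntu tooling: it reports whether the running kernel is in one of the named series, whether a newer installed kernel is still waiting on a reboot, and which DKMS modules have no build for the new release. Function names are hypothetical, and it assumes installed kernels are listed under `/lib/modules` and that third-party modules are managed by DKMS; it does not know the fixed package versions, which the page does not give.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical.

# yes/no: is this kernel release in a series the page names (4.15.x, 5.4.x)?
in_named_series() {
    case "$1" in
        4.15.*|5.4.*) echo yes ;;
        *) echo no ;;
    esac
}

# Highest release in a newline-separated list, by version order.
newest_release() {
    printf '%s\n' "$1" | sort -V | tail -n 1
}

# yes/no: is a newer kernel installed ($2, list) than the one running ($1)?
reboot_pending() {
    if [ "$1" = "$(newest_release "$2")" ]; then echo no; else echo yes; fi
}

# Names of DKMS modules with no "installed" build for release $1, given
# `dkms status` text in $2 ("name, ver, kernel, arch: state" or "name/ver, ...").
modules_to_rebuild() {
    printf '%s\n' "$2" | awk -v rel="$1" '
        { line = $0; sub(/\//, ", ", line)
          n = split(line, f, /, |: /)
          if (n < 2) next
          seen[f[1]] = 1
          if (n >= 5 && f[3] == rel && f[5] ~ /^installed/) ok[f[1]] = 1 }
        END { for (m in seen) if (!(m in ok)) print m }' | sort
}

# Run the checks against the live host (assumes /lib/modules and dkms).
live_report() {
    running=$(uname -r)
    installed=$(ls /lib/modules)
    newest=$(newest_release "$installed")
    echo "running=$running named_series=$(in_named_series "$running")"
    echo "reboot_pending=$(reboot_pending "$running" "$installed")"
    echo "dkms modules without a build for $newest:"
    modules_to_rebuild "$newest" "$(dkms status 2>/dev/null)"
}
```

Source the file and call `live_report` after installing the update; an empty module list with `reboot_pending=no` means the host is running the newest installed kernel with its DKMS modules built.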

Source articles (2)

  • Ubuntu 18.04 LTS Linux Kernel Critical Privilege Escalation USN-8390 — Linuxsecurity · 2026-06-04
    A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS - Ubuntu 14.04 LTS Summary: The system could be made to run programs as an administrator. Software Description…
  • Ubuntu 20.04 8391 — Linuxsecurity · 2026-06-04
    A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - li…

Timeline

  • 2024-11-19 — CVE-2024-50304 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-02-13 — CVE-2026-23112 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-02-14 — CVE-2026-23209 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-04-22 — CVE-2026-31504 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-04-23 — CVE-2026-31533 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-01 — CVE-2026-31431 added to CISA KEV: CVE-2026-31431 was added to the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation.
  • 2026-05-01 — CVE-2026-43033 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-04 — First public PoC for CVE-2026-31431: The first proof of concept for CVE-2026-31431 was published, demonstrating the vulnerability's exploitability.
  • 2026-05-06 — CVE-2026-43078 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-06 — CVE-2026-43077 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.

CVEs

  • CVE-2024-50304
  • CVE-2026-23112
  • CVE-2026-23209
  • CVE-2026-31431
  • CVE-2026-31504
  • CVE-2026-31533
  • CVE-2026-43033
  • CVE-2026-43077
  • CVE-2026-43078
  • CVE-2026-43284
  • CVE-2026-43494
  • CVE-2026-43500

Related entities

  • Privilege Escalation (Attack Type)
  • CWE-269 - Improper Privilege Management (CWE)
  • T1068 - Exploitation for Privilege Escalation (MITRE ATT&CK)
  • Google Cloud Platform (Company)
  • Microsoft Azure (Company)
  • Ubuntu (Company)
  • KVM (Platform)
  • Linux (Platform)
  • Linux kernel (Platform)
  • Oracle Cloud (Platform)
  • Copy Fail (Vulnerability)
  • Dirty Frag (Vulnerability)