CircleCI response to CVE-2026-31431 ("Copy Fail" Linux kernel vulnerability)

On April 29, 2026, a Linux kernel vulnerability, CVE-2026-31431, was disclosed that could allow a user already running code on a system to gain elevated access.

CVE-2026-31431 is a logic bug in the Linux kernel’s algif_aead crypto submodule - the part of the kernel that handles certain cryptographic operations. The bug lets an unprivileged user (one without admin rights) write a small amount of controlled data into kernel memory, which can then be leveraged to gain root access on that same machine. Exploitation requires that an attacker already has the ability to run code on the affected system. Its CVSS severity score is 7.8 out of 10 (High).

This vulnerability cannot be used to reach another customer’s data or CircleCI’s infrastructure, and no additional actions are required for cloud-based customers.

Runners: patch your host machines

If you use CircleCI Runners, you’ll need to patch your host machines using your Linux distribution provider’s guidance. CircleCI does not distribute any images for Runners, so there are no updates to Runner binaries, only to host machines.

Please follow your Linux distribution provider’s guidance.
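For Runner operators who want to know where each host stands while the distribution patch rolls out, here is an added example (not CircleCI’s code) that classifies a host’s state with respect to the algif_aead component named above. It assumes that blocking the component means keeping the algif_aead module from loading, that modprobe rules live in /etc/modprobe.d/*.conf, and that the running kernel’s config is at /boot/config-$(uname -r); the sample inputs at the end are constructed.

```shell
#!/bin/sh
# Added example, not CircleCI code: classify a Runner host's exposure to the
# algif_aead component named in the advisory. It assumes the "block" means keeping
# the algif_aead module from loading; the distro kernel patch remains the fix.
# Is algif_aead resident? Argument: text of /proc/modules.
algif_aead_loaded() {
    printf '%s\n' "$1" | grep -q '^algif_aead '
}
# Effective load block? Argument: concatenated /etc/modprobe.d/*.conf text.
# Only "install algif_aead /bin/false" (or /bin/true) stops the kernel's own
# request_module() from pulling the module in on first AF_ALG "aead" use.
algif_aead_install_blocked() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)'
}
# A bare "blacklist" line only disables alias-based autoload, not loading by
# module name, so it is reported separately as insufficient.
algif_aead_blacklist_only() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*blacklist[[:space:]]+algif_aead'
}
# Compiled in (=y) rather than modular? Argument: text of /boot/config-$(uname -r).
# A built-in algif_aead cannot be blocked with modprobe rules at all.
algif_aead_builtin() {
    printf '%s\n' "$1" | grep -q '^CONFIG_CRYPTO_USER_API_AEAD=y$'
}
# classify MODULES MODPROBE KCONFIG -> builtin|loaded|blocked|blacklist-only|not-loaded
classify() {
    if algif_aead_builtin "$3"; then echo builtin
    elif algif_aead_loaded "$1"; then echo loaded
    elif algif_aead_install_blocked "$2"; then echo blocked
    elif algif_aead_blacklist_only "$2"; then echo blacklist-only
    else echo not-loaded
    fi
}
# Run against the local host; missing files read as empty.
report_host() {
    classify "$(cat /proc/modules 2>/dev/null || true)" \
             "$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)" \
             "$(cat "/boot/config-$(uname -r)" 2>/dev/null || true)"
}
# Constructed sample inputs (not captured from a real host).
SAMPLE_MODULES_LOADED='algif_aead 16384 0 - Live 0xffffffffc0000000
af_alg 28672 1 algif_aead, Live 0xffffffffc0001000'
SAMPLE_RULES_INSTALL='# interim mitigation
install algif_aead /bin/false'
SAMPLE_KCONFIG_MODULE='CONFIG_CRYPTO_USER_API_AEAD=m'
echo "sample: $(classify "$SAMPLE_MODULES_LOADED" "$SAMPLE_RULES_INSTALL" "$SAMPLE_KCONFIG_MODULE")"
echo "host:   $(report_host)"
```

A host reporting "loaded" with an install rule present has had the rule added after the module was loaded, so only a reboot or kernel update changes its state; "blacklist-only" means the rule in place does not stop the kernel from loading the module by name.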

Docker jobs: no action required

Docker jobs run on a shared Linux fleet where kernel-level isolation forms the security boundary between customers. The affected kernel component was blocked across our fleet on April 29. A permanent patch is on the way through our normal update process.

Machine executor jobs: no action required

Machine executor jobs already run with root access by design (see docs), so this vulnerability does not expose data or credentials beyond the access that your build already has. Each VM is yours alone for the duration of a job and destroyed when it ends, so this vulnerability cannot carry over between jobs or customers. Updated VM images will be available once AWS releases a patched kernel.

A note on vulnerability scanners

If you’re running a scanner inside a Machine executor job, it may flag the current kernel version as unpatched. That’s accurate and expected, and will clear once updated images are deployed. In the meantime, you can reference this post to document the exception in your security tooling.

Updates

This advisory will be updated when the kernel patch from our Linux distribution provider and patched Machine executor images are deployed.
