The KSOURCE default in kernel/Makefile (line 15) currently pins to linux-6.18.5.tar.xz, which predates the fix for CVE-2026-31431 (“Copy Fail”)—a local privilege escalation in algif_aead / authencesn disclosed by Theori (reporter: Taeyang Lee) on 2026-04-29.
The upstream fix—commit [a664bf3d603d](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603d) (“crypto: algif_aead - Revert to operating out-of-place”)—was authored on 2026-03-31 and merged into Linus’s tree on 2026-04-01. It has since been backported to stable releases 6.18.22 and 6.19.12, alongside the companion patch (“crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption”). The latter addresses the AEAD template leveraged by the vulnerability to achieve a controllable 4-byte write into the page cache.
A public 732-byte Python PoC demonstrates reliable exploitation across multiple distributions (including Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16), suggesting that any VM kernel built from this Makefile at the current default is likely vulnerable to guest-local privilege escalation.
Suggested update:
- KSOURCE ?= https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.18.5.tar.xz
+ KSOURCE ?= https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.18.26.tar.xz
Version 6.18.26 is the latest in the 6.18.x series at the time of writing; any release ≥6.18.22 (or ≥6.19.12) includes the necessary backports.
Happy to open a PR if that’s helpful—thanks for considering the update.
References
The
KSOURCEdefault inkernel/Makefile(line 15) currently pins tolinux-6.18.5.tar.xz, which predates the fix for CVE-2026-31431 (“Copy Fail”)—a local privilege escalation inalgif_aead/authencesndisclosed by Theori (reporter: Taeyang Lee) on 2026-04-29.The upstream fix—commit
[a664bf3d603d](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603d)(“crypto: algif_aead - Revert to operating out-of-place”)—was authored on 2026-03-31 and merged into Linus’s tree on 2026-04-01. It has since been backported to stable releases 6.18.22 and 6.19.12, alongside the companion patch (“crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption”). The latter addresses the AEAD template leveraged by the vulnerability to achieve a controllable 4-byte write into the page cache.A public 732-byte Python PoC demonstrates reliable exploitation across multiple distributions (including Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16), suggesting that any VM kernel built from this Makefile at the current default is likely vulnerable to guest-local privilege escalation.
Suggested update:
Version 6.18.26 is the latest in the 6.18.x series at the time of writing; any release ≥6.18.22 (or ≥6.19.12) includes the necessary backports.
Happy to open a PR if that’s helpful—thanks for considering the update.
References
ChangeLog-6.18.22,ChangeLog-6.19.12)