Fireship · Tech
732 bytes of Python just borked every Linux machine on earth…
TL;DR
A 732-byte Python exploit leverages a Linux kernel bug present since 2017 to grant any local user root access on virtually every Linux distro.
Key Points
- 1. CVE-2026-31431 is a 100% reliable local privilege escalation affecting every Linux distro updated since 2017. The flaw was silently introduced via commits in 2015 and 2017, confirmed by the Linux kernel team, and added to CISA's Known Exploited Vulnerabilities list with CrowdStrike reporting active exploitation in the wild.
- 2. The exploit abuses Linux's AF_ALG crypto interface to corrupt a read-only file's page cache. authencesn (auth encryption extended sequence numbers) mistakenly writes 4 uncontrolled scratch bytes into the page cache of a read-only file — such as the /etc/su binary — via a bug in the AF_ALG splice function, enabling root access.
- 3. An AI agent discovered and weaponized this vulnerability in roughly one hour. The company Theori fed its AI agent a targeted prompt about splice delivering page cache references to crypto TX scatter lists; the agent found the flaw, wrote the exploit, and published a proof-of-concept website — a bug valued at $10,000–$7 million on the gray market — for free.
- 4. The exploit is local-only, not remotely executable, but patching is still urgent. An attacker needs an existing foothold (e.g., via SSH or a compromised app) to run the 732-byte Python script; all major distros including Debian, Arch, Red Hat, Ubuntu, and Amazon Linux need immediate kernel updates.
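Because the exploit needs an unprivileged local process to open an AF_ALG socket, one detection angle while kernels are being patched is to flag such socket() calls in auditd logs. This is an added example, not code from the video or from Theori; the log lines are constructed, and it assumes x86_64 hosts where auditd already records socket(2) (the rule in the comment, including its key name, is illustrative).

```python
import re

AF_ALG = 38               # address family number from <linux/socket.h>
SYS_SOCKET_X86_64 = 41    # socket(2) syscall number on x86_64
X86_64_ARCH = "c000003e"  # auditd's arch value for 64-bit x86

# Assumed audit rule (key name is hypothetical):
#   -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg
# Constructed sample SYSCALL records, not captured from a real host.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=900 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.11"
type=SYSCALL msg=audit(1700000001.202:502): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=6 a3=0 items=0 ppid=900 pid=1202 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1700000002.303:503): arch=c000003e syscall=41 success=yes exit=5 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=640 auid=4294967295 uid=0 gid=0 euid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup"
type=SYSCALL msg=audit(1700000003.404:504): arch=c000003e syscall=41 success=no exit=-97 a0=26 a1=5 a2=0 a3=0 items=0 ppid=950 pid=1310 auid=1001 uid=33 gid=33 euid=33 comm="php-fpm" exe="/usr/sbin/php-fpm8.2"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one auditd record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def af_alg_by_unprivileged(log_text):
    """Return socket(AF_ALG, ...) calls made by non-root users."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != X86_64_ARCH:
            continue
        if int(rec.get("syscall", "-1")) != SYS_SOCKET_X86_64:
            continue
        # auditd prints the syscall arguments a0..a3 in hexadecimal.
        if int(rec.get("a0", "0"), 16) != AF_ALG:
            continue
        if int(rec.get("uid", "0")) == 0:
            continue  # root already has the privileges the exploit seeks
        hits.append({
            "pid": int(rec.get("pid", "-1")),
            "uid": int(rec["uid"]),
            "exe": rec.get("exe", "?"),
            # Failed attempts (AF_ALG unavailable) are still worth triage.
            "success": rec.get("success") == "yes",
        })
    return hits


if __name__ == "__main__":
    for hit in af_alg_by_unprivileged(SAMPLE_LOG):
        print(hit)
```

Legitimate unprivileged AF_ALG users exist, so treat hits as triage leads and baseline the expected executables per host.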