CVE-2026-31431. 100% Reliable Linux LPE — no race, no per-distro offsets, page-cache write that bypasses on-disk file-integrity tools and crosses containers. Found by Xint Code.
While the POC requires su, the underlying flaw potentially works on any setuid binary on systems with AF_ALG enabled (provided there isn’t something else preventing it).
In Android this would very likely be the “mount” command, as if it has a microSD card reader or the ability to use a USB data transfer I expect it’s using mount in order to do so.
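A quick way to check the two preconditions this comment names, added here as an example (it is not the PoC and not code from anyone in the thread): it probes whether user space can open an AF_ALG socket and bind a transform, and lists setuid binaries in the usual directories. It assumes a Linux host with a C compiler; the directory list and the choice of the sha256 hash transform are mine, and a hit on both says nothing about whether the bug itself is present on the box.

```c
/* Added triage check for this thread: enumerates the two preconditions the
 * comment above mentions (AF_ALG reachable from user space, a setuid binary
 * to target). Not the PoC, not anyone's code from the thread, and it does
 * not test the vulnerability itself. Assumes Linux. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef AF_ALG
#define AF_ALG 38   /* PF_ALG in <bits/socket.h>; defined here for old headers */
#endif

/* Same layout as struct sockaddr_alg in <linux/if_alg.h>, copied so this
 * builds without kernel headers installed. */
struct alg_addr {
    unsigned short salg_family;
    unsigned char  salg_type[14];
    unsigned int   salg_feat;
    unsigned int   salg_mask;
    unsigned char  salg_name[64];
};

enum alg_state { ALG_AVAILABLE = 0, ALG_UNSUPPORTED = 1, ALG_BLOCKED = 2 };

/* EAFNOSUPPORT means the kernel has no CONFIG_CRYPTO_USER_API (or the algif
 * modules are absent); any other failure (EPERM from seccomp, an LSM, a
 * container runtime) is reported as "blocked". */
enum alg_state probe_af_alg(void) {
    int fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (fd >= 0) { close(fd); return ALG_AVAILABLE; }
    return errno == EAFNOSUPPORT ? ALG_UNSUPPORTED : ALG_BLOCKED;
}

/* Bind to a concrete transform the way real AF_ALG clients do.
 * Returns 1 if "hash"/"sha256" can be bound. (My choice of transform.) */
int af_alg_can_bind_sha256(void) {
    struct alg_addr sa;
    memset(&sa, 0, sizeof sa);
    sa.salg_family = AF_ALG;
    strncpy((char *)sa.salg_type, "hash", sizeof sa.salg_type - 1);
    strncpy((char *)sa.salg_name, "sha256", sizeof sa.salg_name - 1);
    int fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (fd < 0) return 0;
    int ok = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0;
    close(fd);
    return ok;
}

/* Count regular files in one directory with the setuid bit set, printing each.
 * Deliberately non-recursive: point it at /usr/bin, /system/bin, and so on.
 * Returns -1 if the directory cannot be opened. */
int count_setuid_in_dir(const char *dir) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char path[4096];
        struct stat st;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) != 0) continue;
        if (S_ISREG(st.st_mode) && (st.st_mode & S_ISUID)) {
            printf("setuid: %s (owner uid %u)\n", path, (unsigned)st.st_uid);
            n++;
        }
    }
    closedir(d);
    return n;
}

/* Self-check for the scanner: make a scratch directory holding one setuid
 * file and one plain file, scan it, clean up, return the count (expect 1). */
int setuid_scan_self_check(void) {
    char tmpl[] = "/tmp/suidscanXXXXXX";
    char alt[]  = "./suidscanXXXXXX";          /* fallback if /tmp is unwritable */
    char *dir = mkdtemp(tmpl) ? tmpl : mkdtemp(alt);
    if (!dir) return -1;
    char suid[64], plain[64];
    snprintf(suid, sizeof suid, "%s/suid_bin", dir);
    snprintf(plain, sizeof plain, "%s/plain_bin", dir);
    FILE *f = fopen(suid, "w");  if (f) fclose(f);
    f = fopen(plain, "w");       if (f) fclose(f);
    chmod(suid, 04755);                         /* setuid bit on, owned by us */
    chmod(plain, 0755);
    int n = count_setuid_in_dir(dir);
    unlink(suid); unlink(plain); rmdir(dir);
    return n;
}

int main(int argc, char **argv) {
    static const char *names[] = { "available", "unsupported", "blocked" };
    enum alg_state s = probe_af_alg();
    printf("AF_ALG socket: %s\n", names[s]);
    if (s == ALG_AVAILABLE)
        printf("AF_ALG hash/sha256 bind: %s\n", af_alg_can_bind_sha256() ? "ok" : "failed");
    /* Directories to scan are my defaults; pass your own on the command line. */
    const char *dirs[] = { "/usr/bin", "/usr/sbin", "/bin", "/sbin", "/system/bin", "/system/xbin" };
    if (argc > 1)
        for (int i = 1; i < argc; i++) count_setuid_in_dir(argv[i]);
    else
        for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) count_setuid_in_dir(dirs[i]);
    return 0;
}
```

On a hardened Android build the interesting output is not the setuid list but the AF_ALG line: "blocked" rather than "available" is what a seccomp filter or SELinux policy produces, which is the situation the GrapheneOS reply further down describes.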
I’m not as smart as the people who make alternative Android options. I was just hoping it would help them jailbreak more of goggle’s bullshit so customers actually have a choice to go for an Android OS which respects them and their privacy.
GrapheneOS has already vented on social media that they are not affected because of how they configured SELinux and that the headline is therefore not correct.
SELinux breaks a lot of Android root exploits; way back in the day even Dirty COW didn’t work. It would get you “root” but not actually the full perms because of SELinux. Really good testament to the added security of MAC, it’s one of the reasons I run AppArmor on my systems.
So could this root any android device to make it possible to install homebrew on it?
There usually isn’t a su binary installed on non-rooted Androids. If you’re rooting it yourself anyway, there’s no need to use the exploit.
https://grapheneos.social/@GrapheneOS/116491317711428490
I’ll be happy if I never have to look at SELinux or fapolicy ever again. Especially fapolicy because the documentation is shit.
It’s the one thing I don’t miss about being a sysadmin.
Aww dang it
Well ok, who tf cares, I can literally just connect to adb over localhost with Termux and do adb root.
Apparently this exact PoC only works on x86. You’d need to find an ARM version
You’d only need to change the payload part, which is a compiled x86 ELF header.
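To tell which architecture a payload was actually built for before trying it on a phone, read e_machine out of the ELF header. Added example, not code from the PoC or from anyone in the thread; the three sample headers are constructed for the self-test and are not real binaries, and the machine numbers are the ones in the ELF specification (the same values <elf.h> defines).

```c
/* Added example for this thread: identify an ELF payload's target
 * architecture from its header. Not PoC code. The SAMPLE_* headers are
 * constructed for testing only; they are not real executables. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ELFCLASS32  1
#define ELFCLASS64  2
#define ELFDATA2LSB 1      /* little-endian fields */
#define ELFDATA2MSB 2      /* big-endian fields */
/* e_machine values from the ELF spec */
#define EM_386      3
#define EM_ARM      40
#define EM_X86_64   62
#define EM_AARCH64  183

/* Returns e_machine, or -1 if buf is not an ELF header we can read.
 * e_machine sits at offset 18 for both ELF32 and ELF64 (e_ident is 16 bytes,
 * e_type is 2), so only the data encoding matters, not the class. */
int elf_machine(const unsigned char *buf, size_t len) {
    if (len < 20 || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    unsigned char cls = buf[4], data = buf[5];
    if (cls != ELFCLASS32 && cls != ELFCLASS64) return -1;
    if (data == ELFDATA2LSB) return buf[18] | (buf[19] << 8);
    if (data == ELFDATA2MSB) return (buf[18] << 8) | buf[19];
    return -1;
}

const char *elf_machine_name(int m) {
    switch (m) {
    case EM_386:     return "x86 (32-bit)";
    case EM_X86_64:  return "x86-64";
    case EM_ARM:     return "ARM (32-bit)";
    case EM_AARCH64: return "AArch64";
    default:         return "other/unknown";
    }
}

/* Constructed headers (first 24 bytes only): e_ident, e_type, e_machine, e_version. */
const unsigned char SAMPLE_X86_64[24] = {
    0x7f, 'E', 'L', 'F', ELFCLASS64, ELFDATA2LSB, 1, 0,  0,0,0,0,0,0,0,0,
    0x02, 0x00,            /* e_type ET_EXEC */
    0x3e, 0x00,            /* e_machine 62 = x86-64 */
    0x01, 0x00, 0x00, 0x00 };
const unsigned char SAMPLE_AARCH64[24] = {
    0x7f, 'E', 'L', 'F', ELFCLASS64, ELFDATA2LSB, 1, 0,  0,0,0,0,0,0,0,0,
    0x02, 0x00,
    0xb7, 0x00,            /* e_machine 183 = AArch64 */
    0x01, 0x00, 0x00, 0x00 };
const unsigned char SAMPLE_ARM_BE[24] = {   /* big-endian ARM32, exercises the MSB path */
    0x7f, 'E', 'L', 'F', ELFCLASS32, ELFDATA2MSB, 1, 0,  0,0,0,0,0,0,0,0,
    0x00, 0x02,
    0x00, 0x28,            /* e_machine 40 = ARM */
    0x00, 0x00, 0x00, 0x01 };

/* Usage: ./elfarch payload_binary */
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <elf file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    unsigned char hdr[64];
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    int m = elf_machine(hdr, n);
    if (m < 0) { printf("%s: not a readable ELF header\n", argv[1]); return 1; }
    printf("%s: e_machine=%d (%s)\n", argv[1], m, elf_machine_name(m));
    return 0;
}
```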