Security Bulletin
Summary
IBM Storage Scale Systems is affected by a security vulnerability identified in the Linux kernel's cryptographic interface (CVE-2026-31431) that could allow a local user with low privileges to escalate to root privileges. The vulnerability has a CVSS score of 7.8 (High) and requires local system access to exploit on RHEL 8 and 9.
Vulnerability Details
CVEID: CVE-2026-31431
DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved:
crypto: algif_aead - Revert to operating out-of-place
This mostly reverts commit 72548b093ee3 except for the copying of
the associated data.
There is no benefit in operating in-place in algif_aead since the
source and destination come from different mappings. Get rid of
all the complexity added for in-place operation and just copy the
AD directly.
CWE: CWE-669: Incorrect Resource Transfer Between Spheres
CVSS Source: Linux
CVSS Base score: 7.8
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) (RHEL8 and RHEL9 platforms only) |
| IBM Storage Scale System | 6.1.0.0 - 6.1.9.8 |
| IBM Storage Scale System | 6.2.0.0 - 6.2.3.5 |
| IBM Storage Scale System | 7.0.0.0 - 7.0.0.2 |
Remediation/Fixes
See workarounds and mitigations.
Workarounds and Mitigations
A local privilege escalation vulnerability exists in the Linux kernel's cryptographic interface, specifically in the algif_aeadinterface. The vulnerability involves an incorrect in-place operation where source and destination data mappings differ, which could lead to data integrity issues and enable escalation to root privileges.
Temporary Mitigation:
As root user, blacklist the affected kernel interface by invoking the following command to add initcall_blacklist=algif_aead_init to /etc/default/grub on all Storage Scale System nodes and then reboot all nodes:
Perform one one node at a time while maintaining quorum
# Blacklist algif_aead module
mmgetstate -s
mmshutdown (ensure quorum is maintained prior to shutting down Scale)
mmchconfig autoload=no
grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
reboot
# Complete bringing the node back online
mmbuildgpl (to rebuild the portability layer)
mmstartup
mmgetstate
mmchconfig autoload=yes (if desired)
After applying the mitigation on all nodes, validate that the mitigation was applied on all nodes and initcall_blacklist=algif_aead_init is present:
# Validate the mitigation was applied
cat /proc/cmdline
# example output
BOOT_IMAGE=vmlinux-5.14.0-427.13.1.el9_4.x86_65 ... initcall_blacklist=algif_aead_init
Permanent Resolution:
Apply Storage Scale System update that includes vendor-provided kernel updates when available:
- Sign up for My IBM Notifications to be notified when a Security Bulletin is published with the formal fix in Storage Scale System
Get Notified about Future Security Bulletins
References
Acknowledgement
Change History
12 May 2026: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
12 May 2026
Initial Publish date:
12 May 2026
UID
ibm17272714