HeadlinesBriefing.com

Rootless Containers Contain Linux Exploit

Hacker News

Security researchers investigated CVE-2026-31431, a Linux kernel vulnerability that lets a local attacker gain root by corrupting the page cache backing /usr/bin/su. The exploit overwrites the cached pages of this setuid utility with a malicious ELF binary that calls setuid(0) and spawns a root shell the next time su is invoked.

The vulnerability affects kernels prior to 6.19.12, so Fedora 43, which shipped kernel 6.17.1, is exposed. The researchers dissected the exploit's shellcode and found a compact payload that uses ELF golfing techniques to minimize its size while keeping only what it needs for privilege escalation.

Using rootless Podman configured with sub-UID/sub-GID allocations and pasta networking, the researchers showed that container isolation contained the exploit: the kernel rejected the privilege-escalation attempt made from inside the container. The result shows that rootless containers add a meaningful boundary against this kind of bug, with the caveat that the kernel itself is shared with the host, so upgrading to a fixed kernel remains the actual remediation.
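The property that makes this containment possible is the user-namespace mapping: uid 0 inside a rootless container is an unprivileged uid on the host, and every other container uid falls inside the range /etc/subuid grants the user. The script below is an added example, not code from the article or from the Podman project. It checks a uid_map against a subuid allocation and assumes the standard rootless Podman layout (container uid 0 mapped to the user's own host uid, uids 1 and up mapped into the sub-UID range); the sample mappings and the user "alice" are constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example: verify that a rootless container's user-namespace mapping
# is confined to the host's /etc/subuid allocation.
#
# /proc/<pid>/uid_map has lines of the form "<inside-start> <outside-start> <count>".
# For "root in the container is not root on the host" to hold:
#   1. no mapped range may cover host uid 0;
#   2. every range is either the user's own uid (count 1) or lies entirely
#      inside the sub-UID range granted in /etc/subuid.
#
# On a real host you would feed it the output of:
#   podman unshare cat /proc/self/uid_map     (the mapping)
#   grep "^$USER:" /etc/subuid                (the allocation)

# check_uid_map MAP SUBUID_LINE USER_UID
#   MAP          - uid_map contents, one "inside outside count" per line
#   SUBUID_LINE  - the "user:start:count" line from /etc/subuid
#   USER_UID     - the unprivileged host uid that runs podman
# Returns 0 if the mapping is confined, 1 otherwise (reason on stderr).
check_uid_map() {
    map="$1"; subuid_line="$2"; user_uid="$3"
    sub_start=$(printf '%s' "$subuid_line" | cut -d: -f2)
    sub_count=$(printf '%s' "$subuid_line" | cut -d: -f3)
    sub_end=$((sub_start + sub_count))          # exclusive upper bound
    root_mapped=0
    while read -r inside outside count; do
        if [ -z "$inside" ]; then continue; fi
        out_end=$((outside + count))            # exclusive upper bound
        # 1. host uid 0 must not be reachable from inside the namespace
        if [ "$outside" -le 0 ] && [ "$out_end" -gt 0 ]; then
            echo "host uid 0 is mapped (line: $inside $outside $count)" >&2
            return 1
        fi
        # 2. the range is the user's own uid, or it sits inside the sub-UID allocation
        if [ "$count" -eq 1 ] && [ "$outside" -eq "$user_uid" ]; then
            :
        elif [ "$outside" -lt "$sub_start" ] || [ "$out_end" -gt "$sub_end" ]; then
            echo "range $outside..$((out_end - 1)) escapes subuid $sub_start..$((sub_end - 1))" >&2
            return 1
        fi
        # note whether container uid 0 is mapped at all
        if [ "$inside" -le 0 ] && [ $((inside + count)) -gt 0 ]; then
            root_mapped=1
        fi
    done <<EOF
$map
EOF
    if [ "$root_mapped" -eq 0 ]; then
        echo "container uid 0 is not mapped; unexpected for rootless Podman" >&2
        return 1
    fi
    return 0
}

# Constructed sample inputs (not taken from a real system).
SUBUID_ALICE="alice:100000:65536"
ROOTLESS_MAP="$(printf '0 1000 1\n1 100000 65536')"   # typical rootless Podman mapping
ROOTFUL_MAP="$(printf '0 0 4294967295')"              # identity mapping: container root is host root
ESCAPED_MAP="$(printf '0 1000 1\n1 99000 70000')"     # range spills outside alice's allocation

for name in ROOTLESS_MAP ROOTFUL_MAP ESCAPED_MAP; do
    eval "current=\$$name"
    if check_uid_map "$current" "$SUBUID_ALICE" 1000; then
        echo "$name: confined"
    else
        echo "$name: NOT confined"
    fi
done
```

Running it prints "confined" only for the rootless mapping; the identity mapping fails because host uid 0 is reachable, and the third fails because part of its range lies outside the user's sub-UID allocation. On a host with Podman installed, substitute the two commands in the header comment for the constructed strings.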