Linux AF_ALG Socket Creation - Kernel Crypto API Exploit Indicator — Detection Rule

Detects creation of AF_ALG (Address Family 38) sockets via the socket() syscall. AF_ALG is the Linux kernel crypto API interface. It is exploited in CVE-2026-31431 to achieve local privilege escalation via a buffer overflow in the AF_ALG AEAD splice path that corrupts the page cache of SUID binaries. Legitimate AF_ALG usage is rare and confined to specific crypto utilities and VPN daemons using non-default kernel offload configurations.

Read the full analysis on IntelFusions