732 Bytes of Python Just Borked Every Linux Machine on Earth…

Fireship, May 4, 2026

Why It Matters

The flaw compromises the core of every modern Linux system, forcing immediate patching and highlighting AI’s growing capacity to weaponize dormant code vulnerabilities.

Key Takeaways

  • Linux kernel flaw CVE‑2026‑31431 discovered by AI scanning tool
  • 732‑byte Python script grants unprivileged users root via page cache
  • All distributions with kernels after 2017 are vulnerable and need patches
  • Exploit sold on gray market for $10k‑$7 million, now public
  • CISA added CVE to KEV list; attackers already exploiting it

Summary

The video exposes a critical Linux kernel vulnerability, CVE‑2026‑31431, uncovered by an AI‑driven scanning tool. A tiny 732‑byte Python script exploits a bug in the AF_ALG interface’s handling of ONC ESN data, allowing an unprivileged local user to write four uncontrolled bytes into a read‑only file’s page cache and ultimately gain root privileges.

The flaw affects every Linux distribution whose kernel code was updated after 2017, including Ubuntu, Red Hat, Amazon Linux and Arch. Because the exploit requires local access, it is not remotely exploitable, but once an attacker obtains a foothold—via SSH, malicious software, or a compromised account—they can elevate privileges instantly. The proof‑of‑concept was priced on the gray market between $10,000 and $7 million before being released publicly for free.

CrowdStrike has confirmed active exploitation, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) list. The discovery was prompted by an AI agent that scanned for splice‑related page‑cache anomalies, completing the search in roughly one hour.

Security teams must prioritize kernel updates across all Linux assets and reassess their threat models to account for AI‑generated exploits. The episode underscores the accelerating role of automated code analysis in weaponizing long‑standing bugs, demanding faster patch cycles and stronger isolation of privileged interfaces.

Original Description

A 100% reliable logic flaw was discovered in the Linux kernel and an AI tool wrote an exploit for it that affects every Linux machine updated since 2017. Let's look at the technical details behind the vulnerability and what to do if you're affected...
