xeeeeeeeeeeenu 2 hours ago

It seems there was some kind of confusion during the disclosure process, because the vendors aren't treating this vulnerability as serious and it remains unpatched in many distros.

https://access.redhat.com/security/cve/cve-2026-31431 "Moderate severity", "Fix deferred"

https://security-tracker.debian.org/tracker/CVE-2026-31431

https://ubuntu.com/security/CVE-2026-31431

https://www.suse.com/security/cve/CVE-2026-31431.html

MarleTangible 2 hours ago | parent | next [-]

Seems like distros consider it a medium risk because it doesn't involve remote code execution and requires local access. Though it allows local root privilege escalation, which is considered high priority.

https://ubuntu.com/security/cves/about#priority

> Medium: A significant problem, typically exploitable for many users. Includes network daemon denial of service, cross-site scripting, and gaining user privileges.

oskarkk 2 hours ago | parent | next [-]

Strange that it's not classified as "high", which specifically includes "local root privilege escalations".

> High: A significant problem, typically exploitable for nearly all users in a default installation of Ubuntu. Includes serious remote denial of service, local root privilege escalations, local data theft, and data loss.

amarant 9 minutes ago | parent [-]

It is high now; someone at Canonical is paying attention, it seems.

daveoc64 10 minutes ago | parent | prev | next [-]

Ubuntu seems to have updated the page to say that it's a high priority now.

mghackerlady 23 minutes ago | parent | prev | next [-]

It's not like this couldn't be chained with some other exploit to get remote access to get remote root access, which seems like a bit of an issue.

Tuna-Fish 2 hours ago | parent | prev [-]

Yeah, by Ubuntu's own guidelines linked on that page, this should be priority: high, but instead it's marked as medium.