Russian IT infrastructure provider Selectel has fixed a critical Linux kernel vulnerability CVE-2026-31431 in its server operating system SelectOS 1.3. The exploit allowed a local user to escalate privileges to root level by exploiting a bug in the cryptographic API (AF_ALG) subsystem.
According to the developers, the SelectOS team has closed the vulnerability in paid and free repositories, eliminating risks for users. The fix was localized within the system, which saved customers from having to take additional protective actions. Selectel explained:
The vulnerability originated in Linux back in 2017 as a result of changes aimed at optimizing code operation, and affected a wide range of Linux distributions using the corresponding kernel subsystem. At that time, redundant synchronization was removed, which subsequently led to a race condition and potential use-after-free.
Recall that SelectOS is a Debian-based server OS with pre-configured and optimized server software, including web servers, load balancers, databases, and backup systems. The local repository ensures the update of critical components. The system is officially registered in the Russian Ministry of Digital Development's registry as a domestic development.