Summary of "732 bytes of Python just borked every Linux machine on earth…"
Summary of the Subtitles
- The video claims a highly serious local privilege escalation vulnerability was found in the Linux kernel, labeled CVE-2026-31431.
- The presenter describes it as a flaw that has existed since 2017 (with references to related commits from 2015 and 2017).
- It is stated to affect essentially all Linux distributions, as long as they include the relevant post-2017 kernel code.
- The presenter emphasizes urgency: Linux servers and desktop Linux systems should patch “right now / like yesterday.”
- The video asserts that attackers are already using the exploit in the wild, citing:
  - CrowdStrike confirmation (as stated in the video) that exploitation is underway.
  - CISA listing it on the “Known Exploited Vulnerabilities” (KEV) list.
Technical Explanation (How the Exploit Works)
- The exploit is described as being delivered/represented by a small Python script (with the “732 bytes” claim in the title).
- Core capability (as described):
  - An unprivileged local user can write a small amount of data (four uncontrolled bytes) into the page cache of a readable (supposedly read-only) file.
  - The corruption can then be used to gain root access.
Mechanism Discussed
- The exploit depends on a Linux kernel crypto feature the presenter calls ONC ESN (authenticated encryption with extended sequence numbers), exposed to user space via the AF_ALG socket interface.
- A flaw in the AF_ALG “splice” behavior is claimed to let an internal crypto output buffer incorrectly reference page-cache memory, enabling modification of data in a read-only, kernel-referenced file.
- The example given suggests it can target a file such as SU (sudo-related) on many systems, which then enables execution with root privileges.
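A defender-side audit of the exposure described above, added here as an example and not code from the video or from theori. It assumes (the video does not say so) that the transcript's “ONC ESN” refers to the kernel's authencesn() AEAD template and that AF_ALG's AEAD sockets are provided by the algif_aead module; patching the kernel remains the fix, and this only reports whether that path is reachable and whether module loading has been denied in modprobe.d.

```python
"""Added defender-side audit, not the video's or theori's code. Assumes (not
stated in the video) that "ONC ESN" means the kernel's authencesn() AEAD
template and that AF_ALG's AEAD sockets come from the algif_aead module.
Patching is the fix; this only reports exposure and modprobe.d denial."""

def parse_proc_crypto(text):
    """Parse /proc/crypto-format text into one dict per registered algorithm."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        entries.append(cur)
    return entries

def instantiated_esn_aeads(crypto_text):
    """authencesn(...) AEADs already instantiated. Templates only show up in
    /proc/crypto once requested, so an empty list does not prove absence."""
    return sorted(e["name"] for e in parse_proc_crypto(crypto_text)
                  if e.get("type") == "aead" and e.get("name", "").startswith("authencesn("))

def module_load_denied(modprobe_texts, module="algif_aead"):
    """True if a modprobe.d fragment maps 'install <module>' to /bin/false or
    /bin/true. 'blacklist' lines are ignored: they only stop alias autoload,
    not the kernel's own request_module() on an AF_ALG bind."""
    for text in modprobe_texts:
        for raw in text.splitlines():
            parts = raw.split("#", 1)[0].split()
            if parts[:2] == ["install", module] and parts[2:3] in (["/bin/false"], ["/bin/true"]):
                return True
    return False

def assess(crypto_text, modules_text, modprobe_texts):
    """Summarise one host's AF_ALG AEAD exposure from proc and modprobe.d text."""
    loaded = {l.split()[0] for l in modules_text.splitlines() if l.strip()}
    return {"esn_aeads": instantiated_esn_aeads(crypto_text),
            "algif_aead_loaded": "algif_aead" in loaded,  # built-in algif_aead never shows here
            "algif_aead_load_denied": module_load_denied(modprobe_texts)}

# Constructed sample input in /proc/crypto, /proc/modules and modprobe.d format.
SAMPLE_CRYPTO = ("name         : authencesn(hmac(sha256),cbc(aes))\ndriver       : authencesn(hmac-sha256-generic,cbc-aes-aesni)\n"
                 "module       : authencesn\ntype         : aead\n\nname         : cbc(aes)\ndriver       : cbc-aes-aesni\nmodule       : kernel\ntype         : skcipher\n")
SAMPLE_MODULES = "algif_aead 16384 0 - Live 0x0000000000000000\nauthencesn 20480 1 algif_aead, Live 0x0000000000000000\n"
SAMPLE_MODPROBE = ["# local hardening\ninstall algif_aead /bin/false\n"]
REPORT = assess(SAMPLE_CRYPTO, SAMPLE_MODULES, SAMPLE_MODPROBE)
```

On a live host, pass the contents of /proc/crypto, /proc/modules and each file under /etc/modprobe.d to assess() instead of the constructed samples.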
Scope / Exploitability Limits
- The video stresses the vulnerability is not remotely exploitable.
- An attacker would first need local user access (e.g., via SSH compromise or another foothold).
- Even so, the presenter notes this can still be dangerous:
  - Systems may be vulnerable if attackers can get any user account, even if a typical desktop user is “probably safe” without an initial breach.
  - The video still advises patching.
Discovery Method (AI Scanning)
- A major theme is how the vulnerability was allegedly discovered:
  - An AI agent scanned for relevant conditions and produced a working exploit quickly (claimed as ~1 hour of scan time).
- The video says the researcher/company (theori in the subtitles) released a free public proof of concept and provided a dedicated “fancy website,” which the presenter uses to highlight the credibility of the disclosure.
- The presenter argues this illustrates the risks and speed of AI-assisted vulnerability research and exploitation, and calls for better AI code quality tooling.
Promotional Segment (Code Rabbit)
- The video is sponsored by Code Rabbit, described as an AI coding agent for Slack that:
  - Connects tools like GitHub and Sentry
  - Pulls relevant context from traces
  - Can open pull requests with fixes and notify when complete
  - Builds a knowledge base for future improvements
  - Offers a free trial and extra $50 credits
Presenters / Contributors (Referenced)
- Code Report (video brand; presenter not explicitly named in the subtitles)
- CrowdStrike
- CISA
- Linux kernel team
- theori (company behind the AI discovery/PoC)
- Code Rabbit (sponsor; product team not explicitly named)
Category
News and Commentary