CVE-2026-31431 chains AF_ALG, splice(), and authencesn's ESN scratch write into a deterministic 4-byte page cache write that gives an unprivileged local user root. Full technical breakdown, exploit mechanics, detection, mitigation, and patch status per distro.