Bottlerocket: bottlerocket-kernel-6.1, kernel-6.1: security update to 6.1.166bottlerocket-kernel-6.12, kernel-6.12: security update to 6.12.79bottlerocket-kernel-6.18, kernel-6.18: security update to 6.18.20

high Tenable Self-Hosted Container Security Plugin ID 441293

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to
operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated
data. There is no benefit in operating in-place in algif_aead since the source and destination come from
different mappings. Get rid of all the complexity added for in-place operation and just copy the AD
directly. (CVE-2026-31431)

Solution

Update the bottlerocket-kernel-6.1 library and its related packages to version 6.1.166 or later.

Plugin Details

Severity: High

ID: 441293

Version: Revision 1.5

Type: Local

Published: 5/7/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Critical

Score: 9.5

Percentile: 99.86

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-31431

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/22/2026

CISA Known Exploited Vulnerability Due Dates: 5/15/2026

Exploitable With

Core Impact

Metasploit (Copy Fail AF_ALG + authencesn Page-Cache Write)

Reference Information

CVE: CVE-2026-31431