
Copy Fail (CVE-2026-31431) is a Linux kernel local privilege escalation (LPE) vulnerability affecting the algif_aead implementation within the AF_ALG crypto subsystem. The flaw enables a low-privileged local user to corrupt page cache memory and obtain root privileges without modifying files on disk. Public reporting indicates exploitation works reliably across multiple mainstream Linux distributions released since 2017.

The vulnerability is especially relevant in:

  • Multi-tenant Linux systems
  • CI/CD runners
  • Shared Kubernetes nodes
  • Container hosting platforms
  • Cloud VM fleets

The issue is notable because exploitation is:

  • Deterministic
  • Cross-distro
  • Memory-resident
  • Difficult for file-integrity tooling to detect

Affected Systems

Public advisories currently indicate exposure across:

  • Ubuntu
  • RHEL / Rocky / Alma
  • Amazon Linux
  • SUSE
  • Debian derivatives
  • Kubernetes worker nodes using vulnerable kernels

Kernel ranges publicly discussed include vulnerable branches from approximately Linux 4.14 onward, up to the patched releases.


Technical Summary

The exploit chain abuses:

  • AF_ALG
  • algif_aead
  • splice()
  • Page cache manipulation

Attackers gain a controlled write primitive against cached file pages. By directing that write at the cached pages of SUID binaries, they can escalate to root entirely in memory. Traditional integrity tooling may miss the activity because the file contents on disk remain unchanged.

MITRE ATT&CK mapping:

  Technique   Description
  T1068       Exploitation for Privilege Escalation
  T1611       Escape to Host
  T1610       Deploy Container
  T1548       Abuse Elevation Control Mechanism

Building a Safe Lab

Use isolated VMs only.

Example

  Component     Version
  Hypervisor    VMware / VirtualBox / KVM
  Guest OS      Ubuntu 24.04
  Kernel        Vulnerable pre-patch kernel
  Snapshotting  Enabled
  Network       Host-only

Avoid exposing the VM externally.


Validation Workflow

1. Confirm Kernel Exposure

uname -r

Cross-reference against vendor advisories.

Useful sources:

  • Microsoft
  • Sysdig
  • Distribution security trackers



2. Verify AF_ALG Availability

grep CONFIG_CRYPTO_USER_API /boot/config-$(uname -r)

or:

lsmod | grep algif

3. Observe Runtime Behavior

Monitor:

auditctl -a always,exit -F arch=b64 -S splice
auditctl -a always,exit -F arch=b64 -S socket

Focus on:

  • AF_ALG
  • abnormal splice() usage
  • short-lived privilege transitions
  • container-to-host escalation behavior

Threat Hunting Opportunities

High Signal Telemetry

Suspicious Syscalls

Watch for:

  • socket(AF_ALG, ...)
  • splice()
  • execution of SUID binaries immediately afterward

eBPF Tracing

Useful probes:

  • sys_enter_splice
  • security_bprm_check
  • do_execveat_common

Auditd Example

auditctl -a always,exit -F arch=b64 -S splice -k copyfail
auditctl -a always,exit -F arch=b64 -S socket -F a0=38 -k afalg

(38 is the numeric value of AF_ALG, the first argument to socket(); auditctl takes the value in decimal, while the resulting audit records show it in hex as a0=26.)
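The two auditctl rules above tag AF_ALG socket creation and splice() calls with the keys afalg and copyfail; the following added example (not from the original post) correlates those records, per audit session, with a subsequent execution that runs with euid=0 from an unprivileged login uid, which is the "SUID execution immediately afterward" pattern listed under Suspicious Syscalls. The log lines are constructed in auditd's raw SYSCALL format, and the 30-second correlation window is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (raw format). Syscall args are logged in
# hex, so AF_ALG (38) appears as a0=26; the key= values come from the
# auditctl rules above. Session 7 shows the full chain, session 9 does not.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1710000001.100:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=4242 ppid=4100 auid=1000 uid=1000 euid=1000 ses=7 comm="worker" exe="/tmp/worker" key="afalg"
type=SYSCALL msg=audit(1710000001.250:502): arch=c000003e syscall=275 success=yes exit=4096 a0=5 a1=0 a2=3 a3=0 pid=4242 ppid=4100 auid=1000 uid=1000 euid=1000 ses=7 comm="worker" exe="/tmp/worker" key="copyfail"
type=SYSCALL msg=audit(1710000002.000:503): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 pid=4243 ppid=4242 auid=1000 uid=1000 euid=0 ses=7 comm="su" exe="/usr/bin/su" key=(null)
type=SYSCALL msg=audit(1710000050.000:601): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=900 ppid=1 auid=1001 uid=1001 euid=1001 ses=9 comm="openssl" exe="/usr/bin/openssl" key="afalg"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r'msg=audit\((\d+\.\d+):\d+\)')

def parse_record(line):
    """Turn one raw SYSCALL line into a dict of fields plus a float timestamp."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = TS_RE.search(line)
    rec["ts"] = float(m.group(1)) if m else 0.0
    return rec

def find_escalation_chains(log_text, window=30.0):
    """Return one hit per audit session that, within `window` seconds of the
    AF_ALG socket, also called splice() and then ran something with euid=0
    while the login uid (auid) was neither root nor unset (4294967295)."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("type=SYSCALL"):
            rec = parse_record(line)
            by_session[rec.get("ses")].append(rec)
    hits = []
    for ses, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        t_afalg = t_splice = None
        for r in recs:
            if r.get("key") == "afalg":
                t_afalg = r["ts"]                      # stage 1: AF_ALG socket
            elif r.get("key") == "copyfail" and t_afalg is not None:
                t_splice = r["ts"]                     # stage 2: splice() after it
            elif (t_splice is not None and r.get("euid") == "0"
                  and r.get("auid") not in ("0", "4294967295")
                  and r["ts"] - t_afalg <= window):    # stage 3: euid 0 from non-root auid
                hits.append({"ses": ses, "auid": r.get("auid"),
                             "pid": r.get("pid"), "exe": r.get("exe")})
                t_afalg = t_splice = None              # reset so one chain yields one hit
    return hits

if __name__ == "__main__":
    for hit in find_escalation_chains(SAMPLE_LOG):
        print("possible Copy Fail chain:", hit)
```

On a real host, feed it the output of `ausearch -r -k afalg -k copyfail` merged with execve records; keying on `ses` rather than `pid` is what lets the child process's privileged exec be tied back to the parent's AF_ALG and splice calls.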


Container Detection Notes

Copy Fail is operationally important because containers share the host kernel.

Indicators:

  • unprivileged containers invoking AF_ALG
  • unexpected SUID execution inside containers
  • host-level root processes spawned from container namespaces
  • short-lived pod execution followed by node compromise

Environments at elevated risk:

  • GitHub runners
  • CI/CD workers
  • ephemeral build agents
  • ML sandbox infrastructure



Threat Intel Collection

IOC Categories

Host Telemetry

  • abnormal splice() syscall spikes
  • AF_ALG socket creation from non-crypto workloads
  • execution chains involving:
    • su
    • sudo
    • pkexec

Kubernetes

  • pod escape patterns
  • node drift immediately after unprivileged pod execution
  • privilege escalation from non-root containers

Memory Indicators

Because exploitation is memory-resident:

  • disk IOC coverage is weak
  • memory forensics and syscall telemetry become primary evidence sources

Sigma Hunting Concept

title: Suspicious AF_ALG Usage
status: experimental
logsource:
  product: linux
detection:
  selection:
    syscall:
      - socket
      - splice
  condition: selection
level: high

Mitigation

Immediate

  • Patch kernels
  • Reboot hosts
  • Restrict untrusted shell access
  • Reduce container breakout exposure

Temporary

Disable vulnerable crypto modules if operationally feasible:

modprobe -r algif_aead

Validate dependencies first: modprobe -r refuses to unload a module that is still in use, and any workload relying on the kernel's userspace crypto API will lose it.


Defensive Priorities

  1. Patch internet-facing Linux workloads
  2. Patch shared Kubernetes worker nodes
  3. Patch CI/CD runners
  4. Hunt for suspicious AF_ALG activity
  5. Monitor privilege escalation chains

Final Notes

Copy Fail stands out because it combines:

  • reliability
  • low exploit complexity
  • stealth
  • broad Linux coverage
  • strong container escape implications

This is not just another local privilege escalation bug — it materially changes post-exploitation assumptions in Linux-heavy cloud environments.


References

  • Microsoft Security Research
  • Sysdig Threat Research
  • Vendor kernel advisories
  • Public exploit analyses
