{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/actors/theori/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Theori"],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-31431"}],"_cs_exploited":false,"_cs_products":["Linux kernel","Ubuntu 24.04 LTS","Amazon Linux 2023","RHEL 10.1","SUSE 16"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","linux","vulnerability"],"_cs_type":"threat","_cs_vendors":["Theori","Ubuntu","Amazon","Red Hat","SUSE","Linux"],"content_html":"\u003cp\u003eA local privilege escalation vulnerability, \u0026ldquo;Copy Fail\u0026rdquo; (CVE-2026-31431), impacts Linux kernels released since 2017. Discovered by Theori\u0026rsquo;s AI-driven pentesting platform Xint Code, the vulnerability allows an unprivileged local attacker to gain root permissions. Theori reported the finding to the Linux kernel security team on March 23, 2026, and patches became available within a week. A proof-of-concept exploit was published, demonstrating a 732-byte script that can root every Linux distribution shipped since 2017. This vulnerability stems from a logic bug in the Linux kernel\u0026rsquo;s authencesn cryptographic template. Theori demonstrated successful exploits on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged local attacker gains access to a vulnerable Linux system.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the \u003ccode\u003eAF_ALG\u003c/code\u003e socket-based interface to access Linux kernel crypto functions from user space.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003esplice()\u003c/code\u003e system call to perform a controlled 4-byte write in the page cache of a readable file, instead of a normal buffer.\u003c/li\u003e\n\u003cli\u003eThe attacker targets a setuid-root binary file for modification.\u003c/li\u003e\n\u003cli\u003eThe 4-byte write alters the behavior of the setuid-root binary.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the modified setuid-root binary.\u003c/li\u003e\n\u003cli\u003eDue to the altered behavior, the binary grants the attacker elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains root privileges on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the Copy Fail vulnerability (CVE-2026-31431) allows an unprivileged local attacker to gain root privileges on a vulnerable Linux system. Theori demonstrated and confirmed the exploit on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16, highlighting the widespread impact. Multi-tenant Linux hosts, Kubernetes/container clusters, CI runners/build farms, and cloud SaaS environments running user code are at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available kernel patches for CVE-2026-31431 on affected Linux distributions, prioritizing multi-tenant environments (e.g., Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16).\u003c/li\u003e\n\u003cli\u003eAs an interim mitigation, disable the vulnerable crypto interface by blocking \u003ccode\u003eAF_ALG\u003c/code\u003e socket creation or disabling the \u003ccode\u003ealgif_aead\u003c/code\u003e module, as described in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of unusual processes after the modification of binaries in \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/var/tmp\u003c/code\u003e using the Sigma rule \u0026ldquo;Detect Suspicious Splice Usage for Privilege Escalation\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect algif_aead module removal\u0026rdquo; to detect attempts to disable the vulnerable module.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T13:54:47Z","date_published":"2026-04-30T13:54:47Z","id":"/briefs/2026-04-copy-fail/","summary":"A local privilege escalation vulnerability, dubbed 'Copy Fail' (CVE-2026-31431), affects Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions by exploiting a logic bug in the authencesn cryptographic template.","title":"Local Privilege Escalation Vulnerability 'Copy Fail' in Linux Kernel","url":"https://feed.craftedsignal.io/briefs/2026-04-copy-fail/"}],"language":"en","title":"CraftedSignal Threat Feed — Theori","version":"https://jsonfeed.org/version/1.1"}