Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket

CVE-2026-31431, dubbed Copy Fail, is a Linux kernel vulnerability that allows an attacker to write controlled bytes into the page cache of a readable file by abusing the authencesn AEAD path through AF_ALG and splice(). Public exploitation targets setuid-root binaries such as /usr/bin/su, then executes the corrupted in-memory copy to gain root. The vulnerability lies in the shared host page cache, making container-originated activity a possible node-compromise attempt. This exploit leverages the AF_ALG interface, which, while uncommon for unprivileged users, may be used in specific environments like kernel crypto testing or HSM integrations. Defenders should prioritize patching vulnerable kernels and restricting AF_ALG socket creation for untrusted workloads to mitigate this risk.

Attack Chain

1. An unprivileged user initiates multiple AF_ALG socket creation events (auditd.data.syscall == “socket” and auditd.data.a0 == “26”) or splice operations.
2. The attacker leverages the vulnerability to corrupt the page cache of a setuid-root binary, such as /usr/bin/su.
3. The attacker executes the targeted setuid-root binary (e.g., /usr/bin/su).
4. Due to the corrupted page cache, the executed binary behaves in an unexpected manner, leading to a privilege escalation.
5. The process transitions to a root UID, indicating successful privilege escalation.
6. A root shell is spawned, providing the attacker with elevated privileges.
7. The attacker performs actions requiring root privileges, such as creating persistence mechanisms or accessing sensitive credentials.
8. The attacker potentially compromises the entire host or node, especially in containerized environments.

Impact

Successful exploitation of CVE-2026-31431 leads to privilege escalation, allowing attackers to gain root access on the affected Linux system. This can result in complete system compromise, data exfiltration, and the ability to install malware or create persistent backdoors. In containerized environments, a compromised container can lead to node compromise, affecting other containers running on the same host. The vulnerability affects systems running vulnerable kernel versions, potentially impacting a wide range of servers and workstations.

Recommendation

• Deploy the Sigma rule “Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket - Socket Creation Burst” to detect initial exploitation attempts based on AF_ALG socket activity.
• Deploy the Sigma rule “Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket - Privilege Escalation” to detect privilege escalation attempts by monitoring executed processes with an effective user ID of root.
• Immediately patch the kernel with the vendor fix for CVE-2026-31431 to eliminate the underlying vulnerability.
• Until patching is possible, consider blocking algif_aead module loading or restricting AF_ALG socket creation via seccomp for untrusted workloads.
• Add audit rules for socket, splice, and bind events as described in the rule’s Setup instructions to ensure comprehensive monitoring of AF_ALG related syscalls.