{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/red-hat-enterprise-linux-rhel-10.1/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-31431"}],"_cs_exploited":false,"_cs_products":["Amazon Linux 2023","Red Hat Enterprise Linux (RHEL 10.1)","SUSE 16","Ubuntu 24.04 LTS"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","linux","kernel"],"_cs_type":"advisory","_cs_vendors":["Red Hat","SUSE","Ubuntu","AWS","Debian","Fedora"],"content_html":"\u003cp\u003eCVE-2026-31431, known as \u0026ldquo;Copy Fail,\u0026rdquo; is a high-severity local privilege escalation vulnerability affecting the Linux kernel\u0026rsquo;s cryptographic subsystem. The vulnerability resides within the algif_aead module of the AF_ALG (userspace crypto API) and results from improper memory handling during in-place operations. An unprivileged user can exploit this flaw to corrupt the cache of readable files, including setuid binaries, resulting in unauthorized root privilege escalation. This vulnerability impacts a wide range of Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux (RHEL 10.1), and SUSE 16, as well as other distributions like Debian, Fedora, and Arch Linux. The availability of a working proof-of-concept exploit has raised concerns about potential widespread exploitation, leading to its addition to the CISA KEV catalog.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker gains limited visibility into the environment (e.g., compromised CI runner, web container) and identifies the kernel version. Kernel version information is obtained without elevated privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eScript Execution:\u003c/strong\u003e The attacker executes a compact Python script that interacts with standard kernel interfaces, without relying on networking, compilation, or third-party libraries.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAF_ALG Abuse:\u003c/strong\u003e The script abuses an interaction between the AF_ALG (asynchronous crypto) socket interface, the splice() system call and improper error handling during a failed copy operation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKernel Page Cache Corruption:\u003c/strong\u003e This interaction leads to a controlled 4-byte overwrite in the kernel page cache, corrupting sensitive kernel-managed data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e By corrupting kernel structures associated with credentials or execution context, the attacker escalates their process to UID 0.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBoundary Breach:\u003c/strong\u003e The system\u0026rsquo;s privilege boundary is broken, neutralizing SELinux/AppArmor protections, and bypassing local security controls.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Container Escape:\u003c/strong\u003e The attacker can now use the root privileges gained to perform lateral movement or escape the container.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31431 leads to full root privilege escalation, resulting in high impact to confidentiality, integrity, and availability. This could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments. The vulnerability\u0026rsquo;s reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI/CD, and Kubernetes environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all instances of affected products and versions in your environment and prioritize patching (CVE-2026-31431).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for suspicious process execution under /tmp, often used in exploit PoCs, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious AF_ALG socket creation events, as indicated in the Attack Chain, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eIf patches are unavailable, consider implementing network isolation and access controls as interim mitigation measures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T03:06:08Z","date_published":"2026-05-02T03:06:08Z","id":"/briefs/2026-05-copy-fail/","summary":"The 'Copy Fail' vulnerability (CVE-2026-31431) in the Linux kernel allows a local attacker to escalate privileges to root, potentially leading to container breakout and lateral movement in cloud environments.","title":"CVE-2026-31431 'Copy Fail' Linux Kernel Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-copy-fail/"}],"language":"en","title":"CraftedSignal Threat Feed — Red Hat Enterprise Linux (RHEL 10.1)","version":"https://jsonfeed.org/version/1.1"}