{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-31431/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-31431"}],"_cs_exploited":false,"_cs_products":["Auditbeat","Auditd Manager"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","linux","vulnerability","cve-2026-31431"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eCVE-2026-31431, dubbed Copy Fail, is a Linux kernel vulnerability that allows an attacker to write controlled bytes into the page cache of a readable file by abusing the \u003ccode\u003eauthencesn\u003c/code\u003e AEAD path through AF_ALG and \u003ccode\u003esplice()\u003c/code\u003e. Public exploitation targets setuid-root binaries such as \u003ccode\u003e/usr/bin/su\u003c/code\u003e, then executes the corrupted in-memory copy to gain root. The vulnerability lies in the shared host page cache, making container-originated activity a possible node-compromise attempt. This exploit leverages the AF_ALG interface, which, while uncommon for unprivileged users, may be used in specific environments like kernel crypto testing or HSM integrations. Defenders should prioritize patching vulnerable kernels and restricting AF_ALG socket creation for untrusted workloads to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged user initiates multiple AF_ALG socket creation events (auditd.data.syscall == \u0026ldquo;socket\u0026rdquo; and auditd.data.a0 == \u0026ldquo;26\u0026rdquo;) or splice operations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the vulnerability to corrupt the page cache of a setuid-root binary, such as \u003ccode\u003e/usr/bin/su\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the targeted setuid-root binary (e.g., \u003ccode\u003e/usr/bin/su\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDue to the corrupted page cache, the executed binary behaves in an unexpected manner, leading to a privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe process transitions to a root UID, indicating successful privilege escalation.\u003c/li\u003e\n\u003cli\u003eA root shell is spawned, providing the attacker with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions requiring root privileges, such as creating persistence mechanisms or accessing sensitive credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially compromises the entire host or node, especially in containerized environments.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31431 leads to privilege escalation, allowing attackers to gain root access on the affected Linux system. This can result in complete system compromise, data exfiltration, and the ability to install malware or create persistent backdoors. In containerized environments, a compromised container can lead to node compromise, affecting other containers running on the same host. The vulnerability affects systems running vulnerable kernel versions, potentially impacting a wide range of servers and workstations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket - Socket Creation Burst\u0026rdquo; to detect initial exploitation attempts based on AF_ALG socket activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket - Privilege Escalation\u0026rdquo; to detect privilege escalation attempts by monitoring executed processes with an effective user ID of root.\u003c/li\u003e\n\u003cli\u003eImmediately patch the kernel with the vendor fix for CVE-2026-31431 to eliminate the underlying vulnerability.\u003c/li\u003e\n\u003cli\u003eUntil patching is possible, consider blocking \u003ccode\u003ealgif_aead\u003c/code\u003e module loading or restricting AF_ALG socket creation via seccomp for untrusted workloads.\u003c/li\u003e\n\u003cli\u003eAdd audit rules for \u003ccode\u003esocket\u003c/code\u003e, \u003ccode\u003esplice\u003c/code\u003e, and \u003ccode\u003ebind\u003c/code\u003e events as described in the rule\u0026rsquo;s Setup instructions to ensure comprehensive monitoring of AF_ALG related syscalls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T16:24:01Z","date_published":"2026-04-30T16:24:01Z","id":"/briefs/2024-01-cve-2026-31431-exploitation/","summary":"This rule detects potential exploitation of CVE-2026-31431, a Copy Fail vulnerability in the Linux kernel, via AF_ALG socket abuse, by correlating non-root AF_ALG-class socket or splice events with a subsequent process execution where the effective user is root but the login user remains non-root, indicating a privilege escalation attempt.","title":"Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-31431-exploitation/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-31431","version":"https://jsonfeed.org/version/1.1"}