<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Kernel — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/kernel/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 02 May 2026 03:06:08 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/kernel/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-31431 'Copy Fail' Linux Kernel Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2026-05-copy-fail/</link><pubDate>Sat, 02 May 2026 03:06:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-copy-fail/</guid><description>The 'Copy Fail' vulnerability (CVE-2026-31431) in the Linux kernel allows a local attacker to escalate privileges to root, potentially leading to container breakout and lateral movement in cloud environments.</description><content:encoded><![CDATA[<p>CVE-2026-31431, known as &ldquo;Copy Fail,&rdquo; is a high-severity local privilege escalation vulnerability affecting the Linux kernel&rsquo;s cryptographic subsystem. The vulnerability resides within the algif_aead module of the AF_ALG (userspace crypto API) and results from improper memory handling during in-place operations. An unprivileged user can exploit this flaw to corrupt the cache of readable files, including setuid binaries, resulting in unauthorized root privilege escalation. 
This vulnerability impacts a wide range of Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux (RHEL 10.1), and SUSE 16, as well as other distributions like Debian, Fedora, and Arch Linux. The availability of a working proof-of-concept exploit has raised concerns about potential widespread exploitation, leading to its addition to the CISA KEV catalog.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance:</strong> The attacker gains limited visibility into the environment (e.g., compromised CI runner, web container) and identifies the kernel version. Kernel version information is obtained without elevated privileges.</li>
<li><strong>Script Execution:</strong> The attacker executes a compact Python script that interacts with standard kernel interfaces, without relying on networking, compilation, or third-party libraries.</li>
<li><strong>AF_ALG Abuse:</strong> The script abuses an interaction between the AF_ALG (userspace crypto API) socket interface, the splice() system call, and improper error handling during a failed copy operation.</li>
<li><strong>Kernel Page Cache Corruption:</strong> This interaction leads to a controlled 4-byte overwrite in the kernel page cache, corrupting sensitive kernel-managed data.</li>
<li><strong>Privilege Escalation:</strong> By corrupting kernel structures associated with credentials or execution context, the attacker escalates their process to UID 0.</li>
<li><strong>Boundary Breach:</strong> The system&rsquo;s privilege boundary is broken, neutralizing SELinux/AppArmor protections, and bypassing local security controls.</li>
<li><strong>Lateral Movement/Container Escape:</strong> The attacker can now use the root privileges gained to perform lateral movement or escape the container.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-31431 leads to full root privilege escalation, resulting in high impact to confidentiality, integrity, and availability. This could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments. The vulnerability&rsquo;s reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI/CD, and Kubernetes environments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Identify all instances of affected products and versions in your environment and prioritize patching (CVE-2026-31431).</li>
<li>Deploy the Sigma rule for suspicious process execution under /tmp, often used in exploit PoCs, and tune for your environment.</li>
<li>Monitor for suspicious AF_ALG socket creation events, as indicated in the Attack Chain, using the provided Sigma rule.</li>
<li>If patches are unavailable, consider implementing network isolation and access controls as interim mitigation measures.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>privilege-escalation</category><category>linux</category><category>kernel</category></item><item><title>Multiple Vulnerabilities in Red Hat Linux Kernel</title><link>https://feed.craftedsignal.io/briefs/2026-04-redhat-kernel-vulns/</link><pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-redhat-kernel-vulns/</guid><description>Multiple vulnerabilities in the Red Hat Linux kernel allow for arbitrary code execution, privilege escalation, and remote denial of service.</description><content:encoded><![CDATA[<p>On April 30, 2026, CERT-FR published an advisory regarding multiple vulnerabilities in the Red Hat Linux kernel. These vulnerabilities, detailed in Red Hat Security Advisories RHSA-2026:10756, RHSA-2026:10996, and RHSA-2026:11313, can lead to significant security risks including arbitrary code execution, privilege escalation, and remote denial of service. The affected systems include various versions and architectures of Red Hat CodeReady Linux Builder and Red Hat Enterprise Linux. Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized access, control systems, or disrupt services, impacting the confidentiality, integrity, and availability of affected systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise (via unconfirmed vector):</strong> An attacker identifies a vulnerable Red Hat Linux system running an affected kernel version. While the exact exploit vector isn&rsquo;t specified in the advisory, it involves a vulnerability in the kernel.</li>
<li><strong>Exploit Trigger:</strong> The attacker triggers a specific kernel vulnerability, such as those identified as CVE-2026-23001 or CVE-2026-31402, by sending a crafted input to a vulnerable kernel component. The specific method depends on the nature of each CVE.</li>
<li><strong>Code Execution:</strong> Upon successful exploitation, the attacker achieves arbitrary code execution within the kernel context. This allows the attacker to run malicious code directly on the system.</li>
<li><strong>Privilege Escalation:</strong> Leveraging the code execution capability, the attacker exploits another vulnerability (e.g., CVE-2025-68741) to escalate privileges to root or SYSTEM. This may involve exploiting race conditions, memory corruption bugs, or other privilege escalation flaws within the kernel.</li>
<li><strong>System Control:</strong> With elevated privileges, the attacker gains full control over the compromised system. They can now access sensitive data, modify system configurations, install backdoors, or move laterally to other systems within the network.</li>
<li><strong>Lateral Movement (Optional):</strong> The attacker uses the compromised system as a launching point to attack other systems on the network, potentially exploiting other vulnerabilities or using stolen credentials.</li>
<li><strong>Persistence (Optional):</strong> The attacker establishes persistence on the compromised system to maintain access even after reboots. This may involve installing rootkits, modifying system startup scripts, or creating rogue user accounts.</li>
<li><strong>Denial of Service/Data Exfiltration/etc.:</strong> Depending on their objectives, the attacker may use the compromised system to launch denial-of-service attacks against other targets, exfiltrate sensitive data, or cause other damage.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these kernel vulnerabilities can lead to complete system compromise, allowing attackers to execute arbitrary code, escalate privileges, and cause denial of service. The wide range of affected Red Hat Enterprise Linux and CodeReady Linux Builder versions implies a potentially large number of vulnerable systems. This can result in significant data breaches, system downtime, financial losses, and reputational damage for affected organizations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patches provided in Red Hat Security Advisories RHSA-2026:10756, RHSA-2026:10996, and RHSA-2026:11313 to remediate the vulnerabilities.</li>
<li>Prioritize patching systems based on their criticality and exposure to external networks.</li>
<li>Monitor systems for suspicious activity that may indicate exploitation attempts, focusing on unexpected kernel module loads or privilege escalations using process_creation logging.</li>
<li>Deploy the Sigma rule detecting suspicious kernel module loading to identify potential rootkit installation attempts.</li>
<li>Investigate any alerts generated by the deployed Sigma rules to determine the scope and impact of potential compromises.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>vulnerability</category><category>kernel</category><category>redhat</category><category>execution</category><category>privilege-escalation</category><category>denial-of-service</category></item><item><title>CVE-2026-26179 Windows Kernel Double Free Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2026-04-cve-2026-26179-privesc/</link><pubDate>Wed, 15 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cve-2026-26179-privesc/</guid><description>CVE-2026-26179 is a double free vulnerability in the Windows Kernel, allowing a locally authenticated attacker to elevate privileges on the system.</description><content:encoded><![CDATA[<p>CVE-2026-26179 is a critical security vulnerability residing within the Windows Kernel. This double-free vulnerability allows an attacker with local access to elevate their privileges. Successful exploitation grants the attacker higher-level permissions on the compromised system. The vulnerability was reported to Microsoft and assigned a CVSS v3.1 score of 7.8, indicating a high severity. The vulnerability lies within the core operating system components, making it a significant threat to Windows-based environments. Exploitation of this vulnerability requires an attacker to have valid local credentials on the target system. The vulnerability was published on 2026-04-14.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial local access to a Windows system through legitimate credentials or by exploiting another vulnerability.</li>
<li>The attacker crafts a malicious program designed to trigger the double-free condition in the Windows Kernel.</li>
<li>The malicious program interacts with a vulnerable kernel function, likely through a specific system call (Nt*).</li>
<li>The vulnerable kernel function attempts to free the same memory region twice due to a logical error.</li>
<li>The double-free corrupts the kernel&rsquo;s memory management structures, such as the heap metadata.</li>
<li>The memory corruption allows the attacker to overwrite critical kernel data structures, such as process tokens or privilege attributes.</li>
<li>The attacker modifies the process token of their own process, elevating their privileges to SYSTEM or another highly privileged account.</li>
<li>The attacker now executes privileged commands and gains full control over the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-26179 allows a local attacker to elevate privileges to SYSTEM, the highest level of privilege on a Windows system. This grants the attacker complete control over the compromised machine, allowing them to install software, modify data, create new accounts, and access sensitive information. A successful privilege escalation can lead to a complete compromise of the confidentiality, integrity, and availability of the system. This vulnerability affects all Windows systems where the patch has not been applied.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update provided by Microsoft to patch CVE-2026-26179 as soon as possible.</li>
<li>Monitor systems for unusual process creation events originating from user accounts, as this could be an indicator of exploit activity. Deploy the provided Sigma rule <code>Detect Suspicious Process Token Modifications</code> to identify potential privilege escalation attempts.</li>
<li>Enable process auditing and monitor for unusual system calls using tools like Sysmon to catch the initial exploitation attempts.</li>
<li>Regularly review and enforce the principle of least privilege to limit the impact of successful local exploits.</li>
<li>Deploy the Sigma rule <code>Detect Double Free Vulnerability Exploitation</code> to identify exploitation of double free vulnerabilities by monitoring process creation and memory allocation patterns.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>windows</category><category>kernel</category><category>double-free</category></item><item><title>Out-of-Cancel Vulnerability Class in Linux Workqueue Cancellation APIs</title><link>https://feed.craftedsignal.io/briefs/2026-03-out-of-cancel/</link><pubDate>Wed, 25 Mar 2026 07:30:12 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-out-of-cancel/</guid><description>The 'Out-of-Cancel' vulnerability class stems from flaws in Linux workqueue cancellation APIs, potentially leading to exploitable conditions within the kernel.</description><content:encoded><![CDATA[<p>The &lsquo;Out-of-Cancel&rsquo; vulnerability class, discovered and detailed in March 2026, highlights a category of security flaws residing within the workqueue cancellation APIs in the Linux kernel. This vulnerability arises when work items are improperly handled during cancellation, potentially leading to use-after-free conditions, race conditions, and other memory corruption issues. The initial report and analysis were published on March 23, 2026. While specific exploits are not detailed in the source material, the nature of kernel vulnerabilities makes them critical for defenders to address. The impact can range from denial of service to privilege escalation and potentially arbitrary code execution within the kernel context. This vulnerability class affects a broad range of Linux systems, making it a widespread concern.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user-space program triggers a specific kernel function that queues a work item to a workqueue.</li>
<li>The work item is scheduled for execution, but before it begins, the user-space program requests cancellation of the work item via a workqueue cancellation API.</li>
<li>Due to a race condition or improper synchronization, the work item is canceled but not fully removed from the workqueue&rsquo;s internal data structures.</li>
<li>The kernel attempts to access the work item after it has been freed, resulting in a use-after-free vulnerability.</li>
<li>An attacker manipulates memory layout to place controlled data at the memory location of the freed work item.</li>
<li>The kernel code now operates on the attacker-controlled data, leading to memory corruption or information leakage.</li>
<li>The attacker leverages the memory corruption to overwrite critical kernel data structures, such as function pointers or security credentials.</li>
<li>Successful exploitation leads to privilege escalation, allowing the attacker to execute arbitrary code with kernel-level privileges.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The &lsquo;Out-of-Cancel&rsquo; vulnerability class can lead to severe consequences, including kernel crashes (denial of service), privilege escalation, and potentially arbitrary code execution within the kernel. A successful exploit could allow an attacker to gain complete control over the affected system. Due to the ubiquitous nature of the Linux kernel, a wide range of systems are potentially vulnerable, impacting servers, desktops, embedded systems, and mobile devices. While the exact number of vulnerable systems is unknown, the widespread use of affected kernel versions implies a significant potential impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor kernel logs for errors related to workqueue cancellations to detect potential exploitation attempts. Enable auditd to log kernel function calls related to workqueue management (audit.rules).</li>
<li>Deploy the Sigma rule <code>Detect Potential Use-After-Free in Workqueue Cancellation</code> to identify suspicious kernel events related to workqueue operations.</li>
<li>Investigate any reported kernel panics or crashes, focusing on stack traces that involve workqueue-related functions.</li>
<li>Stay informed about kernel patches and security advisories related to workqueue vulnerabilities and apply them promptly.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>linux</category><category>kernel</category><category>vulnerability</category><category>workqueue</category></item></channel></rss>