{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/fedora/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-31431"}],"_cs_exploited":false,"_cs_products":["Amazon Linux 2023","Red Hat Enterprise Linux (RHEL 10.1)","SUSE 16","Ubuntu 24.04 LTS"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","linux","kernel"],"_cs_type":"advisory","_cs_vendors":["Red Hat","SUSE","Ubuntu","AWS","Debian","Fedora"],"content_html":"\u003cp\u003eCVE-2026-31431, known as \u0026ldquo;Copy Fail,\u0026rdquo; is a high-severity local privilege escalation vulnerability affecting the Linux kernel\u0026rsquo;s cryptographic subsystem. The vulnerability resides within the algif_aead module of the AF_ALG (userspace crypto API) and results from improper memory handling during in-place operations. An unprivileged user can exploit this flaw to corrupt the cache of readable files, including setuid binaries, resulting in unauthorized root privilege escalation. This vulnerability impacts a wide range of Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux (RHEL 10.1), and SUSE 16, as well as other distributions like Debian, Fedora, and Arch Linux. The availability of a working proof-of-concept exploit has raised concerns about potential widespread exploitation, leading to its addition to the CISA KEV catalog.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker gains limited visibility into the environment (e.g., compromised CI runner, web container) and identifies the kernel version. Kernel version information is obtained without elevated privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eScript Execution:\u003c/strong\u003e The attacker executes a compact Python script that interacts with standard kernel interfaces, without relying on networking, compilation, or third-party libraries.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAF_ALG Abuse:\u003c/strong\u003e The script abuses an interaction between the AF_ALG (asynchronous crypto) socket interface, the splice() system call and improper error handling during a failed copy operation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKernel Page Cache Corruption:\u003c/strong\u003e This interaction leads to a controlled 4-byte overwrite in the kernel page cache, corrupting sensitive kernel-managed data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e By corrupting kernel structures associated with credentials or execution context, the attacker escalates their process to UID 0.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBoundary Breach:\u003c/strong\u003e The system\u0026rsquo;s privilege boundary is broken, neutralizing SELinux/AppArmor protections, and bypassing local security controls.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Container Escape:\u003c/strong\u003e The attacker can now use the root privileges gained to perform lateral movement or escape the container.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31431 leads to full root privilege escalation, resulting in high impact to confidentiality, integrity, and availability. This could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments. The vulnerability\u0026rsquo;s reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI/CD, and Kubernetes environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all instances of affected products and versions in your environment and prioritize patching (CVE-2026-31431).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for suspicious process execution under /tmp, often used in exploit PoCs, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious AF_ALG socket creation events, as indicated in the Attack Chain, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eIf patches are unavailable, consider implementing network isolation and access controls as interim mitigation measures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T03:06:08Z","date_published":"2026-05-02T03:06:08Z","id":"/briefs/2026-05-copy-fail/","summary":"The 'Copy Fail' vulnerability (CVE-2026-31431) in the Linux kernel allows a local attacker to escalate privileges to root, potentially leading to container breakout and lateral movement in cloud environments.","title":"CVE-2026-31431 'Copy Fail' Linux Kernel Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-copy-fail/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pyp2spec (\u003c 0.14.1)"],"_cs_severities":["high"],"_cs_tags":["code-injection","supply-chain","rpm","linux"],"_cs_type":"advisory","_cs_vendors":["pip","Fedora"],"content_html":"\u003cp\u003epyp2spec, a tool for generating RPM spec files from PyPI packages, contains a code injection vulnerability affecting versions prior to 0.14.1. The vulnerability stems from the tool\u0026rsquo;s failure to properly escape RPM macro directives when writing PyPI package metadata (such as the summary field) into the generated spec file. This allows a malicious PyPI package to inject arbitrary commands into the spec file, which are then executed when an RPM tool processes the file. This poses a significant risk to package maintainers and build systems, particularly within the Fedora ecosystem where compromised credentials can lead to widespread supply chain attacks. The realistic attack vector involves typosquatting or targeting packages known to be under review.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious PyPI package containing specially formatted metadata, including an RPM macro directive (e.g., within the package summary).\u003c/li\u003e\n\u003cli\u003eA Fedora packager, intending to package a legitimate Python package, uses \u003ccode\u003epyp2spec\u003c/code\u003e to generate an RPM spec file from the malicious PyPI package.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epyp2spec\u003c/code\u003e writes the attacker-controlled metadata, including the unescaped RPM macro directive, into the generated spec file.\u003c/li\u003e\n\u003cli\u003eThe packager, or an automated system, uses an RPM tool like \u003ccode\u003erpmbuild -bs\u003c/code\u003e, \u003ccode\u003erpmbuild --nobuild\u003c/code\u003e, or \u003ccode\u003erpm -q --specfile\u003c/code\u003e to inspect or build the package from the spec file.\u003c/li\u003e\n\u003cli\u003eThe RPM tool parses the spec file and, upon encountering the RPM macro directive, executes the embedded command.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s command executes on the build machine, potentially granting the attacker access to the packager\u0026rsquo;s credentials (dist-git SSH keys, Koji build credentials, Bodhi update credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to commit malicious source code to the distribution\u0026rsquo;s Git repository (dist-git).\u003c/li\u003e\n\u003cli\u003eThe malicious code is built and distributed to end users through the normal package update pipeline, resulting in a supply chain attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on the build machine. This can lead to the compromise of sensitive credentials, such as SSH keys and build system credentials. In the Fedora ecosystem, this could enable an attacker to inject malicious code into packages that are distributed to end users, potentially affecting millions of systems. The vulnerability poses a high risk to package maintainers and build systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003epyp2spec\u003c/code\u003e version 0.14.1 or later to remediate the code injection vulnerability as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-r35x-v8p8-xvhw)\"\u003ehttps://github.com/advisories/GHSA-r35x-v8p8-xvhw)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on RPM spec files, alerting on unexpected modifications, to detect potentially malicious injected code. Use file_event logs with a rule like the one below.\u003c/li\u003e\n\u003cli\u003eMonitor process executions originating from RPM tools (\u003ccode\u003erpmbuild\u003c/code\u003e, \u003ccode\u003erpm\u003c/code\u003e), focusing on unusual or unexpected commands that could indicate exploitation, using process_creation logs and the Sigma rule provided.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-pyp2spec-code-injection/","summary":"pyp2spec before 0.14.1 is vulnerable to code injection by writing PyPI package metadata into generated spec files without escaping RPM macro directives, allowing malicious packages to execute arbitrary commands on the build machine.","title":"pyp2spec Code Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-pyp2spec-code-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Fedora","version":"https://jsonfeed.org/version/1.1"}