https://feed.craftedsignal.io/vendors/suse/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 02 May 2026 03:06:08 +0000https://feed.craftedsignal.io/briefs/2026-05-copy-fail/Sat, 02 May 2026 03:06:08 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-copy-fail/The 'Copy Fail' vulnerability (CVE-2026-31431) in the Linux kernel allows a local attacker to escalate privileges to root, potentially leading to container breakout and lateral movement in cloud environments.CVE-2026-31431, known as “Copy Fail,” is a high-severity local privilege escalation vulnerability affecting the Linux kernel’s cryptographic subsystem. The vulnerability resides within the algif_aead module of the AF_ALG (userspace crypto API) and results from improper memory handling during in-place operations. An unprivileged user can exploit this flaw to corrupt the cache of readable files, including setuid binaries, resulting in unauthorized root privilege escalation. This vulnerability impacts a wide range of Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux (RHEL 10.1), and SUSE 16, as well as other distributions like Debian, Fedora, and Arch Linux. The availability of a working proof-of-concept exploit has raised concerns about potential widespread exploitation, leading to its addition to the CISA KEV catalog.

Attack Chain

1. Reconnaissance: The attacker gains limited visibility into the environment (e.g., compromised CI runner, web container) and identifies the kernel version. Kernel version information is obtained without elevated privileges.
2. Script Execution: The attacker executes a compact Python script that interacts with standard kernel interfaces, without relying on networking, compilation, or third-party libraries.
3. AF_ALG Abuse: The script abuses an interaction between the AF_ALG (asynchronous crypto) socket interface, the splice() system call and improper error handling during a failed copy operation.
4. Kernel Page Cache Corruption: This interaction leads to a controlled 4-byte overwrite in the kernel page cache, corrupting sensitive kernel-managed data.
5. Privilege Escalation: By corrupting kernel structures associated with credentials or execution context, the attacker escalates their process to UID 0.
6. Boundary Breach: The system’s privilege boundary is broken, neutralizing SELinux/AppArmor protections, and bypassing local security controls.
7. Lateral Movement/Container Escape: The attacker can now use the root privileges gained to perform lateral movement or escape the container.

Impact

Successful exploitation of CVE-2026-31431 leads to full root privilege escalation, resulting in high impact to confidentiality, integrity, and availability. This could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments. The vulnerability’s reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI/CD, and Kubernetes environments.

Recommendation

• Identify all instances of affected products and versions in your environment and prioritize patching (CVE-2026-31431).
• Deploy the Sigma rule for suspicious process execution under /tmp, often used in exploit PoCs, and tune for your environment.
• Monitor for suspicious AF_ALG socket creation events, as indicated in the Attack Chain, using the provided Sigma rule.
• If patches are unavailable, consider implementing network isolation and access controls as interim mitigation measures.

]]>criticaladvisoryprivilege-escalationlinuxkernelhttps://feed.craftedsignal.io/briefs/2026-04-copy-fail/Thu, 30 Apr 2026 13:54:47 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-copy-fail/A local privilege escalation vulnerability, dubbed 'Copy Fail' (CVE-2026-31431), affects Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions by exploiting a logic bug in the authencesn cryptographic template.A local privilege escalation vulnerability, “Copy Fail” (CVE-2026-31431), impacts Linux kernels released since 2017. Discovered by Theori’s AI-driven pentesting platform Xint Code, the vulnerability allows an unprivileged local attacker to gain root permissions. Theori reported the finding to the Linux kernel security team on March 23, 2026, and patches became available within a week. A proof-of-concept exploit was published, demonstrating a 732-byte script that can root every Linux distribution shipped since 2017. This vulnerability stems from a logic bug in the Linux kernel’s authencesn cryptographic template. Theori demonstrated successful exploits on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16.

Attack Chain

1. An unprivileged local attacker gains access to a vulnerable Linux system.
2. The attacker utilizes the AF_ALG socket-based interface to access Linux kernel crypto functions from user space.
3. The attacker uses the splice() system call to perform a controlled 4-byte write in the page cache of a readable file, instead of a normal buffer.
4. The attacker targets a setuid-root binary file for modification.
5. The 4-byte write alters the behavior of the setuid-root binary.
6. The attacker executes the modified setuid-root binary.
7. Due to the altered behavior, the binary grants the attacker elevated privileges.
8. The attacker gains root privileges on the system.

Impact

Successful exploitation of the Copy Fail vulnerability (CVE-2026-31431) allows an unprivileged local attacker to gain root privileges on a vulnerable Linux system. Theori demonstrated and confirmed the exploit on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16, highlighting the widespread impact. Multi-tenant Linux hosts, Kubernetes/container clusters, CI runners/build farms, and cloud SaaS environments running user code are at high risk.

Recommendation

• Apply available kernel patches for CVE-2026-31431 on affected Linux distributions, prioritizing multi-tenant environments (e.g., Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16).
• As an interim mitigation, disable the vulnerable crypto interface by blocking AF_ALG socket creation or disabling the algif_aead module, as described in the overview.
• Monitor for the execution of unusual processes after the modification of binaries in /tmp or /var/tmp using the Sigma rule “Detect Suspicious Splice Usage for Privilege Escalation”.
• Deploy the Sigma rule “Detect algif_aead module removal” to detect attempts to disable the vulnerable module.

]]>criticalthreatprivilege-escalationlinuxvulnerability