Share
## https://sploitus.com/exploit?id=49C6ECD2-3393-5C69-8B2A-C77F5468E2A1
# CVE-2026-31431 "Copy Fail" โ Defensive Detection Package
A production-ready collection of detection rules and triage guidance for
CVE-2026-31431, a Linux kernel local privilege escalation in the `algif_aead`
crypto interface disclosed by Theori (Xint Code Research). The vulnerability
exploits an in-place AEAD optimisation to allow an unprivileged user to
perform a controlled write into the page cache of any readable file. This
repository provides Sigma rules (including a behavioural chain rule), auditd
configurations, a Falco rule for containers, KQL and Elastic EQL hunt queries,
and a step-by-step analyst triage playbook. No exploit code โ purely defensive
content for SOC analysts and detection engineers.
Includes detection logic designed for auditd, eBPF, and EDR telemetry pipelines.
---
## Vulnerability Summary
| Field | Detail |
|---|---|
| CVE | CVE-2026-31431 |
| Nickname | Copy Fail |
| Component | Linux kernel `algif_aead` (AF_ALG crypto interface) |
| Type | Local Privilege Escalation (LPE) |
| CVSS | 7.8 |
| Primitive | Deterministic 4-byte controlled write into any readable file's page cache |
| Escalation path | Poison `/etc/passwd` page cache โ `getpwnam()` returns UID 0 โ `su` lands root |
| Container risk | If host kernel is unpatched and AF_ALG is not blocked by seccomp, this is a container-escape primitive (T1611) |
| Patch | Revert `algif_aead` to out-of-place AEAD operations (upstream) |
---
## Repository Structure
```
cve-2026-31431-detection/
โโโ README.md
โโโ sigma/
โ โโโ afalg_socket_creation.yml # Rule 1: AF_ALG socket by non-root
โ โโโ afalg_bind_aead_string.yml # Rule 2: authencesn algorithm keyword
โ โโโ afalg_su_chain.yml # Rule 3: AF_ALG + su behavioural chain
โโโ auditd/
โ โโโ cve-2026-31431.rules # Persistent auditd configuration
โโโ falco/
โ โโโ afalg_container.yml # Container runtime detection (corrected)
โโโ queries/
โ โโโ defender_sentinel.kql # KQL for Microsoft Defender / Sentinel
โ โโโ splunk.spl # Splunk SPL hunt query
โ โโโ elastic.eql # Elastic EQL sequence query (corrected)
โโโ playbook/
โ โโโ triage_playbook.md # 5-step analyst triage playbook
โโโ diagrams/
โโโ exploit_flow.svg # Conceptual exploit flow (no weaponisable detail)
```
---
## Detection Coverage Matrix
| Stage | Observable behaviour | Detection |
|---|---|---|
| Initial | AF_ALG socket (family 38) by non-root | Sigma Rule 1 ยท auditd `afalg_socket` ยท Falco |
| Setup | bind() with authencesn AEAD string | Sigma Rule 2 (keyword) ยท auditd `afalg_bind` |
| Exploit trigger | splice() to AF_ALG fd | auditd `splice_syscall` ยท Falco/eBPF |
| Post-condition | EBADMSG recv() from unprivileged process | Syscall chain correlation ยท auditd |
| Impact | /etc/passwd FIM alert + access spike | File integrity monitoring ยท /proc/\/fd |
| Privilege transition | su execution after AF_ALG activity | Sigma Rule 3 ยท auditd execve ยท PAM logs |
---
## MITRE ATT&CK Mapping
- **T1068** โ Exploitation for Privilege Escalation
- **T1611** โ Escape to Host (container context)
---
## Patching Guidance
Apply the upstream fix that reverts `algif_aead` to out-of-place AEAD operations.
Distro advisories:
- RHEL: https://access.redhat.com/security/cve/CVE-2026-31431
- Ubuntu: https://ubuntu.com/security/CVE-2026-31431
- Debian: https://security-tracker.debian.org/tracker/CVE-2026-31431
- SUSE: https://www.suse.com/security/cve/CVE-2026-31431
**Temporary mitigation (unpatched systems):**
Place `install algif_aead /bin/false` in `/etc/modprobe.d/disable-algif-aead.conf`,
or apply a seccomp profile blocking `socket` calls with `AF_ALG` (family 38).
---
## False Positive Notes
The primary legitimate consumers of AF_ALG sockets are `cryptsetup` (LUKS), `fscrypt`,
and some kernel-crypto-aware VPN clients. In production environments these processes
almost exclusively run as root, so the `uid != 0` filter eliminates the vast majority
of benign activity. The specific AEAD string `authencesn(hmac(sha256),cbc(aes))` has
no known legitimate production usage and can be treated as critical when observed.
---
## Disclaimer
This repository contains defensive detection content only. No exploit code,
proof-of-concept scripts, syscall offsets, or shellcode are included or will be added.