Share
## https://sploitus.com/exploit?id=49C6ECD2-3393-5C69-8B2A-C77F5468E2A1
# CVE-2026-31431 "Copy Fail" โ€” Defensive Detection Package

A production-ready collection of detection rules and triage guidance for
CVE-2026-31431, a Linux kernel local privilege escalation in the `algif_aead`
crypto interface disclosed by Theori (Xint Code Research). The vulnerability
exploits an in-place AEAD optimisation to allow an unprivileged user to
perform a controlled write into the page cache of any readable file. This
repository provides Sigma rules (including a behavioural chain rule), auditd
configurations, a Falco rule for containers, KQL and Elastic EQL hunt queries,
and a step-by-step analyst triage playbook. No exploit code โ€” purely defensive
content for SOC analysts and detection engineers.

Includes detection logic designed for auditd, eBPF, and EDR telemetry pipelines.

---

## Vulnerability Summary

| Field | Detail |
|---|---|
| CVE | CVE-2026-31431 |
| Nickname | Copy Fail |
| Component | Linux kernel `algif_aead` (AF_ALG crypto interface) |
| Type | Local Privilege Escalation (LPE) |
| CVSS | 7.8 |
| Primitive | Deterministic 4-byte controlled write into any readable file's page cache |
| Escalation path | Poison `/etc/passwd` page cache โ†’ `getpwnam()` returns UID 0 โ†’ `su` lands root |
| Container risk | If host kernel is unpatched and AF_ALG is not blocked by seccomp, this is a container-escape primitive (T1611) |
| Patch | Revert `algif_aead` to out-of-place AEAD operations (upstream) |

---

## Repository Structure

```
cve-2026-31431-detection/
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ sigma/
โ”‚   โ”œโ”€โ”€ afalg_socket_creation.yml       # Rule 1: AF_ALG socket by non-root
โ”‚   โ”œโ”€โ”€ afalg_bind_aead_string.yml      # Rule 2: authencesn algorithm keyword
โ”‚   โ””โ”€โ”€ afalg_su_chain.yml              # Rule 3: AF_ALG + su behavioural chain
โ”œโ”€โ”€ auditd/
โ”‚   โ””โ”€โ”€ cve-2026-31431.rules            # Persistent auditd configuration
โ”œโ”€โ”€ falco/
โ”‚   โ””โ”€โ”€ afalg_container.yml             # Container runtime detection (corrected)
โ”œโ”€โ”€ queries/
โ”‚   โ”œโ”€โ”€ defender_sentinel.kql           # KQL for Microsoft Defender / Sentinel
โ”‚   โ”œโ”€โ”€ splunk.spl                      # Splunk SPL hunt query
โ”‚   โ””โ”€โ”€ elastic.eql                     # Elastic EQL sequence query (corrected)
โ”œโ”€โ”€ playbook/
โ”‚   โ””โ”€โ”€ triage_playbook.md              # 5-step analyst triage playbook
โ””โ”€โ”€ diagrams/
    โ””โ”€โ”€ exploit_flow.svg                # Conceptual exploit flow (no weaponisable detail)
```

---

## Detection Coverage Matrix

| Stage | Observable behaviour | Detection |
|---|---|---|
| Initial | AF_ALG socket (family 38) by non-root | Sigma Rule 1 ยท auditd `afalg_socket` ยท Falco |
| Setup | bind() with authencesn AEAD string | Sigma Rule 2 (keyword) ยท auditd `afalg_bind` |
| Exploit trigger | splice() to AF_ALG fd | auditd `splice_syscall` ยท Falco/eBPF |
| Post-condition | EBADMSG recv() from unprivileged process | Syscall chain correlation ยท auditd |
| Impact | /etc/passwd FIM alert + access spike | File integrity monitoring ยท /proc/\/fd |
| Privilege transition | su execution after AF_ALG activity | Sigma Rule 3 ยท auditd execve ยท PAM logs |

---

## MITRE ATT&CK Mapping

- **T1068** โ€” Exploitation for Privilege Escalation
- **T1611** โ€” Escape to Host (container context)

---

## Patching Guidance

Apply the upstream fix that reverts `algif_aead` to out-of-place AEAD operations.
Distro advisories:

- RHEL: https://access.redhat.com/security/cve/CVE-2026-31431
- Ubuntu: https://ubuntu.com/security/CVE-2026-31431
- Debian: https://security-tracker.debian.org/tracker/CVE-2026-31431
- SUSE: https://www.suse.com/security/cve/CVE-2026-31431

**Temporary mitigation (unpatched systems):**
Place `install algif_aead /bin/false` in `/etc/modprobe.d/disable-algif-aead.conf`,
or apply a seccomp profile blocking `socket` calls with `AF_ALG` (family 38).

---

## False Positive Notes

The primary legitimate consumers of AF_ALG sockets are `cryptsetup` (LUKS), `fscrypt`,
and some kernel-crypto-aware VPN clients. In production environments these processes
almost exclusively run as root, so the `uid != 0` filter eliminates the vast majority
of benign activity. The specific AEAD string `authencesn(hmac(sha256),cbc(aes))` has
no known legitimate production usage and can be treated as critical when observed.

---

## Disclaimer

This repository contains defensive detection content only. No exploit code,
proof-of-concept scripts, syscall offsets, or shellcode are included or will be added.