## https://sploitus.com/exploit?id=CC46DEA0-6207-5576-B812-BDB19309E5BB
# Copy Fail Detection โ CVE-2026-31431
Detection engineering project focused on identifying exploitation attempts of the **Copy Fail Local Privilege Escalation vulnerability (CVE-2026-31431)** on Linux systems.
This repository contains a **multi-layered defensive detection package** designed to detect both:
- execution of the public exploit proof-of-concept (IOC-based),
- and behavioral traces associated with privilege escalation via `AF_ALG + splice()` page cache corruption.
---
## ๐ About Copy Fail
Copy Fail is a critical Linux Local Privilege Escalation (LPE) vulnerability disclosed in April 2026.
The flaw abuses:
- `AF_ALG` cryptographic sockets
- `algif_aead`
- `splice()` kernel memory manipulation
- page cache corruption
to modify privileged file content in memory and obtain **root privileges without persistent on-disk modification**.
Because exploitation can be performed with a very small public PoC and is trivial to mutate, traditional **hash-only detection is insufficient**.
This project was created to provide:
> IOC detection + TTP detection + syscall chain hunting + SIEM validation.
---
# ๐ฏ Detection Goals
The purpose of this suite is to identify:
- execution of known public Copy Fail PoCs;
- suspicious use of `AF_ALG` primitives;
- abuse of `splice()` associated with local exploitation;
- suspicious execution of SUID binaries after exploit staging;
- root transition following likely exploit activity.
---