## https://sploitus.com/exploit?id=F1B1FAFB-2F7C-5C0D-9C59-CF07E1B70FA9
# Wazuh SCA policy: Copy Fail (CVE-2026-31431)
This policy file:
- `copy-fail-cve-2026-31431-policy.yml`
is designed to detect likely exposure and mitigation status for **Copy Fail / CVE-2026-31431**.
## What this policy checks
1. `algif_aead` is disabled via modprobe policy.
2. `algif_aead` is not currently loaded.
3. Mitigation file exists (`/etc/modprobe.d/disable-algif.conf`).
4. Reboot-after-kernel-update heuristics are clean.
5. Best-effort seccomp control includes `AF_ALG` (container hosts).
## Why this is mitigation-first
For this CVE, distribution backports make exact version matching unreliable with simple regex checks.
So this SCA policy focuses on:
- runtime exploit-path reduction,
- operational patch hygiene,
- and container hardening signals.
## Deploy on agent
Copy policy to:
- `/var/ossec/ruleset/sca/copy-fail-cve-2026-31431-policy.yml`
Enable SCA in `/var/ossec/etc/ossec.conf` if needed:
```xml
yes
yes
14h
/var/ossec/etc/shared/copy-fail-cve-2026-31431-policy.yml
```
Restart manager or agent:
```bash
sudo systemctl restart wazuh-agent
```
## Temporary mitigation commands (from public guidance)
```bash
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead 2>/dev/null || true
```
Then reboot after patched kernel update.
## Notes
- Check `110005` may be **Not applicable** on non-container hosts.
- If your environment stores seccomp profiles in another path, duplicate/adjust that check.
- If you want strict vendor-kernel package checks (Ubuntu/RHEL/SUSE specific), add distro-scoped checks per package manager output.