Share
## https://sploitus.com/exploit?id=F1B1FAFB-2F7C-5C0D-9C59-CF07E1B70FA9
# Wazuh SCA policy: Copy Fail (CVE-2026-31431)

This policy file:

- `copy-fail-cve-2026-31431-policy.yml`

is designed to detect likely exposure and mitigation status for **Copy Fail / CVE-2026-31431**.

## What this policy checks

1. `algif_aead` is disabled via modprobe policy.
2. `algif_aead` is not currently loaded.
3. Mitigation file exists (`/etc/modprobe.d/disable-algif.conf`).
4. Reboot-after-kernel-update heuristics are clean.
5. Best-effort seccomp control includes `AF_ALG` (container hosts).

## Why this is mitigation-first

For this CVE, distribution backports make exact version matching unreliable with simple regex checks.
So this SCA policy focuses on:

- runtime exploit-path reduction,
- operational patch hygiene,
- and container hardening signals.

## Deploy on agent

Copy policy to:

- `/var/ossec/ruleset/sca/copy-fail-cve-2026-31431-policy.yml`

Enable SCA in `/var/ossec/etc/ossec.conf` if needed:

```xml
  
    yes
    yes
    14h
    
      /var/ossec/etc/shared/copy-fail-cve-2026-31431-policy.yml
    
  
```

Restart manager or agent:

```bash
sudo systemctl restart wazuh-agent
```

## Temporary mitigation commands (from public guidance)

```bash
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead 2>/dev/null || true
```

Then reboot after patched kernel update.

## Notes

- Check `110005` may be **Not applicable** on non-container hosts.
- If your environment stores seccomp profiles in another path, duplicate/adjust that check.
- If you want strict vendor-kernel package checks (Ubuntu/RHEL/SUSE specific), add distro-scoped checks per package manager output.