CVE-2026-31431 Copy Fail AF_ALG splice exploitation detected


Goal

Detect exploitation of CVE-2026-31431 (Copy Fail), a Linux kernel page cache corruption vulnerability that enables local privilege escalation and container escape.

Strategy

This rule uses a three-stage Agent-side chain to detect the CVE-2026-31431 exploit sequence within a single process:

  1. Stage 0 (bind): An unprivileged process binds an AF_ALG socket — arms the chain.
  2. Stage 1 (setsockopt): The same process calls setsockopt with SOL_ALG (level 279) on the AF_ALG socket — advances to stage 2.
  3. Stage 2 (splice): The same process splices from a setuid binary (/usr/bin/su or /bin/su) — fires the detection.

All three stages must occur in the same process within 30 seconds. A 60-second cooldown prevents duplicate signals from the same process.

The exploit uses the authencesn AEAD template to corrupt the page cache of setuid binaries entirely within kernel space, bypassing VFS protections. An attacker then executes the corrupted binary to gain root. Because the page cache is shared across mount namespaces, this is also a container escape primitive.

The container-specific case fires at critical severity when the exploit chain is detected inside a container, indicating a potential container escape attempt.
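The per-process stage chain, 30-second window and 60-second cooldown described above, written out as stateful detection logic and run over a constructed syscall trace. This is an added example, not the Agent's rule implementation; the event record layout (fields family, level, fd_in_path, container_id), the helper names and the AF_ALG value 38 are assumptions, while SOL_ALG 279 and the setuid paths come from the text.

```python
from dataclasses import dataclass

AF_ALG, SOL_ALG = 38, 279          # crypto API address family (assumed); setsockopt level from the rule
SETUID_TARGETS = {"/usr/bin/su", "/bin/su"}
CHAIN_WINDOW, COOLDOWN = 30.0, 60.0  # seconds: whole chain must fit in 30 s; one signal per pid per 60 s

@dataclass
class ChainState:
    stage: int = 0                      # 0 idle, 1 AF_ALG bound (stage 0 done), 2 SOL_ALG setsockopt seen
    armed_at: float = 0.0               # timestamp of the bind that armed the chain
    last_signal: float = float("-inf")  # timestamp of the last emitted signal for this pid

def feed(state, ev):
    """Advance the chain of ev["pid"] with one syscall event (a constructed dict); return a signal or None."""
    st, now = state.setdefault(ev["pid"], ChainState()), ev["ts"]
    if st.stage and now - st.armed_at > CHAIN_WINDOW:
        st.stage = 0                    # 30 s window elapsed: the chain must start over from bind
    if ev["syscall"] == "bind" and ev.get("family") == AF_ALG and ev.get("uid") != 0:
        st.stage, st.armed_at = 1, now  # stage 0: an unprivileged AF_ALG bind arms the chain
    elif ev["syscall"] == "setsockopt" and st.stage == 1 and ev.get("level") == SOL_ALG:
        st.stage = 2                    # stage 1: SOL_ALG setsockopt in the same process advances
    elif ev["syscall"] == "splice" and st.stage == 2 and ev.get("fd_in_path") in SETUID_TARGETS:
        st.stage = 0                    # stage 2: splice from a setuid binary fires, then reset
        if now - st.last_signal < COOLDOWN:
            return None                 # duplicate from the same pid inside the cooldown
        st.last_signal = now
        return {"pid": ev["pid"], "target": ev["fd_in_path"], "in_container": bool(ev.get("container_id"))}
    return None

def run(events):
    state = {}                          # pid -> ChainState: the chain is tracked per process
    return [s for s in (feed(state, e) for e in events) if s]

def evt(ts, pid, uid, call, **kw):     # builds one constructed event record
    return {"ts": ts, "pid": pid, "uid": uid, "syscall": call, **kw}

SAMPLE_EVENTS = [  # constructed trace covering a hit, a cooldown repeat, a root process and an expired window
    evt(100.0, 4242, 1000, "bind", family=AF_ALG, container_id="c1"),        # pid 4242 arms inside container c1
    evt(101.0, 4242, 1000, "setsockopt", level=SOL_ALG, container_id="c1"),
    evt(102.0, 4242, 1000, "splice", fd_in_path="/usr/bin/su", container_id="c1"),  # fires (container case)
    evt(105.0, 4242, 1000, "bind", family=AF_ALG, container_id="c1"),        # same pid repeats 5 s later
    evt(106.0, 4242, 1000, "setsockopt", level=SOL_ALG, container_id="c1"),
    evt(107.0, 4242, 1000, "splice", fd_in_path="/usr/bin/su", container_id="c1"),  # suppressed by cooldown
    evt(110.0, 7, 0, "bind", family=AF_ALG),                                # root: bind never arms the chain
    evt(111.0, 7, 0, "setsockopt", level=SOL_ALG),
    evt(112.0, 7, 0, "splice", fd_in_path="/bin/su"),
    evt(200.0, 5000, 1000, "bind", family=AF_ALG),                          # pid 5000 arms at t=200
    evt(201.0, 5000, 1000, "setsockopt", level=SOL_ALG),
    evt(241.0, 5000, 1000, "splice", fd_in_path="/bin/su"),                 # 41 s after bind: window expired
]
```

Running run(SAMPLE_EVENTS) yields a single signal for pid 4242 with in_container set, which is the case the text maps to critical severity.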

Triage and response

  1. Identify the process and user that triggered the chain. Check @process.executable.path, @process.user, and @process.ancestors.
  2. Determine if the host/container is running a kernel version vulnerable to CVE-2026-31431. Check @os.kernel for versions 6.12 or later without the fix (commit a664bf3d603d).
  3. Isolate the affected host or terminate the container immediately — the exploit reliably grants root.
  4. Check for post-exploitation activity: new processes spawned as root, lateral movement, persistence mechanisms.
  5. Apply the kernel patch or disable the algif_aead module as a mitigation: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf.
  6. Investigate whether other hosts in the fleet are running vulnerable kernels and prioritize patching.

Requires Agent version 7.68 or greater.