CVE-2026-31431, dubbed Copy Fail, is a high-severity Linux kernel flaw that lets an unprivileged local user corrupt the page cache via AF_ALG sockets and the authencesn AEAD template and execute code as root. CISA added it to the KEV catalog after confirmed in-the-wild exploitation, and Datadog Security Research built detection content to catch the exploit chain and related variants. #CVE-2026-31431 #CopyFail #CISA #Datadog #authencesn
Key points
- CVE-2026-31431 has a CVSS score of 7.8 and affects Linux kernels from 4.14 through 6.19, including 7.0 release candidates.
- The flaw allows any unprivileged local user to corrupt page cache contents through AF_ALG sockets and the authencesn AEAD template, leading to root code execution.
- The attack stays entirely in kernel space, leaving no normal file-write trail, no VFS writes, and no mtime changes.
- CISA placed the vulnerability in the Known Exploited Vulnerabilities catalog on May 1, 2026, and active exploitation has been confirmed.
- The exploit uses splice() to move file-backed page cache pages into the crypto pipeline, enabling controlled corruption of readable target files such as /usr/bin/su.
- The technique can also target PAM configuration files and may cross container boundaries when cached pages are shared across workloads.
- Datadog created multi-stage Workload Protection detections and related hunt queries to identify AF_ALG abuse, risky file access, and exploitation attempts.
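The multi-stage detection in the last point, as an added example that is not Datadog's own rule content: a small Python correlator walks constructed per-process syscall events and flags the chain the page describes (AF_ALG socket, bind to an authencesn AEAD, splice of a watched readable file into that socket). The event line format, field names and sample stream are assumptions; a real deployment would feed eBPF or auditd syscall records instead.

```python
"""Correlate constructed syscall events into the Copy Fail exploit chain."""
import re
from collections import defaultdict

# Readable targets named in the article; extend with other sensitive paths.
WATCHED = ("/usr/bin/su", "/etc/pam.d/", "/etc/passwd")

# Constructed sample event stream (not real telemetry), one event per line.
# pid 4242 walks the full chain; pid 7001 is a benign sha256 hash user.
SAMPLE_EVENTS = """\
pid=4242 uid=1000 syscall=socket family=AF_ALG
pid=4242 uid=1000 syscall=bind alg_type=aead alg_name=authencesn(hmac(sha256),cbc(aes))
pid=4242 uid=1000 syscall=accept
pid=4242 uid=1000 syscall=open path=/usr/bin/su flags=O_RDONLY
pid=4242 uid=1000 syscall=splice fd_in_path=/usr/bin/su fd_out_type=AF_ALG
pid=7001 uid=0 syscall=socket family=AF_ALG
pid=7001 uid=0 syscall=bind alg_type=hash alg_name=sha256
pid=7001 uid=0 syscall=splice fd_in_path=/tmp/blob fd_out_type=AF_ALG
"""

KV = re.compile(r"(\w+)=(\S+)")  # assumed key=value event encoding


def parse(line):
    return dict(KV.findall(line))


def detect(events_text):
    """Return {pid: {"uid", "target"}} for pids completing all three stages.

    Stage 1: AF_ALG socket created.  Stage 2: bound to an authencesn AEAD.
    Stage 3: a watched file spliced into the AF_ALG socket.  Stages must be
    reached in order by the same pid, so ordinary AF_ALG users stay quiet.
    """
    stage = defaultdict(int)
    hits = {}
    for line in events_text.splitlines():
        ev = parse(line)
        pid, call = ev.get("pid"), ev.get("syscall")
        if call == "socket" and ev.get("family") == "AF_ALG":
            stage[pid] = max(stage[pid], 1)
        elif (call == "bind" and stage[pid] >= 1 and ev.get("alg_type") == "aead"
              and ev.get("alg_name", "").startswith("authencesn(")):
            stage[pid] = max(stage[pid], 2)
        elif (call == "splice" and stage[pid] >= 2 and ev.get("fd_out_type") == "AF_ALG"
              and ev.get("fd_in_path", "").startswith(WATCHED)):
            stage[pid] = 3
            hits[pid] = {"uid": ev.get("uid"), "target": ev["fd_in_path"]}
    return hits


if __name__ == "__main__":
    for pid, info in detect(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} uid={info['uid']}: {info['target']} spliced into authencesn AF_ALG socket")
```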
MITRE Techniques
- [T1068] Exploitation for Privilege Escalation – The vulnerability is used to escalate privileges from an unprivileged local user to root by corrupting kernel page cache and executing attacker-controlled code as root (‘allows any unprivileged local user to corrupt the page caches… to escalate privileges to execute code as root’).
- [T1106] Native API – The exploit relies on direct use of Linux system calls and kernel interfaces such as AF_ALG socket creation, setsockopt(), accept(), splice(), and open() (‘creates an AF_ALG socket, binds it… configures it with setsockopt(), and sends data’).
- [T1021] Remote Services – The article does not describe remote login or lateral movement, but it does note container boundary reuse of shared pages that may affect more privileged runtimes (‘cross container boundaries when the targeted file is backed by the same underlying file object’).
- [T1565.001] Data Manipulation: Stored Data Manipulation – The exploit alters the cached contents of readable files such as /usr/bin/su and PAM configuration files without changing the on-disk file, effectively manipulating stored file data in memory (‘corrupt the page cache of any file readable by the attacker’).
- [T1055] Process Injection – Not directly a classic process injection, but the attack influences executable memory pages used when /usr/bin/su is mapped and executed (‘the CPU executes from those in-memory pages, not from disk’).
- [T1499] Endpoint Denial of Service – The article does not emphasize DoS, but it describes kernel-space corruption of shared page cache that can destabilize affected files and workloads (‘corrupt shared memory invisible to traditional monitoring’).
Indicators of Compromise
- [CVE / vulnerability identifier] Affected kernel flaw and hunting target – CVE-2026-31431
- [File paths] Common target binaries and auth files used in exploitation or detection – /usr/bin/su, /etc/pam.d/*, and other system file paths such as /etc/passwd
- [Kernel/module name] Potential AF_ALG-related kernel module load indicator – algif_aead
- [Datadog rule/query field] Detection and hunting context for compromised hosts – @advisory.cve:CVE-2026-31431, @status:(open OR in_progress)
- [Datadog product/version] Required platform version for the content pack – Datadog Agent v7.68 or greater
Read more: https://securitylabs.datadoghq.com/articles/cve-2026-31431-copy-fail-exploit-detection-with-agents/