CVE-2026-31431 Copy Fail AF_ALG splice exploitation detected
Goal
Detect exploitation of CVE-2026-31431 (Copy Fail), a Linux kernel page cache corruption vulnerability that enables local privilege escalation and container escape.
Strategy
This rule combines chain-based and standalone detections at multiple severity tiers to balance high-confidence signals with broader coverage against evasion variants.
Critical — Chained splice (high confidence)
A three-stage Agent-side chain detects the full exploit sequence within a single process:
- Stage 0 (bind): An unprivileged process binds an AF_ALG socket — this arms the chain.
- Stage 1 (setsockopt): The same process calls setsockopt with SOL_ALG (level 279) on the AF_ALG socket — this advances the chain to stage 2.
- Stage 2 (detection): The process splices from any setuid binary (splice.file.mode & S_ISUID).
High — Chained open + catch-all splice
- Open path: After the chain reaches stage 2, the process opens a system binary or PAM configuration file read-only, covering targets such as /etc/pam.d/* used for authentication bypass.
- Catch-all splice: After chain stage 2, the process splices any root-owned file (splice.file.uid == 0). This is broader than the S_ISUID check and covers variants that target non-setuid root-owned files.
Medium — Standalone AF_ALG bind (lower confidence)
Any successful unprivileged bind(AF_ALG) fires at medium severity with no chain dependency. This catches variants that split the exploit across multiple processes (e.g., fork after bind, fd passing via SCM_RIGHTS, separate bind/splice tools), which evade the process-scoped chain.
AF_ALG usage by non-root processes is uncommon — the kernel crypto API is primarily used by dm-crypt, cryptsetup, and libkcapi, all of which typically run as root. False positives are possible from FIPS compliance tools or crypto benchmarks running as non-root.
All chain stages must occur in the same process within 30 seconds. A 60-second cooldown prevents duplicate signals from the same process.
The exploit uses the authencesn AEAD template to corrupt the page cache of setuid binaries or PAM configurations entirely within kernel space. An attacker then executes the corrupted binary to gain root or bypasses authentication.
Container-specific cases are included for all detection paths.
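As an added illustration of the tiered logic described above (this is not Datadog's rule engine or code from this page), the following Python models the staged chain over a constructed event stream: a medium signal on any unprivileged AF_ALG bind, advancement on SOL_ALG setsockopt, a critical signal on a splice from a setuid file, a high signal on a root-owned splice or a read-only open of /etc/pam.d/* or a system binary, a 30-second chain window and a 60-second per-process, per-rule cooldown. The event dictionary fields, the list of system-binary directories and the rule names are assumptions; AF_ALG = 38 and SOL_ALG = 279 are the Linux constants.

```python
"""Added model of a chain-based AF_ALG + splice detection (not the Agent's code).

Event fields, rule names, SYSTEM_BIN_DIRS and the thresholds are assumptions
modelled on the rule description; AF_ALG and SOL_ALG are the kernel constants.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AF_ALG = 38            # Linux address family for the kernel crypto API
SOL_ALG = 279          # setsockopt level used on AF_ALG sockets
S_ISUID = 0o4000       # setuid bit in st_mode
CHAIN_WINDOW = 30.0    # seconds: all stages must occur within this window
COOLDOWN = 60.0        # seconds: suppress duplicate signals per process and rule
PAM_DIR = "/etc/pam.d/"
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")  # assumption


@dataclass
class ProcState:
    stage: int = 0                       # 0 = idle, 1 = bound AF_ALG, 2 = SOL_ALG set
    armed_at: float = 0.0                # time of the bind that armed the chain
    last_fired: Dict[str, float] = field(default_factory=dict)  # rule -> last signal time


class ChainDetector:
    def __init__(self) -> None:
        self.procs: Dict[int, ProcState] = {}

    def _fire(self, st: ProcState, rule: str, severity: str, t: float) -> Optional[Tuple[str, str]]:
        """Emit (severity, rule) unless the same rule fired for this process within COOLDOWN."""
        last = st.last_fired.get(rule)
        if last is not None and t - last < COOLDOWN:
            return None
        st.last_fired[rule] = t
        return (severity, rule)

    def handle(self, ev: dict) -> Optional[Tuple[str, str]]:
        st = self.procs.setdefault(ev["pid"], ProcState())
        t = ev["t"]
        # A chain that did not complete within the window is discarded.
        if st.stage and t - st.armed_at > CHAIN_WINDOW:
            st.stage = 0
        kind = ev["type"]
        # Stage 0 / standalone rule: successful unprivileged bind(AF_ALG).
        if kind == "bind" and ev.get("family") == AF_ALG and ev["uid"] != 0 and ev.get("ret", 0) == 0:
            st.stage, st.armed_at = 1, t
            return self._fire(st, "standalone_af_alg_bind", "medium", t)
        # Stage 1: setsockopt(SOL_ALG) on the same process advances to stage 2.
        if kind == "setsockopt" and ev.get("level") == SOL_ALG and st.stage == 1:
            st.stage = 2
            return None
        if st.stage != 2:
            return None
        # Stage 2 detections, ordered from most to least specific.
        if kind == "splice":
            if ev["mode"] & S_ISUID:
                return self._fire(st, "chained_splice_setuid", "critical", t)
            if ev["file_uid"] == 0:
                return self._fire(st, "chained_splice_root_owned", "high", t)
        if kind == "open" and ev.get("flags") == "O_RDONLY":
            path = ev["path"]
            if path.startswith(PAM_DIR) or path.startswith(SYSTEM_BIN_DIRS):
                return self._fire(st, "chained_open_system_file", "high", t)
        return None


def run(events: List[dict]) -> List[Tuple[int, str, str]]:
    """Feed events in time order and collect (pid, severity, rule) signals."""
    det = ChainDetector()
    signals = []
    for ev in events:
        sig = det.handle(ev)
        if sig:
            signals.append((ev["pid"], sig[0], sig[1]))
    return signals


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    # pid 4242: full chain in one process -> medium at bind, critical at splice, high at open
    {"t": 0.0, "pid": 4242, "uid": 1000, "type": "bind", "family": AF_ALG, "ret": 0},
    {"t": 0.4, "pid": 4242, "uid": 1000, "type": "setsockopt", "level": SOL_ALG},
    {"t": 1.1, "pid": 4242, "uid": 1000, "type": "splice", "path": "/usr/bin/su", "mode": 0o104755, "file_uid": 0},
    {"t": 1.5, "pid": 4242, "uid": 1000, "type": "splice", "path": "/usr/bin/su", "mode": 0o104755, "file_uid": 0},  # cooldown
    {"t": 2.0, "pid": 4242, "uid": 1000, "type": "open", "path": "/etc/pam.d/sudo", "flags": "O_RDONLY"},
    # pid 5000: bind only (possible cross-process variant) -> medium only
    {"t": 10.0, "pid": 5000, "uid": 1000, "type": "bind", "family": AF_ALG, "ret": 0},
    # pid 6000: root binding AF_ALG (e.g. cryptsetup) -> no signal
    {"t": 11.0, "pid": 6000, "uid": 0, "type": "bind", "family": AF_ALG, "ret": 0},
    # pid 7000: setsockopt arrives 40 s after bind -> chain expires, only the medium bind signal
    {"t": 100.0, "pid": 7000, "uid": 1000, "type": "bind", "family": AF_ALG, "ret": 0},
    {"t": 140.0, "pid": 7000, "uid": 1000, "type": "setsockopt", "level": SOL_ALG},
    {"t": 141.0, "pid": 7000, "uid": 1000, "type": "splice", "path": "/usr/bin/passwd", "mode": 0o104755, "file_uid": 0},
]

if __name__ == "__main__":
    for pid, severity, rule in run(SAMPLE_EVENTS):
        print(f"pid={pid} severity={severity} rule={rule}")
```

The per-process state is what makes the critical tier high-confidence and also why the standalone bind tier exists: pid 5000 never advances past stage 1 in this model, exactly the situation where a fork-after-bind or fd-passing variant would leave the chain incomplete.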
Triage and response
- Check the severity tier. Critical signals indicate that a high-confidence exploit chain completed. Medium signals (standalone bind) require further investigation — check whether the process is a known crypto tool (libkcapi, cryptsetup, FIPS compliance tooling) or something unexpected.
- Identify the process and user that triggered the detection. Check @process.executable.path, @process.user, and @process.ancestors.
- For medium signals, look for correlated splice or privilege escalation activity on the same host within a short time window — this indicates a cross-process exploit variant.
- Determine whether the host or container is running a kernel version vulnerable to CVE-2026-31431. Check @os.kernel for versions 6.12 or later without the fix (commit a664bf3d603d).
- Isolate the affected host or terminate the container immediately — the exploit reliably grants root.
- Check for post-exploitation activity: new processes spawned as root, lateral movement, persistence mechanisms.
- Apply the kernel patch or disable the algif_aead module as a mitigation: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
- Investigate whether other hosts in the fleet are running vulnerable kernels and prioritize patching.
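For the kernel-version and mitigation steps in the list above, here is an added Python helper (not part of this page or of the Agent) that evaluates constructed samples of uname -r output, /proc/modules content and modprobe.d files. It reports only whether a host falls in the 6.12-or-later range the rule names and whether algif_aead is currently loaded or install-blocked; whether the fix commit a664bf3d603d is present has to be confirmed from the distribution's kernel changelog, which this helper does not read. The sample strings and the action wording are assumptions.

```python
"""Added triage helper for the kernel-version and algif_aead checks (not the Agent's code).

Inputs are plain strings so the checks can be exercised offline; on a live host
you would pass the output of `uname -r`, the contents of /proc/modules and the
text of each file under /etc/modprobe.d/.
"""
import re
from typing import Dict, Tuple

AFFECTED_FROM = (6, 12)   # lower bound stated by the rule description
MODULE = "algif_aead"


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a `uname -r` string such as 6.12.9-amd64."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def module_loaded(proc_modules: str, name: str = MODULE) -> bool:
    """True if `name` appears as a loaded module in /proc/modules content."""
    return any(line.split()[0] == name for line in proc_modules.splitlines() if line.strip())


def module_install_blocked(modprobe_confs: Dict[str, str], name: str = MODULE) -> bool:
    """True if any modprobe.d file carries an `install <name> <command>` override.

    Such a line makes modprobe run the command instead of loading the module; it
    does not unload a module that is already loaded, so check module_loaded too.
    """
    pat = re.compile(rf"^\s*install\s+{re.escape(name)}\s+\S+", re.M)
    return any(pat.search(text) for text in modprobe_confs.values())


def assess_host(kernel_release: str, proc_modules: str, modprobe_confs: Dict[str, str]) -> Dict[str, object]:
    """Combine the three checks into a triage verdict with a suggested next action."""
    ver = parse_kernel_release(kernel_release)
    in_range = ver >= AFFECTED_FROM
    loaded = module_loaded(proc_modules)
    blocked = module_install_blocked(modprobe_confs)
    if not in_range:
        action = "kernel below 6.12: outside the range the rule names; consult the vendor advisory before treating as unaffected"
    elif loaded:
        action = "algif_aead loaded on a 6.12+ kernel: patch now, or unload the module and add the install override"
    elif blocked:
        action = "6.12+ kernel with algif_aead install-blocked: mitigated; still confirm the fix commit is applied"
    else:
        action = "6.12+ kernel, module neither loaded nor blocked: patch, or add the modprobe.d override"
    return {
        "kernel": ver,
        "in_affected_range": in_range,
        "module_loaded": loaded,
        "module_install_blocked": blocked,
        "action": action,
    }


# Constructed sample inputs (not captured from a real host).
SAMPLE_PROC_MODULES = (
    "algif_aead 16384 0 - Live 0x0000000000000000\n"
    "authencesn 16384 1 algif_aead, Live 0x0000000000000000\n"
)
SAMPLE_MODPROBE = {"/etc/modprobe.d/disable-algif-aead.conf": "install algif_aead /bin/false\n"}

if __name__ == "__main__":
    for k, v in assess_host("6.12.9-amd64", SAMPLE_PROC_MODULES, SAMPLE_MODPROBE).items():
        print(f"{k}: {v}")
```

The ordering in assess_host matters: a module that is already loaded is the live exposure regardless of any modprobe.d override, so that branch is evaluated before the blocked one.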
Requires Agent version 7.68 or greater.