---
title: CVE-2026-31431 Copy Fail AF_ALG splice exploitation detected
description: Datadog, the leading service for cloud-scale monitoring.
---

# CVE-2026-31431 Copy Fail AF_ALG splice exploitation detected
Classification: attack
Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004)
Technique: [T1068-exploitation-for-privilege-escalation](https://attack.mitre.org/techniques/T1068)
## Goal{% #goal %}

Detect exploitation of CVE-2026-31431 (Copy Fail), a Linux kernel page cache corruption vulnerability that enables local privilege escalation and container escape.

## Strategy{% #strategy %}

This rule combines chain-based and standalone detections at multiple severity tiers to balance high-confidence signals with broader coverage against evasion variants.

### Critical — Chained splice (high confidence){% #critical--chained-splice-high-confidence %}

A three-stage Agent-side chain detects the full exploit sequence within a single process:

1. **Stage 0 (bind):** An unprivileged process binds an `AF_ALG` socket — arms the chain.
1. **Stage 1 (setsockopt):** The same process calls `setsockopt` with `SOL_ALG` (level 279) on the `AF_ALG` socket — advances to stage 2.
1. **Stage 2 (detection):** The process splices from any setuid binary (`splice.file.mode & S_ISUID`).

### High — Chained open + catch-all splice{% #high--chained-open--catch-all-splice %}

- **Open path:** The process opens a system binary or PAM configuration read-only after the chain reaches stage 2, covering targets such as `/etc/pam.d/*` for authentication bypass.
- **Catch-all splice:** The process splices any root-owned file (`splice.file.uid == 0`) after the chain reaches stage 2. This is broader than the `S_ISUID` check and covers variants that target non-setuid root-owned files.

### Medium — Standalone AF_ALG bind (lower confidence){% #medium--standalone-af_alg-bind-lower-confidence %}

Any successful unprivileged `bind(AF_ALG)` fires at medium severity with **no chain dependency**. This catches variants that split the exploit across multiple processes (e.g., fork after bind, fd passing via `SCM_RIGHTS`, separate bind/splice tools) and therefore evade the process-scoped chain.

`AF_ALG` usage by non-root processes is uncommon — the kernel crypto API is primarily used by `dm-crypt`, `cryptsetup`, and `libkcapi`, all of which typically run as root. False positives are possible from FIPS compliance tools or crypto benchmarks running as non-root.

All chain stages must occur in the same process within 30 seconds. A 60-second cooldown prevents duplicate signals from the same process.

The exploit uses the `authencesn` AEAD template to corrupt the page cache of setuid binaries or PAM configurations entirely within kernel space. An attacker then executes the corrupted binary to gain root or bypasses authentication.

Container-specific cases are included for all detection paths.
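The three tiers above can be read as a small per-process state machine. The following is an added illustration of that logic, not Datadog's rule engine or Agent code: the event shape, field names, the list of "system binary" prefixes and the decision to apply the cooldown only to chain (stage 2) signals are assumptions modelled on the rule description; `AF_ALG` (38) and `SOL_ALG` (279) are the Linux constants, and the 30-second window and 60-second cooldown come from the text. The event stream at the bottom is constructed, not captured telemetry.

```python
"""Process-scoped chain detection for the Copy Fail (CVE-2026-31431) exploit pattern.

Added illustration, not Datadog's rule engine or Agent code. Event shape, field
names, path prefixes and cooldown scoping are assumptions modelled on the rule text.
"""
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional

AF_ALG = 38                   # Linux address family for the kernel crypto API
SOL_ALG = 279                 # setsockopt level named in the rule
O_ACCMODE, O_RDONLY = 0o3, 0  # access-mode bits of open(2) flags
CHAIN_WINDOW_S = 30.0         # all stages must complete within this window
COOLDOWN_S = 60.0             # suppress duplicate chain signals per process
# Assumed "system binary" locations for the high-tier open check.
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/etc/pam.d/")


@dataclass
class Event:
    ts: float
    pid: int
    kind: str                       # "bind" | "setsockopt" | "splice" | "open"
    uid: int = 1000                 # uid of the acting process
    family: Optional[int] = None    # bind: socket family
    level: Optional[int] = None     # setsockopt: level
    path: str = ""                  # splice/open: source file path
    file_mode: int = 0              # splice/open: st_mode of that file
    file_uid: Optional[int] = None  # splice/open: owner uid of that file
    flags: int = 0                  # open: open(2) flags


@dataclass
class Signal:
    severity: str
    reason: str
    pid: int
    ts: float


@dataclass
class Chain:
    stage: int                      # 1 after bind, 2 after setsockopt
    armed_at: float
    last_signal_at: float = float("-inf")


class CopyFailDetector:
    def __init__(self) -> None:
        self.chains: Dict[int, Chain] = {}

    def _chain(self, ev: Event) -> Optional[Chain]:
        chain = self.chains.get(ev.pid)
        if chain and ev.ts - chain.armed_at > CHAIN_WINDOW_S:
            del self.chains[ev.pid]  # window elapsed: disarm the chain
            return None
        return chain

    def _emit(self, chain: Chain, ev: Event, severity: str, reason: str, out: List[Signal]) -> None:
        # Assumed: the cooldown applies to chain (stage 2) signals only, per process.
        if ev.ts - chain.last_signal_at < COOLDOWN_S:
            return
        chain.last_signal_at = ev.ts
        out.append(Signal(severity, reason, ev.pid, ev.ts))

    def feed(self, ev: Event) -> List[Signal]:
        out: List[Signal] = []
        if ev.kind == "bind" and ev.family == AF_ALG and ev.uid != 0:
            # Medium: standalone unprivileged bind, no chain dependency. Stage 0 arms the chain.
            out.append(Signal("medium", "unprivileged AF_ALG bind", ev.pid, ev.ts))
            chain = Chain(stage=1, armed_at=ev.ts)
            if ev.pid in self.chains:   # keep the cooldown clock across re-arms
                chain.last_signal_at = self.chains[ev.pid].last_signal_at
            self.chains[ev.pid] = chain
            return out

        chain = self._chain(ev)
        if chain is None:
            return out
        if ev.kind == "setsockopt" and ev.level == SOL_ALG and chain.stage == 1:
            chain.stage = 2          # stage 1 done: now watching for splice/open
        elif chain.stage == 2 and ev.kind == "splice":
            if ev.file_mode & stat.S_ISUID:
                self._emit(chain, ev, "critical", f"splice from setuid binary {ev.path}", out)
            elif ev.file_uid == 0:
                self._emit(chain, ev, "high", f"splice from root-owned file {ev.path}", out)
        elif chain.stage == 2 and ev.kind == "open":
            read_only = (ev.flags & O_ACCMODE) == O_RDONLY
            if read_only and ev.path.startswith(SYSTEM_PREFIXES):
                self._emit(chain, ev, "high", f"read-only open of {ev.path} after stage 2", out)
        return out


def sample_events() -> List[Event]:
    """Constructed event stream (not captured telemetry)."""
    su = dict(path="/usr/bin/su", file_mode=stat.S_IFREG | stat.S_ISUID | 0o755, file_uid=0)
    return [
        # pid 4242: full chain in one process -> medium (bind), then critical (splice)
        Event(0.0, 4242, "bind", family=AF_ALG),
        Event(0.5, 4242, "setsockopt", level=SOL_ALG),
        Event(1.0, 4242, "splice", **su),
        Event(1.2, 4242, "open", path="/etc/pam.d/sudo", file_uid=0),  # suppressed by cooldown
        # pid 5000: bind then splice with no setsockopt -> medium only
        Event(100.0, 5000, "bind", family=AF_ALG),
        Event(101.0, 5000, "splice", **su),
        # pid 6000: root bind (e.g. cryptsetup) -> nothing
        Event(150.0, 6000, "bind", uid=0, family=AF_ALG),
        # pid 7000: chain completes after the 30 s window -> medium only
        Event(200.0, 7000, "bind", family=AF_ALG),
        Event(201.0, 7000, "setsockopt", level=SOL_ALG),
        Event(240.0, 7000, "splice", **su),
    ]


def run_sample() -> List[Signal]:
    det = CopyFailDetector()
    signals: List[Signal] = []
    for ev in sample_events():
        signals.extend(det.feed(ev))
    return signals


if __name__ == "__main__":
    for s in run_sample():
        print(f"{s.severity:8} pid={s.pid} t={s.ts:5.1f} {s.reason}")
```

Run as a script it prints four signals: the medium bind and the critical splice for pid 4242, and medium-only signals for pids 5000 and 7000. The root bind from pid 6000 and the setuid splice that arrives after the 30-second window produce nothing, and the PAM open 0.2 s after the critical signal is held back by the cooldown, which is why the medium tier exists for the cross-process variants the chain cannot see.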

## Triage and response{% #triage-and-response %}

1. **Check severity tier.** Critical signals indicate a high-confidence exploit chain completed. Medium signals (standalone bind) require further investigation — check if the process is a known crypto tool (`libkcapi`, `cryptsetup`, FIPS compliance tooling) or something unexpected.
1. Identify the process and user that triggered the detection. Check `@process.executable.path`, `@process.user`, and `@process.ancestors`.
1. For medium signals, look for correlated splice or privilege escalation activity on the same host within a short time window — this indicates a cross-process exploit variant.
1. Determine if the host/container is running a kernel version vulnerable to CVE-2026-31431. Check `@os.kernel` for versions 6.12 or later without the fix (commit `a664bf3d603d`).
1. Isolate the affected host or terminate the container immediately — the exploit reliably grants root.
1. Check for post-exploitation activity: new processes spawned as root, lateral movement, persistence mechanisms.
1. Apply the kernel patch or disable the `algif_aead` module as a mitigation: `echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf`.
1. Investigate whether other hosts in the fleet are running vulnerable kernels and prioritize patching.
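Steps 4 and 7 above are the ones most easily scripted during triage. The helpers below are an added illustration, not Datadog or project code: they take constructed strings shaped like `uname -r`, `lsmod` and a `modprobe.d` file, apply the 6.12 threshold and the `install algif_aead /bin/false` mitigation from the text, and are deliberately conservative about what a version number alone can prove.

```python
"""Triage helpers for the kernel-version and mitigation checks above.

Added illustration, not Datadog or project code. Inputs are constructed strings
shaped like `uname -r`, `lsmod` and a modprobe.d file.
"""
import re
from typing import Dict, Tuple

AFFECTED_FROM = (6, 12)          # rule text: 6.12 or later without the fix
MODULE = "algif_aead"
# Only the `install <module> <cmd>` override described on the page counts as the
# mitigation; a plain `blacklist` line does not stop an explicit modprobe.
INSTALL_RE = re.compile(r"^\s*install\s+" + MODULE + r"\s+\S+", re.M)


def parse_kernel(release: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]-anything' as reported by uname -r."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def kernel_in_affected_range(release: str) -> bool:
    """True when major.minor >= 6.12. Version alone cannot show whether the fix
    (commit a664bf3d603d) is backported, so True means 'verify patch state'."""
    return parse_kernel(release)[:2] >= AFFECTED_FROM


def module_loaded(lsmod_output: str) -> bool:
    """True if algif_aead appears as a loaded module in lsmod-style output."""
    return any(line.split()[:1] == [MODULE] for line in lsmod_output.splitlines())


def mitigation_present(modprobe_conf: str) -> bool:
    """True if a modprobe.d file carries the install override for algif_aead."""
    return INSTALL_RE.search(modprobe_conf) is not None


def triage(release: str, lsmod_output: str, modprobe_conf: str) -> Dict[str, object]:
    affected = kernel_in_affected_range(release)
    loaded = module_loaded(lsmod_output)
    mitigated = mitigation_present(modprobe_conf)
    if not affected:
        action = "kernel below 6.12: outside the stated affected range"
    elif loaded:
        action = "module loaded on an in-range kernel: patch or unload and apply the install override"
    elif mitigated:
        action = "install override present and module not loaded: confirm the patch state"
    else:
        action = "in-range kernel without the override: patch or add the modprobe.d override"
    return {"kernel_in_range": affected, "module_loaded": loaded,
            "mitigated": mitigated, "action": action}


# Constructed sample inputs (not from a real host).
SAMPLE_RELEASE = "6.12.0-1-amd64"
SAMPLE_LSMOD = "Module                  Size  Used by\nalgif_aead             16384  0\naf_alg                 32768  1 algif_aead\n"
SAMPLE_CONF = "# managed by config tool\ninstall algif_aead /bin/false\n"

if __name__ == "__main__":
    for k, v in triage(SAMPLE_RELEASE, SAMPLE_LSMOD, SAMPLE_CONF).items():
        print(f"{k}: {v}")
```

Two caveats the checks encode: the version test only brackets the affected range, since distributions backport fixes without bumping the minor version, so `kernel_in_range` is a prompt to verify the patch rather than a verdict; and the `modprobe.d` override only works when `algif_aead` is built as a loadable module, so a host where the module is already loaded still needs it unloaded (or the host patched) after the override is written.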

*Requires Agent version 7.68 or greater.*
