---
title: CVE-2026-31431 Copy Fail AF_ALG splice exploitation detected
description: Datadog, the leading service for cloud-scale monitoring.
---

# CVE-2026-31431 Copy Fail AF_ALG splice exploitation detected
Classification: attack | Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004) | Technique: [T1068-exploitation-for-privilege-escalation](https://attack.mitre.org/techniques/T1068)
## Goal{% #goal %}

Detect exploitation of CVE-2026-31431 (Copy Fail), a Linux kernel page cache corruption vulnerability that enables local privilege escalation and container escape.

## Strategy{% #strategy %}

This rule uses a three-stage Agent-side chain to detect the CVE-2026-31431 exploit sequence within a single process:

1. **Stage 0 (bind):** An unprivileged process binds an `AF_ALG` socket — arms the chain.
1. **Stage 1 (setsockopt):** The same process calls `setsockopt` with `SOL_ALG` (level 279) on the `AF_ALG` socket — advances to stage 2.
1. **Stage 2 (splice):** The same process splices from a setuid binary (`/usr/bin/su` or `/bin/su`) — fires the detection.

All three stages must occur in the same process within 30 seconds. A 60-second cooldown prevents duplicate signals from the same process.

The exploit uses the `authencesn` AEAD template to corrupt the page cache of setuid binaries entirely within kernel space, bypassing VFS protections. An attacker then executes the corrupted binary to gain root. Because the page cache is keyed by inode and shared across mount namespaces, a corrupted page is visible to every container and host that map the same underlying file, which also makes this a container escape primitive.

The container-specific case fires at critical severity when the exploit chain is detected inside a container, indicating a potential container escape attempt.
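
The chain described above, as an added example that is not Datadog's rule implementation: a stand-alone Python model of the per-process state machine (bind arms, `SOL_ALG` setsockopt advances, splice from a setuid target fires), with the 30-second chain window and 60-second cooldown, replayed over a constructed syscall stream. The `Event` and `CopyFailDetector` names, the event field layout and the `high` severity for the host case are this example's assumptions; `AF_ALG` (38) and `SOL_ALG` (279) are the kernel's values.

```python
from dataclasses import dataclass
from typing import Optional

AF_ALG = 38      # socket family for the kernel crypto API
SOL_ALG = 279    # setsockopt level for AF_ALG sockets
SETUID_TARGETS = {"/usr/bin/su", "/bin/su"}  # splice sources the rule watches
CHAIN_WINDOW_S = 30.0  # all three stages must land within this window
COOLDOWN_S = 60.0      # suppress repeat signals from the same process


@dataclass
class Event:
    # One syscall observation; field names are this example's, not Datadog's.
    ts: float
    pid: int
    uid: int
    syscall: str                    # "bind" | "setsockopt" | "splice"
    family: Optional[int] = None    # bind: socket family
    level: Optional[int] = None     # setsockopt: option level
    src_path: Optional[str] = None  # splice: file backing the input fd
    container_id: Optional[str] = None


@dataclass
class Chain:
    completed: int   # stages completed: 1 after bind, 2 after setsockopt
    armed_at: float  # timestamp of the arming bind


class CopyFailDetector:
    def __init__(self) -> None:
        self._chains: dict[int, Chain] = {}       # per-pid chain state
        self._last_signal: dict[int, float] = {}  # per-pid cooldown clock

    def feed(self, ev: Event) -> Optional[dict]:
        """Advance the chain for ev.pid; return a signal when stage 2 fires."""
        chain = self._chains.get(ev.pid)
        if chain and ev.ts - chain.armed_at > CHAIN_WINDOW_S:
            del self._chains[ev.pid]  # 30 s window elapsed: chain expires
            chain = None

        if ev.syscall == "bind":
            # Stage 0: an unprivileged process binds AF_ALG -> arm (or re-arm).
            if ev.family == AF_ALG and ev.uid != 0:
                self._chains[ev.pid] = Chain(completed=1, armed_at=ev.ts)
        elif ev.syscall == "setsockopt":
            # Stage 1: SOL_ALG is only valid on AF_ALG sockets, so the level
            # alone identifies it here; a real agent would also match the fd.
            if chain and chain.completed == 1 and ev.level == SOL_ALG:
                chain.completed = 2
        elif ev.syscall == "splice":
            # Stage 2: splice from a setuid target -> fire, unless in cooldown.
            if chain and chain.completed == 2 and ev.src_path in SETUID_TARGETS:
                del self._chains[ev.pid]  # chain consumed either way
                last = self._last_signal.get(ev.pid)
                if last is None or ev.ts - last >= COOLDOWN_S:
                    self._last_signal[ev.pid] = ev.ts
                    return {
                        "pid": ev.pid,
                        "target": ev.src_path,
                        "in_container": ev.container_id is not None,
                        # Only the container case is specified as critical;
                        # "high" for the host case is this example's assumption.
                        "severity": "critical" if ev.container_id else "high",
                    }
        return None


def run(events: list[Event]) -> list[dict]:
    """Replay events in order and collect the signals the chain emits."""
    det = CopyFailDetector()
    return [sig for ev in events if (sig := det.feed(ev)) is not None]


# Constructed sample stream, not real telemetry.
SAMPLE_EVENTS = [
    # pid 4242 on the host: full chain inside the window -> fires once.
    Event(100.0, 4242, 1000, "bind", family=AF_ALG),
    Event(101.0, 4242, 1000, "setsockopt", level=SOL_ALG),
    Event(105.0, 4242, 1000, "splice", src_path="/usr/bin/su"),
    # pid 4242 repeats within 60 s -> suppressed by the cooldown.
    Event(110.0, 4242, 1000, "bind", family=AF_ALG),
    Event(111.0, 4242, 1000, "setsockopt", level=SOL_ALG),
    Event(112.0, 4242, 1000, "splice", src_path="/bin/su"),
    # pid 5151: setsockopt lands 40 s after bind -> chain expired, no signal.
    Event(200.0, 5151, 1000, "bind", family=AF_ALG),
    Event(240.0, 5151, 1000, "setsockopt", level=SOL_ALG),
    Event(241.0, 5151, 1000, "splice", src_path="/usr/bin/su"),
    # pids 6161/6162: stages split across processes -> no signal.
    Event(300.0, 6161, 1000, "bind", family=AF_ALG),
    Event(301.0, 6162, 1000, "setsockopt", level=SOL_ALG),
    Event(302.0, 6162, 1000, "splice", src_path="/usr/bin/su"),
    # pid 8080 inside a container -> fires at critical severity.
    Event(500.0, 8080, 1000, "bind", family=AF_ALG, container_id="c0ffee"),
    Event(502.0, 8080, 1000, "setsockopt", level=SOL_ALG, container_id="c0ffee"),
    Event(503.0, 8080, 1000, "splice", src_path="/usr/bin/su", container_id="c0ffee"),
]
```

Calling `run(SAMPLE_EVENTS)` yields exactly two signals: the first host chain (the repeat is swallowed by the cooldown) and the container chain at critical severity; the expired and cross-process streams produce nothing, which is the behaviour the "same process within 30 seconds" constraint is meant to enforce.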

## Triage and response{% #triage-and-response %}

1. Identify the process and user that triggered the chain. Check `@process.executable.path`, `@process.user`, and `@process.ancestors`.
1. Determine whether the host or container is running a kernel version vulnerable to CVE-2026-31431. Check `@os.kernel` for versions 6.12 or later without the fix (commit `a664bf3d603d`).
1. Isolate the affected host or terminate the container immediately — the exploit reliably grants root.
1. Check for post-exploitation activity: new processes spawned as root, lateral movement, persistence mechanisms.
1. Apply the kernel patch or, as an interim mitigation, block the `algif_aead` module: `echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf`. This only prevents future loads, so unload the module if it is already present (`modprobe -r algif_aead`), and note that it has no effect on kernels where the AEAD userspace interface is built in rather than modular (`CONFIG_CRYPTO_USER_API_AEAD=y`). Any legitimate `AF_ALG` AEAD users on the host will lose that interface until the patch is applied.
1. Investigate whether other hosts in the fleet are running vulnerable kernels and prioritize patching.

*Requires Agent version 7.68 or greater.*
