GitHub - kadir/copy-fail-CVE-2026-31431-IOC: Detection, mitigation, and IOC toolkit for Copy Fail CVE-2026-31431 Linux kernel page-cache privilege escalation


copyfail-detect

Detection toolkit for CVE-2026-31431 ("Copy Fail"), a Linux kernel local privilege escalation technique that corrupts page-cache data without changing the file on disk.

Why This Exists

Copy Fail can bypass traditional file integrity monitoring because the on-disk file is not modified. This repository provides layered detection using auditd, eBPF, page-cache comparison, Sigma rules, and responder documentation.

The eBPF monitor is the highest-fidelity detector: it watches AF_ALG activity, extracts authencesn bind attempts, tracks suspicious splice() usage, and correlates those events into a high-confidence exploit-chain alert.
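To illustrate the correlation step the monitor performs, here is an added Python example (not the repository's own monitor code) that replays constructed telemetry in a hypothetical JSON-lines schema and raises an alert only when a single PID creates an AF_ALG socket, binds an authencesn algorithm, and then calls splice() within a short window; the schema, field names, and five-second window are assumptions.

```python
"""Toy exploit-chain correlator for the three signals the eBPF monitor watches:
AF_ALG socket creation, an authencesn bind, and a splice() call.
Events are constructed in a hypothetical JSON-lines schema, not the repo's format."""
import json
from collections import defaultdict

WINDOW_SECONDS = 5.0  # assumption: the chain completes within a few seconds

# Constructed sample telemetry: pid 4242 performs the full chain; pid 777 is a
# legitimate AF_ALG hashing client (no authencesn, no splice); pid 999 splices
# without touching AF_ALG; pid 555 completes the chain but far too slowly.
SAMPLE_EVENTS = [
    '{"ts": 50.0,  "pid": 555,  "kind": "af_alg_socket"}',
    '{"ts": 50.1,  "pid": 555,  "kind": "af_alg_bind", "alg": "authencesn(hmac(sha256),cbc(aes))"}',
    '{"ts": 60.0,  "pid": 555,  "kind": "splice", "path": "/etc/shadow"}',
    '{"ts": 100.0, "pid": 777,  "kind": "af_alg_socket"}',
    '{"ts": 100.1, "pid": 777,  "kind": "af_alg_bind", "alg": "sha256"}',
    '{"ts": 101.0, "pid": 4242, "kind": "af_alg_socket"}',
    '{"ts": 101.2, "pid": 4242, "kind": "af_alg_bind", "alg": "authencesn(hmac(sha256),cbc(aes))"}',
    '{"ts": 101.9, "pid": 4242, "kind": "splice", "path": "/etc/passwd"}',
    '{"ts": 102.0, "pid": 999,  "kind": "splice", "path": "/tmp/x"}',
]

def correlate(lines, window=WINDOW_SECONDS):
    """Return one alert per pid that completes socket -> authencesn bind -> splice,
    in that order, within `window` seconds of the AF_ALG socket creation."""
    state = defaultdict(dict)   # pid -> {"socket": ts, "bind": ts}
    alerts = []
    for line in lines:
        ev = json.loads(line)
        pid, ts, kind = ev["pid"], ev["ts"], ev["kind"]
        st = state[pid]
        if kind == "af_alg_socket":
            state[pid] = {"socket": ts}            # a new socket restarts the chain
        elif kind == "af_alg_bind" and "socket" in st:
            if ev.get("alg", "").startswith("authencesn"):
                st["bind"] = ts                    # only the risky template counts
        elif kind == "splice" and "bind" in st and ts - st["socket"] <= window:
            alerts.append({"pid": pid, "target": ev.get("path"),
                           "chain_seconds": round(ts - st["socket"], 3)})
            state.pop(pid)                         # alert once per completed chain
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT possible Copy Fail chain:", alert)
```

Per-PID state is deliberately minimal so the same logic can sit behind an eBPF perf buffer or an ausearch pipeline; a production version would also expire stale state and carry the UID and comm of the process.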

Quick Start

Check whether the risky kernel crypto surface is exposed:

python3 check/is_vulnerable.py

Apply the immediate mitigation:

sudo bash mitigate/disable_algif_aead.sh

Deploy auditd detection rules:

sudo cp detect/auditd/copyfail.rules /etc/audit/rules.d/
sudo augenrules --load
sudo ausearch -k copyfail_af_alg

Run the real-time eBPF monitor:

sudo python3 detect/ebpf/copyfail_monitor.py
sudo python3 detect/ebpf/copyfail_monitor.py --json

Check for page-cache tampering after suspected exploitation:

sudo python3 detect/pagecache-check/pagecache_diff.py

Detection Layers

| Layer | What It Catches | When | Tool |
| --- | --- | --- | --- |
| eBPF monitor | AF_ALG, authencesn, splice(), exploit-chain correlation | During exploitation | bcc/bpftrace |
| Auditd rules | AF_ALG socket creation, suspicious syscalls, sensitive file reads | During exploitation | auditd |
| Page-cache diff | In-memory file data diverging from disk | After exploitation | Python |
| Sigma rules | SIEM alerts from audit/syslog telemetry | During/after exploitation | SIEM |
| IOC docs | Responder checklist and YARA rule | Investigation | docs |

Repository Layout

check/                  Safe exposure and sentinel checks
detect/auditd/          auditd rules and deployment notes
detect/ebpf/            bcc and bpftrace real-time monitors
detect/pagecache-check/ Page-cache vs disk comparison
detect/sigma/           Sigma rules for SIEMs
docs/                   Detection, IOC, architecture, and forensics guides
mitigate/               Local and Ansible mitigation helpers
tests/                  Syntax and unit tests

Safety Notes

The vulnerability checker only uses a temporary sentinel file and never targets system files. The page-cache diff tool is a detective control, not a forensic one: reading the file may evict the corrupted page it is checking, so preserve memory first if you need forensic evidence.

Acknowledgements

Thanks to Theori and Xint Code for surfacing, analyzing, and responsibly disclosing Copy Fail. This repository builds on their public research so defenders can detect, mitigate, and investigate CVE-2026-31431 safely.