« Chroot Execution in Container Context on Linux Suspicious SUID Binary Execution »

› ›

Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket

Correlates a burst of non-root AF_ALG-class "socket", "splice", or "bound-socket" telemetry with a subsequent process execution where effective user is root but the login user remains non-root. This sequence matches common post-exploitation chains for Copy Fail (CVE-2026-31431) style abuse where AF_ALG and "splice" primitives precede executing a corrupted setuid binary from cache.

Rule type: eql

Rule indices:

auditbeat-*
logs-auditd_manager.auditd-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Use Case: Vulnerability
Tactic: Privilege Escalation
Data Source: Auditd Manager
Resources: Investigation Guide

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket

Copy Fail (CVE-2026-31431) abuses the Linux kernel authencesn AEAD path through AF_ALG and splice() to write four controlled bytes into the page cache of a readable file. Public exploitation targets setuid-root binaries such as /usr/bin/su, then executes the corrupted in-memory copy to gain root. The file on disk is not modified, so traditional on-disk integrity checks may miss the activity.

This sequence rule requires many (runs=10) non-root splice or AF_ALG-related socket events (auditd.data.a0 == "26") within 60 seconds, followed by an executed event where user.effective.id is root while user.id is still non-root. That ordering aligns with abusing AF_ALG/splice primitives and then running a setuid-root helper whose page cache was targeted.

Possible investigation steps

Review the grouped host.name, user.name, and process.name values in the alert, then inspect the original audit events for process.executable, process.command_line, process.pid, parent process details, working directory, and session or login context.
Determine whether the process is an interpreter or ad-hoc binary. Public proof-of-concept behavior may appear as a short Python script using standard library modules and calls such as socket.socket(38, 5, 0), authencesn, os.splice, or MSG_MORE.
Pivot on the same host, user, process name, and nearby timestamps for additional syscall activity from the same process tree, especially splice, sendmsg, recvmsg, or repeated socket activity.
Look for execution of setuid-root binaries shortly after the AF_ALG socket creation, including /usr/bin/su, /usr/bin/sudo, /usr/bin/passwd, /usr/bin/mount, /usr/bin/newgrp, /usr/bin/gpasswd, or /usr/bin/chfn.
Check for evidence of a UID transition to root from the same process tree, followed by root shell activity, persistence creation, credential access, or security control tampering.
Check container fields such as container.id and container.image.name. Because this primitive abuses the shared host page cache, container-originated activity should be treated as a possible node-compromise attempt.
Confirm the host kernel version and distribution advisory status. Prioritize hosts running vulnerable kernels or untrusted container workloads.

False positive analysis

Legitimate unprivileged AF_ALG consumers are rare, but some environments may use kernel crypto testing, disk encryption tooling, IPsec helpers, HSM integration software, or approved research systems.
Verify whether the process name and executable path are expected on the host. Confirm that the user identity, host role, and execution time align with documented administrative or testing activity.
If the activity is expected, add a narrow exception using stable values such as process.executable, user.id, and host.id rather than broad process-name-only exclusions.
Treat interpreter-driven AF_ALG use, activity from temporary directories, or AF_ALG use inside containers as suspicious unless there is a documented reason.

Response and remediation

Isolate the affected Linux host if unauthorized AF_ALG activity cannot be quickly ruled out. Treat confirmed exploitation as root compromise.
Terminate the alerting process and any suspicious child processes. Preserve memory, exploit scripts, shell history, temporary files, and relevant audit logs for forensic review.
Inspect setuid-root binaries that may have been targeted. Remember that the vulnerable write affects the page cache, not the on-disk file; normal file-integrity checks may not show the corrupted in-memory state.
Rebuild or reimage the host if successful privilege escalation cannot be ruled out. Rotate credentials, SSH keys, tokens, and secrets that were accessible to the affected user or any root shell spawned afterward.
Patch the kernel with the vendor fix for CVE-2026-31431. Until patched, consider blocking algif_aead module loading or restricting AF_ALG socket creation via seccomp for untrusted workloads.
For containerized environments, patch the underlying node kernel. Rebuilding container images does not remediate the host kernel vulnerability.

Setup

edit

Setup

This rule requires data coming in from one of the following integrations: - Auditbeat - Auditd Manager

Auditbeat Setup

Auditbeat is a lightweight shipper that you can install on your servers to audit user and process activity. It can collect and centralize events from the Linux Audit Framework.

The following steps should be executed in order to add Auditbeat on a Linux system:

Elastic provides repositories available for APT and YUM-based distributions. To install the repositories, follow the setup instructions in the helper guide.
For complete "Setup and Run Auditbeat" instructions, refer to the helper guide.
To run Auditbeat on Docker or Kubernetes, follow the relevant deployment guides in the Auditbeat documentation.

Auditd Manager Integration Setup

The Auditd Manager integration receives audit events from the Linux Audit Framework, which is part of the Linux kernel. Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon.

The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux system:

Go to the Kibana home page and click "Add integrations".
In the query bar, search for "Auditd Manager" and select the integration to see more details.
Click "Add Auditd Manager".
Configure the integration name and optionally add a description.
Review optional and advanced settings as needed.
Add the newly installed "auditd manager" integration to an existing or new agent policy, and deploy the agent on Linux systems where detection is desired.
Click "Save and Continue".
For more details on the integration, refer to the helper guide.

Rule Specific Setup Note

This detection relies on auditing one of the 3 event types socket or splice or bound-socket event. If your environment uses a minimal audit ruleset, add rules similar to the following in the integration’s "audit rules" configuration:

-a always,exit -F arch=b64 -S socket -k socket_syscall
-a always,exit -F arch=b32 -S socketcall -k socket_syscall
-a always,exit -F arch=b64 -S splice -k splice-syscall
-a always,exit -F arch=b32 -S splice -k splice-syscall
-a always,exit -F arch=b64 -S bind -k socket_bound
-a always,exit -F arch=b32 -S bind -k socket_bound

Rule query

edit

sequence with maxspan=60s
  [any where host.os.type == "linux" and
   (
    (event.category == "process" and auditd.data.syscall == "socket" and auditd.data.a0 == "26") or
    (event.category == "process" and auditd.data.syscall == "splice") or
    (event.category == "network" and event.action == "bound-socket" and data_stream.dataset == "auditd_manager.auditd" and ?auditd.data.socket.family == "38")
    )
   and user.id != "0"]  by process.pid, host.id, user.id with runs=10
  [process where host.os.type == "linux"  and event.action == "executed" and
   (
     (user.effective.id == "0" and user.id != "0") or
     (process.name in ("bash", "sh", "zsh", "dash", "fish", "ksh", "busybox") and
      process.args in ("-c", "--command", "-ic", "-ci", "-cl", "-lc", "-bash", "-sh", "-zsh", "-dash", "-fish", "-ksh"))
    )] by process.parent.pid, host.id, user.id

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Exploitation for Privilege Escalation
- ID: T1068
- Reference URL: https://attack.mitre.org/techniques/T1068/
Technique:
- Name: Abuse Elevation Control Mechanism
- ID: T1548
- Reference URL: https://attack.mitre.org/techniques/T1548/
Sub-technique:
- Name: Setuid and Setgid
- ID: T1548.001
- Reference URL: https://attack.mitre.org/techniques/T1548/001/

« Chroot Execution in Container Context on Linux Suspicious SUID Binary Execution »