A newly disclosed kernel flaw (CVE-2026-31431, 'Copy Fail') uses AF_ALG sockets and splice to overwrite bytes in the kernel page cache, so that the in-memory image of a setuid binary is altered without touching the on-disk file. This lets an unprivileged local user escalate to root reliably, and it can cross container boundaries because the page cache is shared between containers on the same host; standard file-integrity checks, which compare against the on-disk file, do not detect the modification.
This exposes a class of in-memory, stealthy privilege-escalation attacks that forces changes in incident detection, kernel hardening, container isolation, and cloud patch priorities.
BeauHD
2026.04.30
The article cites the Copy Fail exploit (CVE-2026-31431), a 732-byte proof-of-concept that overwrites the page-cache bytes of /usr/bin/su via AF_ALG plus splice, and notes that kernels since 2017 are affected and that the primitive can leak across containers.