Validated container escape from a fully unprivileged pod to node-level code execution — now on Alibaba Cloud ACK, Amazon EKS, and Google GKE.
An unprivileged pod corrupts the page cache of shared image layers via CVE-2026-31431, weaponizing the privileged kube-proxy DaemonSet to execute attacker-supplied code with full node access. No capabilities, no hostPath, no privileged flag required on the attacker pod.
Highlights
- ☁️ GKE support — new payload with COS/Ubuntu device auto-detection for Google GKE nodes, validated on Container-Optimized OS (kernel 6.12.68) with read-only root filesystem and writable stateful partition
- 🎯 Three major cloud platforms — ACK, EKS, and GKE all confirmed vulnerable; the exploit generalizes to any managed Kubernetes with shared image layers and privileged DaemonSets
- 🛡️ Mitigation examples — added references to vArmor copy-fail-mitigation (AppArmor/BPF) and copyfail-ebpf-k8s (eBPF)
- 📦 Pre-built binaries — download `copyfail-linux-amd64` (ACK/upstream), `copyfail-eks-linux-amd64` (EKS), or `copyfail-gke-linux-amd64` (GKE) below
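The exploit chain relies on a privileged DaemonSet whose image layers an unprivileged pod can share. As an added defender-side check (not code from this repository), the script below reads the JSON that `kubectl get daemonsets -A -o json` prints and flags every DaemonSet whose pod template grants node-level access (privileged containers, SYS_ADMIN/ALL capabilities, host namespaces, hostPath volumes). The embedded sample document is constructed and uses placeholder image names.

```python
import json

# Constructed sample in the shape of `kubectl get daemonsets -A -o json`
# (not real cluster output): one privileged kube-proxy DaemonSet and one
# DaemonSet that holds no host-level privileges.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "hostNetwork": True,
         "volumes": [{"name": "lib-modules", "hostPath": {"path": "/lib/modules"}}],
         "containers": [{"name": "kube-proxy", "image": "registry.example/kube-proxy:v1.30",
                         "securityContext": {"privileged": True}}]}}}},
    {"metadata": {"name": "node-exporter", "namespace": "monitoring"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "exporter", "image": "registry.example/exporter:1.0",
                         "securityContext": {"runAsNonRoot": True}}]}}}},
]})

def daemonset_risks(daemonset_list_json):
    """Return {namespace/name: [reasons]} for DaemonSets whose pod template
    grants node-level access. These are the workloads whose image layers
    deserve the page-cache hardening the release notes point to."""
    findings = {}
    for item in json.loads(daemonset_list_json).get("items", []):
        meta = item["metadata"]
        pod = item["spec"]["template"]["spec"]
        reasons = []
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                reasons.append(f"container {c['name']} is privileged")
            caps = (sc.get("capabilities") or {}).get("add") or []
            if any(cap.upper() in ("SYS_ADMIN", "ALL") for cap in caps):
                reasons.append(f"container {c['name']} adds {caps}")
        for ns in ("hostPID", "hostIPC", "hostNetwork"):  # host namespaces
            if pod.get(ns):
                reasons.append(f"{ns} enabled")
        for v in pod.get("volumes", []):  # node filesystem exposure
            if "hostPath" in v:
                reasons.append(f"hostPath volume {v['hostPath'].get('path')}")
        if reasons:
            findings[f"{meta['namespace']}/{meta['name']}"] = reasons
    return findings

if __name__ == "__main__":
    for ds, reasons in daemonset_risks(SAMPLE).items():
        print(ds, "->", "; ".join(reasons))
```

Pipe real cluster output into `daemonset_risks` to get the list of DaemonSets to cover with the vArmor or eBPF mitigations referenced above.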
GKE-Specific Notes
- GKE kube-proxy uses a provider-managed Artifact Registry image; the PoC builds directly `FROM` the exact GKE `kube-proxy` image tag to guarantee layer sharing
- Container-Optimized OS mounts root read-only — the payload writes to `/mnt/stateful_partition/copyfail-res` via the writable `/dev/sda1` partition
- Full walkthrough: docs/gke-poc.md
Full Changelog: v0.1.0...v0.2.0