Detection toolkit for CVE-2026-31431 ("Copy Fail"), a Linux kernel local privilege escalation technique that corrupts page-cache data without changing the file on disk.
Copy Fail can bypass traditional file integrity monitoring because the on-disk file is not modified. This repository provides layered detection using auditd, eBPF, page-cache comparison, Sigma rules, and responder documentation.
The eBPF monitor is the highest-fidelity detector: it watches AF_ALG activity,
extracts authencesn bind attempts, tracks suspicious splice() usage, and
correlates those events into a high-confidence exploit-chain alert.
Check whether the risky kernel crypto surface is exposed:
```bash
python3 check/is_vulnerable.py
```

Apply the immediate mitigation:

```bash
sudo bash mitigate/disable_algif_aead.sh
```

Deploy auditd detection rules:

```bash
sudo cp detect/auditd/copyfail.rules /etc/audit/rules.d/
sudo augenrules --load
sudo ausearch -k copyfail_af_alg
```

Run the real-time eBPF monitor:

```bash
sudo python3 detect/ebpf/copyfail_monitor.py
sudo python3 detect/ebpf/copyfail_monitor.py --json
```

Check for page-cache tampering after suspected exploitation:

```bash
sudo python3 detect/pagecache-check/pagecache_diff.py
```

| Layer | What It Catches | When | Tool |
|---|---|---|---|
| eBPF monitor | AF_ALG, authencesn, splice(), exploit-chain correlation | During exploitation | bcc/bpftrace |
| Auditd rules | AF_ALG socket creation, suspicious syscalls, sensitive file reads | During exploitation | auditd |
| Page-cache diff | In-memory file data diverging from disk | After exploitation | Python |
| Sigma rules | SIEM alerts from audit/syslog telemetry | During/after exploitation | SIEM |
| IOC docs | Responder checklist and YARA rule | Investigation | docs |
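As an added example that is not part of this toolkit (the repository's own bcc/bpftrace and auditd logic is not reproduced here), the Python below replays auditd records through the same three-stage correlation the eBPF monitor and the auditd layer in the table describe: an AF_ALG socket, followed by a bind() to an `aead` transform named `authencesn(...)`, followed by splice() from the same process. It assumes x86_64 syscall numbers, the `copyfail_af_alg` audit key from the deployment commands above, and constructed sample records in place of real telemetry; decoding the bind address relies on auditd's SOCKADDR record carrying the raw sockaddr in its `saddr=` hex field.

```python
"""Added example, not code from the Copy Fail toolkit: correlate auditd records
into the AF_ALG socket -> authencesn bind -> splice chain and raise one alert
per process that completes it. Syscall numbers assume x86_64."""
import re
import struct
from collections import defaultdict

AF_ALG = 38                                      # kernel crypto API socket family
SYS_SOCKET, SYS_BIND, SYS_SPLICE = 41, 49, 275   # x86_64 only (assumption)

# struct sockaddr_alg: salg_family, salg_type[14], salg_feat, salg_mask, salg_name[64]
SOCKADDR_ALG = struct.Struct("<H14sII64s")

REC_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _cstr(raw):
    """NUL-terminated C string -> str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def pack_sockaddr_alg(alg_type, alg_name):
    """Build the bytes bind() receives for AF_ALG; used here only to construct sample data."""
    return SOCKADDR_ALG.pack(AF_ALG, alg_type.encode().ljust(14, b"\0"),
                             0, 0, alg_name.encode().ljust(64, b"\0"))


def parse_sockaddr_alg(saddr_hex):
    """Decode the saddr= hex of an auditd SOCKADDR record as sockaddr_alg.
    Returns {'type', 'name'} or None when the address is not an AF_ALG address."""
    raw = bytes.fromhex(saddr_hex)
    if len(raw) < SOCKADDR_ALG.size:
        return None
    family, alg_type, _feat, _mask, alg_name = SOCKADDR_ALG.unpack_from(raw)
    if family != AF_ALG:
        return None
    return {"type": _cstr(alg_type), "name": _cstr(alg_name)}


def parse_record(line):
    """Split one audit line into its record type, event serial and key=value fields."""
    m = REC_RE.match(line.strip())
    if not m:
        return None
    rec_type, _ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"type": rec_type, "serial": int(serial), **fields}


def correlate(lines):
    """Return one alert per pid that creates an AF_ALG socket, binds an
    aead/authencesn(...) transform and then calls splice()."""
    # auditd emits SYSCALL and SOCKADDR as separate lines sharing one event serial
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec

    state = defaultdict(lambda: {"af_alg": False, "alg_name": None})
    alerts = []
    for serial in sorted(events):
        ev = events[serial]
        sc = ev.get("SYSCALL")
        if sc is None or "pid" not in sc or "syscall" not in sc:
            continue
        pid, nr = int(sc["pid"]), int(sc["syscall"])
        st = state[pid]
        if nr == SYS_SOCKET and int(sc.get("a0", "0"), 16) == AF_ALG:
            st["af_alg"] = True                                   # stage 1
        elif nr == SYS_BIND and st["af_alg"] and "SOCKADDR" in ev:
            alg = parse_sockaddr_alg(ev["SOCKADDR"].get("saddr", ""))
            if alg and alg["type"] == "aead" and alg["name"].startswith("authencesn("):
                st["alg_name"] = alg["name"]                      # stage 2
        elif nr == SYS_SPLICE and st["alg_name"] and pid not in {a["pid"] for a in alerts}:
            alerts.append({"pid": pid, "comm": sc.get("comm"), "exe": sc.get("exe"),
                           "alg_name": st["alg_name"], "serial": serial,
                           "chain": "AF_ALG socket -> authencesn bind -> splice"})  # stage 3
    return alerts


# Constructed sample records (not real telemetry). pid 4242 completes the chain;
# pid 5151 is a benign AF_ALG user that binds hash/sha256 and never splices.
_CHAIN = pack_sockaddr_alg("aead", "authencesn(hmac(sha256),cbc(aes))").hex().upper()
_BENIGN = pack_sockaddr_alg("hash", "sha256").hex().upper()
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1712345678.100:101): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=26 a1=5 a2=0 a3=0 pid=4242 auid=1000 uid=1000 comm="cf" exe="/tmp/cf" key="copyfail_af_alg"',
    'type=SYSCALL msg=audit(1712345678.101:102): arch=c000003e syscall=49 success=yes exit=0 '
    'a0=3 a1=7ffd0 a2=58 a3=0 pid=4242 auid=1000 uid=1000 comm="cf" exe="/tmp/cf"',
    f'type=SOCKADDR msg=audit(1712345678.101:102): saddr={_CHAIN}',
    'type=SYSCALL msg=audit(1712345678.102:103): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=26 a1=5 a2=0 a3=0 pid=5151 auid=1001 uid=1001 comm="kcapi" exe="/usr/bin/kcapi" key="copyfail_af_alg"',
    'type=SYSCALL msg=audit(1712345678.103:104): arch=c000003e syscall=49 success=yes exit=0 '
    'a0=3 a1=7ffd0 a2=58 a3=0 pid=5151 auid=1001 uid=1001 comm="kcapi" exe="/usr/bin/kcapi"',
    f'type=SOCKADDR msg=audit(1712345678.103:104): saddr={_BENIGN}',
    'type=SYSCALL msg=audit(1712345678.104:105): arch=c000003e syscall=275 success=yes exit=4096 '
    'a0=4 a1=0 a2=5 a3=0 pid=4242 auid=1000 uid=1000 comm="cf" exe="/tmp/cf"',
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_AUDIT_LOG):
        print(alert)
```

On a real host the input is the raw record stream, for example `ausearch -k copyfail_af_alg --raw` read line by line; only records that an audit rule actually captured reach the correlator, which is why the table ranks the eBPF monitor as the higher-fidelity detector and this audit-side replay as a complement. On non-x86_64 hosts the three syscall numbers must be changed, and a legitimate AF_ALG consumer that binds a non-authencesn transform, as pid 5151 does here, is deliberately not alerted on.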
```
check/                   Safe exposure and sentinel checks
detect/auditd/           auditd rules and deployment notes
detect/ebpf/             bcc and bpftrace real-time monitors
detect/pagecache-check/  Page-cache vs disk comparison
detect/sigma/            Sigma rules for SIEMs
docs/                    Detection, IOC, architecture, and forensics guides
mitigate/                Local and Ansible mitigation helpers
tests/                   Syntax and unit tests
```
The vulnerability checker only uses a temporary sentinel file and never targets system files. The page-cache diff tool is detective and may evict the corrupted page it is checking; preserve memory first if you need forensic evidence.
- Research and disclosure credit: Theori / Xint Code
- Disclosure: https://copy.fail/
- Technical writeup: https://xint.io/blog/copy-fail-linux-distributions
- CVE: CVE-2026-31431
- Kernel fix: commit a664bf3d603d
- Theori PoC: https://github.com/theori-io/copy-fail-CVE-2026-31431
Thanks to Theori and Xint Code for surfacing, analyzing, and responsibly disclosing Copy Fail. This repository builds on their public research so defenders can detect, mitigate, and investigate CVE-2026-31431 safely.