← Back to Explore
elastichighTTP
Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket
Correlates a burst of non-root AF_ALG-class "socket", "splice", or "bound-socket" telemetry with a subsequent process execution where effective user is root but the login user remains non-root. This sequence matches common post-exploitation chains for Copy Fail (CVE-2026-31431) style abuse where AF_ALG and "splice" primitives precede executing a corrupted setuid binary from cache.
Detection Query
sequence with maxspan=60s
[any where host.os.type == "linux" and
(
(event.category == "process" and auditd.data.syscall == "socket" and auditd.data.a0 == "26") or
(event.category == "process" and auditd.data.syscall == "splice") or
(event.category == "network" and event.action == "bound-socket" and data_stream.dataset == "auditd_manager.auditd" and ?auditd.data.socket.family == "38")
)
and user.id != "0"] by process.pid, host.id, user.id with runs=10
[process where host.os.type == "linux" and event.action == "executed" and
(
(user.effective.id == "0" and user.id != "0") or
(process.name in ("bash", "sh", "zsh", "dash", "fish", "ksh", "busybox") and
process.args in ("-c", "--command", "-ic", "-ci", "-cl", "-lc", "-bash", "-sh", "-zsh", "-dash", "-fish", "-ksh"))
)] by process.parent.pid, host.id, user.id
Author
Elastic
Created
2026/04/29
Data Sources
Auditd Managerauditbeat-*logs-auditd_manager.auditd-*
References
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionUse Case: VulnerabilityTactic: Privilege EscalationData Source: Auditd ManagerResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/04/29"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2026/04/29"
[rule]
author = ["Elastic"]
description = """
Correlates a burst of non-root AF_ALG-class "socket", "splice", or "bound-socket" telemetry with a subsequent process execution
where effective user is root but the login user remains non-root. This sequence matches common post-exploitation chains
for Copy Fail (CVE-2026-31431) style abuse where AF_ALG and "splice" primitives precede executing a corrupted setuid
binary from cache.
"""
false_positives = [
"""
Legitimate AF_ALG usage from unprivileged users is uncommon, but some kernel crypto tests, IPsec helpers, disk
encryption tooling, HSM integrations, or approved security research systems may exercise this interface. Verify the
process, user, and host role before adding an exception.
""",
]
from = "now-6m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket
Copy Fail (CVE-2026-31431) abuses the Linux kernel `authencesn` AEAD path through AF_ALG and `splice()` to write four controlled bytes into the page cache of a readable file. Public exploitation targets setuid-root binaries such as `/usr/bin/su`, then executes the corrupted in-memory copy to gain root. The file on disk is not modified, so traditional on-disk integrity checks may miss the activity.
This sequence rule requires many (`runs=10`) non-root `splice` or AF_ALG-related `socket` events (`auditd.data.a0 == "26"`)
within 60 seconds, followed by an `executed` event where `user.effective.id` is root while `user.id` is still non-root.
That ordering aligns with abusing AF_ALG/`splice` primitives and then running a setuid-root helper whose page cache was
targeted.
### Possible investigation steps
- Review the grouped `host.name`, `user.name`, and `process.name` values in the alert, then inspect the original audit events for `process.executable`, `process.command_line`, `process.pid`, parent process details, working directory, and session or login context.
- Determine whether the process is an interpreter or ad-hoc binary. Public proof-of-concept behavior may appear as a short Python script using standard library modules and calls such as `socket.socket(38, 5, 0)`, `authencesn`, `os.splice`, or `MSG_MORE`.
- Pivot on the same host, user, process name, and nearby timestamps for additional syscall activity from the same process tree, especially `splice`, `sendmsg`, `recvmsg`, or repeated `socket` activity.
- Look for execution of setuid-root binaries shortly after the AF_ALG socket creation, including `/usr/bin/su`, `/usr/bin/sudo`, `/usr/bin/passwd`, `/usr/bin/mount`, `/usr/bin/newgrp`, `/usr/bin/gpasswd`, or `/usr/bin/chfn`.
- Check for evidence of a UID transition to root from the same process tree, followed by root shell activity, persistence creation, credential access, or security control tampering.
- Check container fields such as `container.id` and `container.image.name`. Because this primitive abuses the shared host page cache, container-originated activity should be treated as a possible node-compromise attempt.
- Confirm the host kernel version and distribution advisory status. Prioritize hosts running vulnerable kernels or untrusted container workloads.
### False positive analysis
- Legitimate unprivileged AF_ALG consumers are rare, but some environments may use kernel crypto testing, disk encryption tooling, IPsec helpers, HSM integration software, or approved research systems.
- Verify whether the process name and executable path are expected on the host. Confirm that the user identity, host role, and execution time align with documented administrative or testing activity.
- If the activity is expected, add a narrow exception using stable values such as `process.executable`, `user.id`, and `host.id` rather than broad process-name-only exclusions.
- Treat interpreter-driven AF_ALG use, activity from temporary directories, or AF_ALG use inside containers as suspicious unless there is a documented reason.
### Response and remediation
- Isolate the affected Linux host if unauthorized AF_ALG activity cannot be quickly ruled out. Treat confirmed exploitation as root compromise.
- Terminate the alerting process and any suspicious child processes. Preserve memory, exploit scripts, shell history, temporary files, and relevant audit logs for forensic review.
- Inspect setuid-root binaries that may have been targeted. Remember that the vulnerable write affects the page cache, not the on-disk file; normal file-integrity checks may not show the corrupted in-memory state.
- Rebuild or reimage the host if successful privilege escalation cannot be ruled out. Rotate credentials, SSH keys, tokens, and secrets that were accessible to the affected user or any root shell spawned afterward.
- Patch the kernel with the vendor fix for CVE-2026-31431. Until patched, consider blocking `algif_aead` module loading or restricting AF_ALG socket creation via seccomp for untrusted workloads.
- For containerized environments, patch the underlying node kernel. Rebuilding container images does not remediate the host kernel vulnerability.
"""
references = [
"https://xint.io/blog/copy-fail-linux-distributions",
"https://nvd.nist.gov/vuln/detail/CVE-2026-31431",
"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603d",
"https://www.kernel.org/doc/html/latest/crypto/userspace-if.html",
]
risk_score = 73
rule_id = "1c28becc-ec0b-4e6d-81a5-899d00348089"
setup = """## Setup
This rule requires data coming in from one of the following integrations:
- Auditbeat
- Auditd Manager
### Auditbeat Setup
Auditbeat is a lightweight shipper that you can install on your servers to audit user and process activity. It can collect and centralize events from the Linux Audit Framework.
#### The following steps should be executed in order to add Auditbeat on a Linux system:
- Elastic provides repositories available for APT and YUM-based distributions. To install the repositories, follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
- For complete "Setup and Run Auditbeat" instructions, refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
- To run Auditbeat on Docker or Kubernetes, follow the relevant deployment guides in the Auditbeat documentation.
### Auditd Manager Integration Setup
The Auditd Manager integration receives audit events from the Linux Audit Framework, which is part of the Linux kernel. Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon.
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux system:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Auditd Manager" and select the integration to see more details.
- Click "Add Auditd Manager".
- Configure the integration name and optionally add a description.
- Review optional and advanced settings as needed.
- Add the newly installed "auditd manager" integration to an existing or new agent policy, and deploy the agent on Linux systems where detection is desired.
- Click "Save and Continue".
- For more details on the integration, refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
#### Rule Specific Setup Note
This detection relies on auditing one of the 3 event types `socket` or `splice` or `bound-socket` event. If your environment uses a minimal audit ruleset, add rules similar to the following
in the integration's "audit rules" configuration:
```
-a always,exit -F arch=b64 -S socket -k socket_syscall
-a always,exit -F arch=b32 -S socketcall -k socket_syscall
-a always,exit -F arch=b64 -S splice -k splice-syscall
-a always,exit -F arch=b32 -S splice -k splice-syscall
-a always,exit -F arch=b64 -S bind -k socket_bound
-a always,exit -F arch=b32 -S bind -k socket_bound
```
"""
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Use Case: Vulnerability",
"Tactic: Privilege Escalation",
"Data Source: Auditd Manager",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sequence with maxspan=60s
[any where host.os.type == "linux" and
(
(event.category == "process" and auditd.data.syscall == "socket" and auditd.data.a0 == "26") or
(event.category == "process" and auditd.data.syscall == "splice") or
(event.category == "network" and event.action == "bound-socket" and data_stream.dataset == "auditd_manager.auditd" and ?auditd.data.socket.family == "38")
)
and user.id != "0"] by process.pid, host.id, user.id with runs=10
[process where host.os.type == "linux" and event.action == "executed" and
(
(user.effective.id == "0" and user.id != "0") or
(process.name in ("bash", "sh", "zsh", "dash", "fish", "ksh", "busybox") and
process.args in ("-c", "--command", "-ic", "-ci", "-cl", "-lc", "-bash", "-sh", "-zsh", "-dash", "-fish", "-ksh"))
)] by process.parent.pid, host.id, user.id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"