[OOTB] CopyFail (CVE-2026-31431) package - ENG
<html lang="en">
<body>
  
  <p>
		Copy Fail (CVE-2026-31431) is a logic bug in the Linux kernel's authencesn cryptographic template. It lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system. A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017.
	</p>
	<p>
		To detect the exploit with a SIEM fed by auditd events, the following rules are recommended:
	</p>
	<ul>
		<li>Open for reading (syscall: openat) of a setuid binary (su, sudo, newgrp, passwd, gpasswd, chfn, mount, umount, fusermount, fusermount3, chsh; the list may be extended) by a process whose executable is not under /usr/bin or /bin, or whose executable is a Python interpreter. Expect noise from legitimate readers such as package managers, integrity scanners and backup tools; exclude those by executable path rather than loosening the rule.</li>
		<li>A splice data transfer (syscall: splice) between file descriptors by a non-root user, issued by a process that previously opened one of the setuid binaries listed above.</li>
		<li>Characteristic command lines (syscall: execve): for /usr/bin/su, for example, a command line of sh -c -- su.</li>
		<li>Creation of an AF_ALG socket (syscall: socket). AF_ALG is address family 38; auditd records syscall arguments in hexadecimal, so this appears as a0=26 in audit.log. AF_ALG sockets are created with type SOCK_SEQPACKET (a1=5, possibly with SOCK_CLOEXEC or SOCK_NONBLOCK OR'd in), not SOCK_STREAM, so mask the low nibble of a1 before comparing.</li>
	</ul>
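<p>
		The four rules above can be correlated into one detector keyed on the audit event serial and the pid. The following is an added example written for this page, not part of the original package or any vendor tooling; the audit records in SAMPLE are constructed to resemble auditd SYSCALL, PATH and EXECVE lines on x86_64 (arch=c000003e, so openat=257, splice=275, execve=59, socket=41), and the key="copyfail" value assumes a rule key of that name was configured in audit.rules. Note that auditctl filters compare syscall arguments in decimal (-F a0=38), whereas audit.log prints them in hexadecimal (a0=26); the detector below parses the logged hex form.
</p>

```python
"""Correlate auditd records into the four CopyFail indicators listed above.
The log lines in SAMPLE are constructed for this example, not real captures."""
import re
from collections import defaultdict

# x86_64 syscall numbers as they appear in auditd SYSCALL records (arch=c000003e).
SYS_OPENAT, SYS_SPLICE, SYS_EXECVE, SYS_SOCKET = 257, 275, 59, 41
AF_ALG = 38           # auditd logs arguments in hex, so this shows up as a0=26
SOCK_TYPE_MASK = 0xf  # strips SOCK_CLOEXEC / SOCK_NONBLOCK from the type argument
SUID_BINARIES = {"su", "sudo", "newgrp", "passwd", "gpasswd", "chfn", "mount",
                 "umount", "fusermount", "fusermount3", "chsh"}
TRUSTED_EXE_DIRS = ("/usr/bin/", "/bin/")

# Constructed sample: an exploit-like sequence by pid 4242 (AF_ALG socket, open of
# su from python3, splice, exec of "sh -c -- su"), then a benign open of sudo by
# the `file` utility (pid 5000) that must not alert.
SAMPLE = """
type=SYSCALL msg=audit(1700000000.101:1001): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=80005 a2=0 a3=0 items=0 ppid=4000 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3" key="copyfail"
type=SYSCALL msg=audit(1700000000.102:1002): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffc0000 a2=0 a3=0 items=1 ppid=4000 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3" key="copyfail"
type=PATH msg=audit(1700000000.102:1002): item=0 name="/usr/bin/su" inode=1234 dev=08:01 mode=0104755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:1003): arch=c000003e syscall=275 success=yes exit=4096 a0=4 a1=0 a2=5 a3=0 items=0 ppid=4000 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3" key="copyfail"
type=SYSCALL msg=audit(1700000000.104:1004): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=4242 pid=4243 auid=1000 uid=1000 gid=1000 euid=1000 comm="sh" exe="/usr/bin/dash" key="copyfail"
type=EXECVE msg=audit(1700000000.104:1004): argc=4 a0="sh" a1="-c" a2="--" a3="su"
type=SYSCALL msg=audit(1700000000.105:1005): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffc0000 a2=0 a3=0 items=1 ppid=1 pid=5000 auid=1000 uid=1000 gid=1000 euid=1000 comm="file" exe="/usr/bin/file" key="copyfail"
type=PATH msg=audit(1700000000.105:1005): item=0 name="/usr/bin/sudo" inode=1235 dev=08:01 mode=0104755 ouid=0 ogid=0 nametype=NORMAL
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r"audit\([\d.]+:(\d+)\)")


def parse(line):
    """Turn one audit line into a dict; the msg serial links records of one event."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["serial"] = int(SERIAL.search(line).group(1))
    return rec


def suspicious_reader(exe):
    """Rule 1 actor test: exe outside /usr/bin and /bin, or any Python interpreter."""
    base = exe.rsplit("/", 1)[-1]
    return not exe.startswith(TRUSTED_EXE_DIRS) or base.startswith("python")


def detect(log_text):
    """Return (rule, pid, detail) tuples for every matching audit event, in serial order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            events[rec["serial"]].append(rec)
    alerts = []
    suid_readers = set()  # pids that already opened a setuid binary suspiciously
    for serial in sorted(events):
        recs = events[serial]
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None:
            continue
        nr, pid, uid, exe = int(sc["syscall"]), sc["pid"], int(sc["uid"]), sc.get("exe", "")
        if nr == SYS_OPENAT:
            # Rule 1: setuid bit (04000) in the PATH record mode, name on the list, suspicious actor.
            for p in (r for r in recs if r["type"] == "PATH"):
                is_suid = int(p.get("mode", "0"), 8) & 0o4000
                if is_suid and p["name"].rsplit("/", 1)[-1] in SUID_BINARIES and suspicious_reader(exe):
                    suid_readers.add(pid)
                    alerts.append(("suid_open", pid, p["name"]))
        elif nr == SYS_SPLICE and uid != 0 and pid in suid_readers:
            # Rule 2: splice by a non-root pid that already tripped rule 1.
            alerts.append(("splice_after_suid_open", pid, exe))
        elif nr == SYS_EXECVE:
            # Rule 3: EXECVE argv joined equals the characteristic "sh -c -- su".
            ev = next((r for r in recs if r["type"] == "EXECVE"), None)
            if ev and " ".join(ev[f"a{i}"] for i in range(int(ev["argc"]))) == "sh -c -- su":
                alerts.append(("execve_sh_c_su", pid, exe))
        elif nr == SYS_SOCKET and int(sc["a0"], 16) == AF_ALG:
            # Rule 4: AF_ALG socket; report the type with CLOEXEC/NONBLOCK flags masked off.
            sock_type = int(sc["a1"], 16) & SOCK_TYPE_MASK
            alerts.append(("af_alg_socket", pid, f"type={sock_type}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert)
```

<p>
		Run against SAMPLE the detector yields four alerts for pid 4242 (af_alg_socket with type=5, suid_open of /usr/bin/su, splice_after_suid_open, execve_sh_c_su) and none for the benign open by file. In a real SIEM the pid correlation in rule 2 should be scoped to the same auid and session as well, since pids are reused.
</p>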

</body>
</html>