vishvacyber/Detection-Tool-Kit-for-CVE-2026-31431

GitHub: vishvacyber/Detection-Tool-Kit-for-CVE-2026-31431

Stars: 0 | Forks: 0

# copyfail-detect

Detection toolkit for CVE-2026-31431 ("Copy Fail"), a Linux kernel local privilege escalation technique that corrupts page-cache data without changing the file on disk.

## Why This Exists

Copy Fail can bypass traditional file integrity monitoring because the on-disk file is not modified. This repository provides layered detection using auditd, eBPF, page-cache comparison, Sigma rules, and responder documentation.

The eBPF monitor is the highest-fidelity detector: it watches AF_ALG activity, extracts `authencesn` bind attempts, tracks suspicious `splice()` usage, and correlates those events into a high-confidence exploit-chain alert.

## Quick Start

Check whether the risky kernel crypto surface is exposed:

```bash
python3 check/is_vulnerable.py
```

Apply the immediate mitigation:

```bash
sudo bash mitigate/disable_algif_aead.sh
```

Deploy auditd detection rules:

```bash
sudo cp detect/auditd/copyfail.rules /etc/audit/rules.d/
sudo augenrules --load
sudo ausearch -k copyfail_af_alg
```

Run the real-time eBPF monitor:

```bash
sudo python3 detect/ebpf/copyfail_monitor.py
sudo python3 detect/ebpf/copyfail_monitor.py --json
```

Check for page-cache tampering after suspected exploitation:

```bash
sudo python3 detect/pagecache-check/pagecache_diff.py
```

## Detection Layers

| Layer | What It Catches | When | Tool |
|---|---|---|---|
| eBPF monitor | AF_ALG, `authencesn`, `splice()`, exploit-chain correlation | During exploitation | bcc/bpftrace |
| Auditd rules | AF_ALG socket creation, suspicious syscalls, sensitive file reads | During exploitation | auditd |
| Page-cache diff | In-memory file data diverging from disk | After exploitation | Python |
| Sigma rules | SIEM alerts from audit/syslog telemetry | During/after exploitation | SIEM |
| IOC docs | Responder checklist and YARA rule | Investigation | docs |

## Repository Layout

```
check/                   Safe exposure and sentinel checks
detect/auditd/           auditd rules and deployment notes
detect/ebpf/             bcc and bpftrace real-time monitors
detect/pagecache-check/  Page-cache vs disk comparison
detect/sigma/            Sigma rules for SIEMs
docs/                    Detection, IOC, architecture, and forensics guides
mitigate/                Local and Ansible mitigation helpers
tests/                   Syntax and unit tests
```

## Safety Notes

The vulnerability checker only uses a temporary sentinel file and never targets system files.

The page-cache diff tool is detective and may evict the corrupted page it is checking; preserve memory first if you need forensic evidence.

## References

- Research and disclosure credit: Theori / Xint Code
- Disclosure: https://copy.fail/
- Technical writeup: https://xint.io/blog/copy-fail-linux-distributions
- CVE: CVE-2026-31431
- Kernel fix: commit `a664bf3d603d`
- Theori PoC: https://github.com/theori-io/copy-fail-CVE-2026-31431

## Acknowledgements

Thanks to Theori and Xint Code for surfacing, analyzing, and responsibly disclosing Copy Fail. This repository builds on their public research so defenders can detect, mitigate, and investigate CVE-2026-31431 safely.
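The "Page-cache diff" layer compares the in-memory copy of a file with the blocks on disk. The following is an added example of how such a comparison can be done in Python; it is not the repository's `pagecache_diff.py`. It reads each file twice, once through the page cache with a plain buffered `read()` and once with `O_DIRECT`, which bypasses the cache, and reports the two hashes as diverged when they disagree. It assumes Linux and a filesystem that honours `O_DIRECT` (tmpfs and some overlay setups refuse it, reported here as "unsupported"); the names `sha256_cached`, `sha256_direct`, `compare_cache_vs_disk`, `scan` and `self_check` are this example's own.

```python
"""Detect page-cache data that has diverged from what is on disk.

Added example, not the repository's pagecache_diff.py. An ordinary read()
is served from the page cache, while an O_DIRECT read bypasses the cache
and fetches the blocks from the device. Copy Fail alters cached pages
without writing the file, so the two views disagree for a tampered file.
Assumptions: Linux, a filesystem that honours O_DIRECT (tmpfs and some
overlay setups may refuse it; those files are reported as "unsupported").
"""
import hashlib
import mmap
import os
import sys
import tempfile

CHUNK = 1 << 20  # 1 MiB, a multiple of every common logical block size


def sha256_cached(path: str) -> str:
    """Hash the file through the page cache (plain buffered read)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_direct(path: str):
    """Hash the file with O_DIRECT; returns None when the filesystem refuses O_DIRECT."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except OSError:
        return None
    h = hashlib.sha256()
    buf = mmap.mmap(-1, CHUNK)  # anonymous mapping: page-aligned, as O_DIRECT requires
    try:
        while True:
            n = os.readv(fd, [buf])  # short read at EOF is allowed; 0 means done
            if n == 0:
                break
            h.update(buf[:n])
    except OSError:
        return None
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()


def compare_cache_vs_disk(path: str) -> str:
    """Return 'match', 'diverged' or 'unsupported' for one file.

    Linux writes back dirty pages before serving an O_DIRECT read, so a
    legitimate pending write does not show up as divergence; only cached
    data that was never written through to disk does.
    """
    on_disk = sha256_direct(path)
    if on_disk is None:
        return "unsupported"
    return "match" if sha256_cached(path) == on_disk else "diverged"


def scan(paths):
    """Compare each regular file in paths; results keyed by path."""
    return {p: compare_cache_vs_disk(p) for p in paths if os.path.isfile(p)}


def self_check() -> str:
    """Write a constructed sentinel file (never a system file), sync it, compare it."""
    fd, path = tempfile.mkstemp(suffix=".copyfail-sentinel")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"sentinel page-cache check\n" * 500)  # constructed content, ~13 KiB
            f.flush()
            os.fsync(f.fileno())
        return compare_cache_vs_disk(path)  # "match" on a healthy system
    finally:
        os.unlink(path)


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("self-check:", self_check())
    for p, verdict in scan(targets).items():
        print(f"{verdict:11} {p}")
```

Run it with the paths you want to audit as arguments, or with no arguments to exercise the sentinel self-check. Because the direct read is a second full read of every file, keep the target list to the binaries and configuration files you actually care about rather than walking the whole filesystem, and capture memory first if the page contents themselves are needed as evidence.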
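The eBPF monitor described above correlates AF_ALG socket creation, an `authencesn` bind and `splice()` from one process into a single exploit-chain alert. As an added example that is not the repository's monitor or its Sigma rules, the following applies the same per-process correlation to auditd records of the kind the auditd layer produces (the page's `copyfail_af_alg` key is reused on the sample lines). The records are constructed, not captured from a real host; the syscall numbers assume x86_64 (`socket`=41, `bind`=49, `splice`=275); the sensitive-path watch list and the function names are this example's own.

```python
"""Correlate auditd records into a Copy Fail exploit-chain alert.

Added example, not the repository's eBPF monitor or Sigma rules. It groups
auditd records by audit serial (so SOCKADDR and PATH records inherit the
pid of their SYSCALL record), then tracks per pid whether an AF_ALG socket,
an authencesn bind and a splice() were all seen.
Assumptions: x86_64 syscall numbers, AF_ALG=38, constructed sample records.
"""
import re
import struct
import sys
from collections import defaultdict

AF_ALG = 38
SYSCALL_SOCKET, SYSCALL_BIND, SYSCALL_SPLICE = 41, 49, 275
SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers"}  # assumed watch list

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_record(line: str) -> dict:
    """Split one auditd line into fields; adds 'ts' and 'serial' from msg=audit(ts:serial)."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["ts"], fields["serial"] = m.group(1), m.group(2)
    return fields


def decode_sockaddr_alg(saddr_hex: str):
    """Decode a SOCKADDR record's saddr hex as struct sockaddr_alg -> (type, name), or None."""
    raw = bytes.fromhex(saddr_hex)
    if len(raw) < 88:  # sockaddr_alg is 88 bytes: u16 family, 14-byte type, u32 feat, u32 mask, 64-byte name
        return None
    family, salg_type, _feat, _mask, salg_name = struct.unpack("<H14sII64s", raw[:88])
    if family != AF_ALG:
        return None
    return salg_type.split(b"\0", 1)[0].decode(), salg_name.split(b"\0", 1)[0].decode()


def correlate(lines):
    """Return one alert per pid that shows the AF_ALG -> authencesn -> splice() chain (or part of it)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if "serial" in rec:
            events[rec["serial"]].append(rec)

    state = defaultdict(lambda: {"af_alg": False, "authencesn": False, "splice": False,
                                 "sensitive": set(), "comm": "?"})
    for recs in events.values():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None:
            continue
        st = state[sc.get("pid")]
        st["comm"] = sc.get("comm", "?")
        nr = int(sc.get("syscall", -1))
        if nr == SYSCALL_SOCKET and int(sc.get("a0", "0"), 16) == AF_ALG:
            st["af_alg"] = True
        elif nr == SYSCALL_SPLICE:
            st["splice"] = True
        elif nr == SYSCALL_BIND:
            for r in recs:
                if r.get("type") == "SOCKADDR":
                    dec = decode_sockaddr_alg(r.get("saddr", ""))
                    if dec and dec[1].startswith("authencesn("):
                        st["authencesn"] = True
        for r in recs:  # sensitive file access recorded on the same event
            if r.get("type") == "PATH" and r.get("name") in SENSITIVE_PATHS:
                st["sensitive"].add(r["name"])

    alerts = []
    for pid, st in state.items():
        if st["af_alg"] and st["authencesn"] and st["splice"]:
            severity = "high"      # full chain from one process
        elif st["af_alg"] and st["authencesn"]:
            severity = "medium"    # AEAD setup without the splice() step
        else:
            continue
        alerts.append({"pid": pid, "comm": st["comm"], "severity": severity,
                       "sensitive_paths": sorted(st["sensitive"])})
    return alerts


def _alg_saddr_hex(salg_type: str, salg_name: str) -> str:
    """Encode a sockaddr_alg the way auditd prints saddr (used only to build the sample below)."""
    return struct.pack("<H14sII64s", AF_ALG, salg_type.encode(), 0, 0, salg_name.encode()).hex()


# Constructed sample records (not captured from a real host).
SAMPLE_LINES = [
    # Benign: hashing over AF_ALG, no authencesn bind and no splice().
    'type=SYSCALL msg=audit(1700000000.100:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 pid=1200 uid=1000 comm="hasher" exe="/usr/bin/hasher" key="copyfail_af_alg"',
    'type=SYSCALL msg=audit(1700000000.101:502): arch=c000003e syscall=49 success=yes exit=0 a0=3 pid=1200 uid=1000 comm="hasher" exe="/usr/bin/hasher" key="copyfail_af_alg"',
    f'type=SOCKADDR msg=audit(1700000000.101:502): saddr={_alg_saddr_hex("hash", "sha256")}',
    # Suspicious: AF_ALG socket, authencesn bind, sensitive read and splice() from one pid.
    'type=SYSCALL msg=audit(1700000000.200:601): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 pid=4242 uid=1000 comm="worker" exe="/tmp/worker" key="copyfail_af_alg"',
    'type=SYSCALL msg=audit(1700000000.201:602): arch=c000003e syscall=49 success=yes exit=0 a0=3 pid=4242 uid=1000 comm="worker" exe="/tmp/worker" key="copyfail_af_alg"',
    f'type=SOCKADDR msg=audit(1700000000.201:602): saddr={_alg_saddr_hex("aead", "authencesn(hmac(sha256),cbc(aes))")}',
    'type=SYSCALL msg=audit(1700000000.202:603): arch=c000003e syscall=257 success=yes exit=4 pid=4242 uid=1000 comm="worker" exe="/tmp/worker" key=(null)',
    'type=PATH msg=audit(1700000000.202:603): item=0 name="/etc/shadow" inode=1234 mode=0100640 nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000000.203:604): arch=c000003e syscall=275 success=yes exit=4096 pid=4242 uid=1000 comm="worker" exe="/tmp/worker" key="copyfail_af_alg"',
]

if __name__ == "__main__":
    source = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    for alert in correlate(source):
        print(alert)
```

Feed it the output of `ausearch -k copyfail_af_alg --raw` (or any raw audit log) as its first argument; with no argument it runs over the constructed sample and reports only pid 4242. Grouping by serial matters because the algorithm name lives in the SOCKADDR record, which carries no pid of its own, and a process that only hashes over AF_ALG (pid 1200) must not raise the alert.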