From 5075923f81c6f80657f2d5d17bf21e927da3622c Mon Sep 17 00:00:00 2001 From: Tejas Nikam Date: Sun, 7 Jun 2026 00:22:27 -0700 Subject: [PATCH] feat: add detection rules for CVE-2026-31431 (CopyFail) Adds three auditd-based Sigma rules covering the AF_ALG/algif_aead Linux kernel LPE chain: AF_ALG socket creation outside the disk-encryption toolchain, explicit load of the algif_aead module, and splice() against setuid binary paths. Rule 3 (splice) validated against live auditd telemetry on Amazon Linux 2023; description and logsource.definition updated to document the PATH/SYSCALL stitching requirement that the live data confirmed. --- ...d_exploit_cve_2026_31431_af_alg_socket.yml | 54 +++++++++++++ ..._cve_2026_31431_algif_aead_module_load.yml | 45 +++++++++++ ...xploit_cve_2026_31431_splice_to_af_alg.yml | 77 +++++++++++++++++++ 3 files changed, 176 insertions(+) create mode 100644 rules-emerging-threats/2026/Exploits/CVE-2026-31431/lnx_auditd_exploit_cve_2026_31431_af_alg_socket.yml create mode 100644 rules-emerging-threats/2026/Exploits/CVE-2026-31431/lnx_auditd_exploit_cve_2026_31431_algif_aead_module_load.yml create mode 100644 rules-emerging-threats/2026/Exploits/CVE-2026-31431/lnx_auditd_exploit_cve_2026_31431_splice_to_af_alg.yml diff --git a/rules-emerging-threats/2026/Exploits/CVE-2026-31431/lnx_auditd_exploit_cve_2026_31431_af_alg_socket.yml b/rules-emerging-threats/2026/Exploits/CVE-2026-31431/lnx_auditd_exploit_cve_2026_31431_af_alg_socket.yml new file mode 100644 index 00000000000..8d97d205728 --- /dev/null +++ b/rules-emerging-threats/2026/Exploits/CVE-2026-31431/lnx_auditd_exploit_cve_2026_31431_af_alg_socket.yml 
@@ -0,0 +1,54 @@ +title: AF_ALG Crypto Socket Creation Outside Disk-Encryption Toolchain - Potential CVE-2026-31431 Exploitation +id: 9d4d2f2d-3a8e-4b91-b0c6-1f0a5a8b9c01 +status: experimental +description: | + Detects creation of an AF_ALG (kernel userspace crypto API) socket by a process that is not part of the + well-known disk-encryption / kernel-crypto-API toolchain. + CVE-2026-31431 ("CopyFail") is a Linux kernel local privilege escalation in the algif_aead module that + requires the attacker to open an AF_ALG SEQPACKET socket as its first step. Outside of cryptsetup, + systemd-cryptsetup, veritysetup, integritysetup, fscrypt and the kcapi-* tooling, AF_ALG sockets are + rarely seen in production workloads, so a socket() with domain=AF_ALG (38, 0x26) from any other binary + is a strong precursor indicator. +references: + - https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/ + - https://www.wiz.io/blog/copyfail-cve-2026-31431-linux-privilege-escalation-vulnerability + - https://www.sysdig.com/blog/cve-2026-31431-copy-fail-linux-kernel-flaw-lets-local-users-gain-root-in-seconds + - https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/ + - https://www.openwall.com/lists/oss-security/2026/04/29/23 + - https://man7.org/linux/man-pages/man2/socket.2.html +author: Tejas Nikam +date: 2026-06-05 +tags: + - attack.privilege-escalation + - attack.t1068 + - cve.2026-31431 + - detection.emerging-threats +logsource: + product: linux + service: auditd + definition: | + Required auditd configuration (AF_ALG socket family = 38 = 0x26): + -a always,exit -F arch=b64 -S socket -F a0=0x26 -k af_alg + -a always,exit -F arch=b32 -S socketcall -F a0=0x26 -k af_alg +detection: + selection: + type: 'SYSCALL' + SYSCALL: 'socket' + a0: 26 # AF_ALG (38 decimal, 0x26 hex) + filter_main_crypto_tooling: + exe|endswith: + - '/cryptsetup' + - '/systemd-cryptsetup' + - '/veritysetup' + - 
'/integritysetup' + - '/fscrypt' + - '/e4crypt' + - '/kcapi-enc' + - '/kcapi-dgst' + - '/kcapi-rng' + - '/kcapi-sym' + condition: selection and not 1 of filter_main_* +falsepositives: + - Custom applications that intentionally use the Linux kernel userspace crypto API (AF_ALG) for hardware-accelerated crypto - confirm the binary and tune the allowlist + - Container or VM images shipping additional disk-encryption or kernel-crypto helper binaries not listed in the allowlist +level: medium diff --git a/rules-emerging-threats/2026/Exploits/CVE-2026-31431/lnx_auditd_exploit_cve_2026_31431_algif_aead_module_load.yml b/rules-emerging-threats/2026/Exploits/CVE-2026-31431/lnx_auditd_exploit_cve_2026_31431_algif_aead_module_load.yml new file mode 100644 index 00000000000..ca4219d8407 --- /dev/null +++ b/rules-emerging-threats/2026/Exploits/CVE-2026-31431/lnx_auditd_exploit_cve_2026_31431_algif_aead_module_load.yml 
@@ -0,0 +1,45 @@ +title: algif_aead Kernel Module Load - Potential CVE-2026-31431 Pre-Exploitation +id: 8c70c8a2-1c7e-4e22-b3a5-9e0d2f4a6c12 +status: experimental +description: | + Detects an explicit load of the algif_aead kernel module (the userspace AEAD crypto interface). + CVE-2026-31431 ("CopyFail") exploits a logic flaw in algif_aead to perform a controlled 4-byte + write into the page cache of any readable file, typically corrupting the in-memory copy of a + setuid binary such as /usr/bin/su to gain root. + The module is autoloaded on demand by AF_ALG socket creation, but is rarely needed on production + servers (it is typically only used by cryptsetup, fscrypt and a handful of kcapi-* tools), so an + explicit modprobe / insmod / kmod load of algif_aead by anything other than the disk-encryption + toolchain or a known config-management process tree is a strong precursor signal. +references: + - https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/ + - https://www.wiz.io/blog/copyfail-cve-2026-31431-linux-privilege-escalation-vulnerability + - https://www.sysdig.com/blog/cve-2026-31431-copy-fail-linux-kernel-flaw-lets-local-users-gain-root-in-seconds + - https://www.secwest.net/copyfail-mitigation + - https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available +author: Tejas Nikam +date: 2026-06-05 +tags: + - attack.privilege-escalation + - attack.t1068 + - cve.2026-31431 + - detection.emerging-threats +logsource: + product: linux + service: auditd +detection: + selection_modprobe: + type: 'EXECVE' + a0|endswith: + - 'modprobe' + - 'insmod' + - 'kmod' + selection_module_arg: + - a1|contains: 'algif_aead' + - a2|contains: 'algif_aead' + - a3|contains: 'algif_aead' + condition: selection_modprobe and selection_module_arg +falsepositives: + - Initial boot of hosts running full-disk encryption (cryptsetup) - the module will be autoloaded but typically without an explicit modprobe in EXECVE + - Configuration management (Ansible, Puppet, Chef, 
cloud-init) loading kernel modules from a managed allowlist - filter on auid / parent process if needed + - Storage or backup tooling that ships its own kernel-crypto helpers +level: medium diff --git a/rules-emerging-threats/2026/Exploits/CVE-2026-31431/lnx_auditd_exploit_cve_2026_31431_splice_to_af_alg.yml b/rules-emerging-threats/2026/Exploits/CVE-2026-31431/lnx_auditd_exploit_cve_2026_31431_splice_to_af_alg.yml new file mode 100644 index 00000000000..79999583e84 --- /dev/null +++ b/rules-emerging-threats/2026/Exploits/CVE-2026-31431/lnx_auditd_exploit_cve_2026_31431_splice_to_af_alg.yml 
@@ -0,0 +1,77 @@ +title: Splice Syscall Accessing Setuid Binary Path - Potential CVE-2026-31431 Exploitation +id: 7a4f8b1d-2c9a-4f0e-9b27-6c1e3a5d8f23 +status: experimental +description: | + Detects a splice() syscall paired with an auditd PATH record pointing at a privileged setuid binary + (su, sudo, mount, passwd, newgrp, chsh, chfn, gpasswd) by a non-root caller. + This is the late-stage signature of CVE-2026-31431 ("CopyFail") exploitation: after creating an + AF_ALG socket and triggering the algif_aead scatter/gather bug, the exploit uses splice() to drive + a 4-byte overwrite into the page cache backing a setuid binary. The on-disk file is never modified, + so file-integrity monitors that hash the file from disk will miss the compromise - splice() against + a privileged binary by an unprivileged process is the durable detection signal. + Verified against live auditd telemetry on Amazon Linux 2023: the splice() syscall emits a SYSCALL + record with no associated PATH record (items=0) because splice operates on file descriptors, while + the preceding open()/openat() that obtained the fd emits the PATH record on a separate audit message + with the same correlation ID. This rule therefore requires an ingest pipeline that joins PATH records + to their parent SYSCALL (auparse, auditbeat, Wazuh, falco) - see logsource.definition. 
+references: + - https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/ + - https://www.sysdig.com/blog/cve-2026-31431-copy-fail-linux-kernel-flaw-lets-local-users-gain-root-in-seconds + - https://www.wiz.io/blog/copyfail-cve-2026-31431-linux-privilege-escalation-vulnerability + - https://xint.io/blog/copy-fail-linux-distributions + - https://man7.org/linux/man-pages/man2/splice.2.html +author: Tejas Nikam +date: 2026-06-05 +modified: 2026-06-08 +tags: + - attack.privilege-escalation + - attack.t1068 + - cve.2026-31431 + - detection.emerging-threats +logsource: + product: linux + service: auditd + definition: | + Required auditd configuration: + -a always,exit -F arch=b64 -S splice -F auid!=0 -F auid!=-1 -k copyfail_splice + -a always,exit -F arch=b32 -S splice -F auid!=0 -F auid!=-1 -k copyfail_splice + + Required ingest pipeline: + Linux audit emits the splice() SYSCALL record and the PATH record of the underlying file as + two separate audit messages joined only by their msg=audit(timestamp:serial) correlation ID + (the splice SYSCALL record itself has items=0 because splice operates on file descriptors). + This rule's selection_target_path matches the PATH record produced by the preceding + open()/openat() of the setuid binary; selection_syscall matches the splice() SYSCALL record. + Both must be joined for the condition to fire, which happens automatically in auparse, + Elastic auditbeat, Wazuh, and Falco's audit plugin. Raw line-by-line audit.log ingestion + will not match this rule - either route audit events through one of those tools, or use an + equivalent backend-side correlation by msg ID / pid. 
+detection: + selection_syscall: + type: 'SYSCALL' + SYSCALL: 'splice' + selection_target_path: + type: 'PATH' + name: + - '/usr/bin/su' + - '/bin/su' + - '/usr/bin/sudo' + - '/bin/sudo' + - '/usr/bin/mount' + - '/bin/mount' + - '/usr/bin/umount' + - '/bin/umount' + - '/usr/bin/passwd' + - '/usr/bin/newgrp' + - '/usr/bin/chsh' + - '/usr/bin/chfn' + - '/usr/bin/gpasswd' + - '/usr/bin/pkexec' + filter_main_root_caller: + auid: 0 + condition: selection_syscall and selection_target_path and not 1 of filter_main_* +falsepositives: + - Backup, antivirus or file-integrity tooling that uses splice() to read privileged binaries - identify the binary via the exe field and tune + - Container runtimes copying setuid helpers during image build (uncommon outside of build hosts) + - Silent non-match (no alert at all) when the ingest pipeline does not stitch PATH records onto their parent SYSCALL record - see logsource.definition +level: high
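Review bot: in lnx_auditd_exploit_cve_2026_31431_af_alg_socket.yml the b32 audit rule in logsource.definition, `-a always,exit -F arch=b32 -S socketcall -F a0=0x26 -k af_alg`, does not filter on the address family: for socketcall the first argument is the multiplexer call number (SYS_SOCKET), not the domain, and the detection block only matches `SYSCALL: 'socket'`, so a 32-bit event could never satisfy the condition anyway. Either drop the b32 line or audit `-S socket` on b32 as well. Two smaller points in the detection block: auditd records `a0` as a hex string without a 0x prefix, so `a0: 26` is safer quoted as `a0: '26'` to avoid an integer-versus-string comparison in backends that type YAML scalars; and `exe|endswith: '/cryptsetup'` (and the rest of the allowlist) is satisfied by any binary whose basename matches, so prefer the distribution's absolute paths (e.g. /usr/sbin/cryptsetup) and keep the endswith form only where the install location genuinely varies, with that tuning noted under falsepositives.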
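Review bot: in lnx_auditd_exploit_cve_2026_31431_algif_aead_module_load.yml the argument match (`a1|contains`, `a2|contains`, `a3|contains` on 'algif_aead') also fires on `modprobe -r algif_aead`, which is an unload rather than the load the title names; add a filter on `a1` being '-r' or '--remove' (and the `kmod unload` form), or widen the title. The description also states the module is autoloaded by AF_ALG socket creation, which means an exploit never needs an explicit modprobe/insmod; that limitation belongs in the description or falsepositives in plain terms (the rule only catches operators or tooling that load the module by hand) so that level: medium is not read as coverage of the exploit path itself. Minor: for `a0|endswith: 'kmod'` the module name sits in a2 after the `load` subcommand, which the selection covers, but the a1 match is then only meaningful for modprobe/insmod, so a short comment saying which argument position applies to which binary would help maintainers.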
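Review bot: in lnx_auditd_exploit_cve_2026_31431_splice_to_af_alg.yml the condition `selection_syscall and selection_target_path and not 1 of filter_main_*` cannot be met by the documented configuration: the only audit rules listed under logsource.definition are the two `-S splice` rules, and the description itself says the splice SYSCALL record has items=0, so no PATH record naming /usr/bin/su or the other listed binaries is generated unless a separate rule audits the open/openat of those files (a watch such as `-w /usr/bin/su -p r -k copyfail_splice` per listed path, or an openat syscall rule with `-F path=`). Even with such a rule, the openat exit and the splice exit are separate audit events with their own msg=audit(timestamp:serial) values, so auparse, auditbeat and Wazuh attach the PATH record to the openat SYSCALL record, not to the splice SYSCALL record; the description's claim that the PATH record arrives "with the same correlation ID" as the splice record should be backed by the captured Amazon Linux 2023 records in this PR, or the rule should be split into two (openat of a listed setuid path by a non-root auid, and a splice SYSCALL from the same pid shortly after) with the pid correlation done in the backend and described in logsource.definition. Minor: `filter_main_root_caller: auid: 0` duplicates `-F auid!=0` in the audit rules (harmless but redundant), and `modified: 2026-06-08` post-dates the commit's own date of 7 Jun 2026.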