Hasty Briefs (beta)

Cloudflare responded to the "Copy Fail" Linux vulnerability

4 hours ago
  • #Incident Response
  • #Cloudflare Infrastructure
  • #Linux Kernel Security
  • Cloudflare successfully managed the 'Copy Fail' Linux kernel vulnerability (CVE-2026-31431) with no impact on customers or services.
  • The exploit allowed unprivileged processes to modify the page cache via AF_ALG and splice(), leading to privilege escalation by tainting setuid binaries like /usr/bin/su.
  • Cloudflare's existing behavioral detection flagged the exploit pattern within minutes, providing coverage before any custom rules were written.
  • A multi-team response included threat hunting, validation, and engineering a bpf-lsm mitigation to block AF_ALG socket binds for non-allow-listed binaries.
  • Patched kernels were deployed via normal reboot automation, and bpf-lsm provided interim protection without requiring reboots.
  • Key improvements identified include better kernel-API dependency visibility, enhanced runtime mitigation tools, and reducing kernel attack surface.
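
The allow-list and kernel-API dependency visibility points above both depend on knowing which binaries actually use AF_ALG. The following is an added example, not code from Cloudflare or the summarized post: it inventories AF_ALG socket users from auditd SYSCALL records. It assumes x86_64 hosts and an audit rule that logs socket(2) calls; the allow-list entry and the log lines are constructed.

```python
import re

AF_ALG = 38               # AF_ALG in <linux/socket.h>
SYS_SOCKET = "41"         # socket(2) syscall number on x86_64
ARCH_X86_64 = "c000003e"  # arch value auditd records for x86_64

# Hypothetical allow-list; a real one comes from your own inventory.
ALLOWED_EXES = {"/usr/sbin/cryptsetup"}

# Constructed auditd SYSCALL records (auditd prints a0..a3 in hex; 0x26 == 38).
SAMPLE_AUDIT_LOG = """
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 pid=812 uid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="af_alg"
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 pid=2244 uid=1001 comm="helper" exe="/home/build/helper" key="af_alg"
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=1 a2=6 pid=2301 uid=1001 comm="curl" exe="/usr/bin/curl" key="af_alg"
type=SYSCALL msg=audit(1700000000.404:504): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 pid=2250 uid=1001 comm="helper" exe="/home/build/helper" key="af_alg"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def af_alg_users(lines):
    """Count socket(AF_ALG, ...) calls per executable path."""
    users = {}
    for line in lines:
        if not line.startswith("type=SYSCALL"):
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if rec.get("arch") != ARCH_X86_64 or rec.get("syscall") != SYS_SOCKET:
            continue
        try:
            family = int(rec.get("a0", ""), 16)
        except ValueError:
            continue  # malformed record, skip it
        if family == AF_ALG:
            exe = rec.get("exe", "<unknown>")
            users[exe] = users.get(exe, 0) + 1
    return users

def unexpected_users(lines, allowed=ALLOWED_EXES):
    """Executables that opened AF_ALG sockets but are not allow-listed."""
    return sorted(exe for exe in af_alg_users(lines) if exe not in allowed)

if __name__ == "__main__":
    log = SAMPLE_AUDIT_LOG.strip().splitlines()
    print(af_alg_users(log))
    print(unexpected_users(log))
```

Running this against a baseline period before enforcing a bind-blocking policy shows which legitimate binaries would need an allow-list entry.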