CVE-2026-31431: Copy Fail vs. rootless containers
2 hours ago
- #privilege-escalation
- #CVE-2026-31431
- #rootless-containers
- CVE-2026-31431 ('Copy Fail') is a Linux kernel vulnerability that allows unprivileged users to overwrite the page cache of system binaries like /usr/bin/su via a flaw in the AF_ALG cryptographic socket, enabling privilege escalation.
- The exploit uses compressed shellcode embedded as a hex string in a Python script, which, when decompressed, reveals a malicious ELF executable that performs setuid(0) and execve('/bin/sh') to gain root access.
- Rootless containers (e.g., Podman with user namespaces) effectively mitigate the exploit by mapping container root (UID 0) to an unprivileged host user (e.g., UID 1000), preventing host-level privilege escalation despite the exploit succeeding inside the container.
- Analysis via strace and eBPF (bpftrace) shows that the exploit mechanism involves AF_ALG socket operations and splice() calls to corrupt the page cache, while the user namespace uid_map confirms the isolation by mapping container UIDs to unprivileged host UIDs.
- The vulnerability underscores the importance of rootless container architectures, as demonstrated with GitLab runners; the analysis recommends enabling user namespace support in platforms like OpenShift to contain similar kernel LPEs.
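The uid_map check described above, as an added example that is not part of the original post: it parses the `/proc/<pid>/uid_map` format from user_namespaces(7) and reports whether a container's UID 0 is really an unprivileged host UID, which is the property that stops this LPE at the host boundary. The sample maps are constructed; the helper names are my own.

```python
"""Check whether a container's "root" is an unprivileged host UID.

Added example, not from the original post. Each uid_map line reads
"<ns_start> <host_start> <length>" (see user_namespaces(7)). A rootless
container maps namespace UID 0 to a non-zero host UID, so a process that
gains UID 0 via a kernel LPE inside the container still holds no host
privileges.
"""
from pathlib import Path


def parse_uid_map(text: str) -> list[tuple[int, int, int]]:
    """Parse uid_map text into (ns_start, host_start, length) triples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        ns_start, host_start, length = (int(f) for f in fields)
        entries.append((ns_start, host_start, length))
    return entries


def host_uid(entries: list[tuple[int, int, int]], ns_uid: int):
    """Translate a namespace UID to its host UID; None if unmapped."""
    for ns_start, host_start, length in entries:
        if ns_start <= ns_uid < ns_start + length:
            return host_start + (ns_uid - ns_start)
    return None


def is_rootless(text: str) -> bool:
    """True when namespace UID 0 maps to a non-zero (unprivileged) host UID."""
    h = host_uid(parse_uid_map(text), 0)
    return h is not None and h != 0


def check_pid(pid: int) -> bool:
    """Read the live uid_map of a process (hypothetical helper for real use)."""
    return is_rootless(Path(f"/proc/{pid}/uid_map").read_text())


# Constructed samples: the identity map of a rootful/host process, and a
# typical rootless Podman mapping (UID 0 -> host 1000, then a subuid range).
ROOTFUL_MAP = "         0          0 4294967295\n"
ROOTLESS_MAP = "         0       1000          1\n         1     100000      65536\n"

if __name__ == "__main__":
    for name, m in (("rootful", ROOTFUL_MAP), ("rootless", ROOTLESS_MAP)):
        print(name, "-> container root is host UID", host_uid(parse_uid_map(m), 0))
```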