{"uuid": "90636451-232f-4fb0-ab9e-87051b5cb2aa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://gist.github.com/0xlane/99519eac7a5fea1992d7ba6a423a0707", "content": "# CVE-2026-31431 (Copy Fail) Detection Rules for auditd\n#\n# Install:\n#   sudo cp auditd-rules.conf /etc/audit/rules.d/copyfail.rules\n#   sudo augenrules --load\n#\n# Or apply temporarily:\n#   sudo auditctl -a always,exit -F arch=b64 -S socket -F a0=38 -k copyfail_af_alg\n#   sudo auditctl -a always,exit -F arch=b64 -S splice -k copyfail_splice\n#\n# Search logs:\n#   ausearch -k copyfail_af_alg\n#   ausearch -k copyfail_splice\n\n# Rule 1: Detect AF_ALG socket creation (family=38)\n# This is the primary indicator \u2014 AF_ALG has almost no legitimate use in containers\n-a always,exit -F arch=b64 -S socket -F a0=38 -k copyfail_af_alg\n\n# Rule 2: Detect splice syscall (secondary indicator, higher noise)\n# splice is used by nginx, sendfile, etc. 
\u2014 combine with Rule 1 for correlation\n-a always,exit -F arch=b64 -S splice -k copyfail_splice\n\n# Rule 3: Detect setsockopt on ALG sockets (additional context)\n# SOL_ALG=279, helps correlate with AF_ALG socket usage\n-a always,exit -F arch=b64 -S setsockopt -F a1=279 -k copyfail_algopt\n\n\n{\n  \"defaultAction\": \"SCMP_ACT_ALLOW\",\n  \"architectures\": [\"SCMP_ARCH_X86_64\", \"SCMP_ARCH_X86\", \"SCMP_ARCH_AARCH64\"],\n  \"syscalls\": [\n    {\n      \"names\": [\"socket\"],\n      \"action\": \"SCMP_ACT_ERRNO\",\n      \"errnoRet\": 1,\n      \"args\": [\n        {\n          \"index\": 0,\n          \"value\": 38,\n          \"valueTwo\": 0,\n          \"op\": \"SCMP_CMP_EQ\"\n        }\n      ],\n      \"comment\": \"Block AF_ALG (family=38) socket creation to prevent CVE-2026-31431\"\n    }\n  ]\n}\n\n\n#!/bin/bash\n# Test seccomp profile effectiveness against CVE-2026-31431\n#\n# Prerequisites:\n#   - Place block-af-alg.json in kubelet seccomp directory:\n#     Standard: /var/lib/kubelet/seccomp/block-af-alg.json\n#     k3s:      /var/lib/rancher/k3s/agent/seccomp/block-af-alg.json\n#   - Or for Docker: use --security-opt seccomp=block-af-alg.json\n#\n# Usage: ./test-seccomp.sh\n\nset -e\necho \"=== CVE-2026-31431 Seccomp Defense Verification ===\"\necho \"\"\n\n# Test 1: Default seccomp (should ALLOW AF_ALG)\necho \"[Test 1] Default seccomp profile (RuntimeDefault)...\"\ncat <<'EOF' | kubectl apply -f -\napiVersion: v1\nkind: Pod\nmetadata:\n  name: test-default-seccomp\n  namespace: copyfail-lab\nspec:\n  securityContext:\n    seccompProfile:\n      type: RuntimeDefault\n  containers:\n  - name: test\n    image: python:3.11-slim\n    command: [\"python3\", \"-c\", \"import socket; s=socket.socket(38,5,0); print('[!] 
AF_ALG socket created \u2014 DEFAULT SECCOMP DOES NOT BLOCK')\"]\n  restartPolicy: Never\nEOF\n\nsleep 5\nkubectl logs -n copyfail-lab test-default-seccomp 2>/dev/null || true\nkubectl delete pod -n copyfail-lab test-default-seccomp --force 2>/dev/null || true\necho \"\"\n\n# Test 2: Custom seccomp blocking AF_ALG (should DENY)\necho \"[Test 2] Custom seccomp profile (block-af-alg)...\"\ncat <<'EOF' | kubectl apply -f -\napiVersion: v1\nkind: Pod\nmetadata:\n  name: test-block-seccomp\n  namespace: copyfail-lab\nspec:\n  securityContext:\n    seccompProfile:\n      type: Localhost\n      localhostProfile: block-af-alg.json\n  containers:\n  - name: test\n    image: python:3.11-slim\n    command: [\"python3\", \"-c\", \"\nimport socket\ntry:\n    s = socket.socket(38, 5, 0)\n    print('[!] FAIL: AF_ALG socket created despite seccomp')\nexcept PermissionError as e:\n    print(f'[+] SUCCESS: AF_ALG blocked \u2014 {e}')\nexcept OSError as e:\n    print(f'[+] SUCCESS: AF_ALG blocked \u2014 {e}')\n# Verify TCP still works\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)\nprint('[+] TCP socket OK \u2014 no side effects')\ns.close()\n\"]\n  restartPolicy: Never\nEOF\n\nsleep 5\nkubectl logs -n copyfail-lab test-block-seccomp 2>/dev/null || true\nkubectl delete pod -n copyfail-lab test-block-seccomp --force 2>/dev/null || true\necho \"\"\n\necho \"=== Docker equivalent ===\"\necho \"# Default (vulnerable):\"\necho \"docker run --rm python:3.11-slim python3 -c \\\"import socket; socket.socket(38,5,0); print('AF_ALG OK')\\\"\"\necho \"\"\necho \"# With custom seccomp (protected):\"\necho \"docker run --rm --security-opt seccomp=block-af-alg.json python:3.11-slim python3 -c \\\"import socket; socket.socket(38,5,0)\\\"\"\necho \"# Expected: PermissionError\"\n", "creation_timestamp": "2026-05-08T04:30:24.000000Z"}