Tools: CVE-2026-31431 CopyFail: fast Kubernetes mitigation while waiting for the patch


What is it?

A critical Linux kernel LPE (Local Privilege Escalation) named CopyFail was disclosed yesterday. Any unprivileged user already on a machine — inside a container, a CI/CD runner, or a shared host — can escalate to root in seconds using the public PoC that dropped alongside the advisory.

Ars Technica coverage

CVE-2026-31431 is a logic bug in the Linux kernel's authencesn crypto template, exposed through the algif_aead AF_ALG socket interface. It affects every Linux kernel since ~2017 — including Amazon Linux 2023, Ubuntu 22.04, and Debian 12.

"Local privilege escalation" sounds contained, but in 2026 "local" covers a lot of ground: every container on a shared Kubernetes node, every CI/CD job running untrusted code, every tenant on a shared host. A single unprivileged shell on any of those surfaces is enough.

The mitigation

The upstream patch is merged but distro packages are still pending. While waiting, the fastest mitigation is simple:

- Unload algif_aead if it's currently loaded
- Blacklist it so it cannot be reloaded

    modprobe -r algif_aead 2>/dev/null || true
    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf

Doing this at scale on Kubernetes

Running that command manually on each node is not realistic. I put together a DaemonSet that deploys the mitigation to every node in the cluster automatically. It runs as a privileged init container that:

- Verifies it's running on Amazon Linux (exits safely otherwise)
- Unloads algif_aead if present and logs an ALERT if it was loaded
- Writes the modprobe blacklist to the host filesystem

Once the init container finishes, only a minimal pause container remains — no lingering privileged process.

The image is published to ghcr.io, multi-arch (amd64 + arm64). The chart is in the same repo. The CI pipeline pins the exact image SHA in values.yaml after every build.

👉 github.com/csepulveda/kernel-mitigations

It's focused on EKS + Amazon Linux 2023, but the approach works on any Kubernetes cluster — the OS check in the script is the only AL-specific part. PRs welcome for other distributions or future CVEs.

Install

    helm upgrade --install cve-2026-31431-mitigation \
      https://github.com/csepulveda/kernel-mitigations/archive/refs/heads/main.tar.gz \
      --namespace kube-system

Verify

    kubectl get pods -n kube-system -l app=cve-2026-31431-mitigation -o wide
    kubectl logs -n kube-system <pod-name> -c mitigate

Expected init container log on a node where the module was not loaded:

    [mitigation] node=ip-x.x.x.x OS=Amazon Linux — proceeding
    [mitigation] algif_aead is not loaded on node=ip-x.x.x.x
    [mitigation] blacklist written: /host-modprobe-d/disable-algif-aead.conf on node=ip-x.x.x.x
    [mitigation] done on node=ip-x.x.x.x

Uninstall when the patch lands

    helm uninstall cve-2026-31431-mitigation -n kube-system
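As an added example (not the kernel-mitigations repo's own script), this is the logic such an init container could run on each node: the Amazon Linux gate, the unload with an ALERT when the module was loaded, and the blacklist write. It assumes the host's /etc/os-release and /etc/modprobe.d are hostPath-mounted at /host-etc/os-release and /host-modprobe-d, and takes the file paths as parameters so the functions can be exercised against constructed files without root.

```sh
#!/bin/sh
# Added example, not the kernel-mitigations repo's own script: what the
# privileged init container could run on each node.
set -eu

MODULE="algif_aead"
CONF_NAME="disable-algif-aead.conf"

# 0 when the given os-release file identifies Amazon Linux (ID=amzn).
is_amazon_linux() {
    [ -r "$1" ] && grep -Eq '^ID="?amzn"?$' "$1"
}

# 0 when the module appears in the given /proc/modules listing.
module_loaded() {
    [ -r "$1" ] && grep -q "^$MODULE " "$1"
}

# Write the modprobe override: "install <mod> /bin/false" makes every
# later load attempt run /bin/false instead of loading the module.
write_blacklist() {
    mkdir -p "$1"
    printf 'install %s /bin/false\n' "$MODULE" > "$1/$CONF_NAME"
    echo "[mitigation] blacklist written: $1/$CONF_NAME on node=${NODE_NAME:-unknown}"
}

# OS gate, unload if loaded, then blacklist. Returns 0 on every path so the
# init container never crash-loops; a failed unload is logged, not fatal.
run_mitigation() {
    os_release="${1:-/host-etc/os-release}"   # assumed hostPath of host /etc/os-release
    modules_file="${2:-/proc/modules}"         # /proc/modules reflects the shared host kernel
    modprobe_dir="${3:-/host-modprobe-d}"      # assumed hostPath of host /etc/modprobe.d
    node="${NODE_NAME:-unknown}"
    if ! is_amazon_linux "$os_release"; then
        echo "[mitigation] node=$node is not Amazon Linux - skipping"
        return 0
    fi
    echo "[mitigation] node=$node OS=Amazon Linux - proceeding"
    if module_loaded "$modules_file"; then
        echo "[mitigation] ALERT: $MODULE was loaded on node=$node - unloading"
        modprobe -r "$MODULE" 2>/dev/null || echo "[mitigation] unload of $MODULE failed on node=$node"
    else
        echo "[mitigation] $MODULE is not loaded on node=$node"
    fi
    write_blacklist "$modprobe_dir"
    echo "[mitigation] done on node=$node"
}

run_mitigation "$@"
```

Run it with no arguments inside the pod (the defaults are the assumed mounts), or pass the three paths explicitly to exercise it elsewhere.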