A critical Linux kernel LPE (Local Privilege Escalation) named CopyFail was disclosed yesterday. Any unprivileged user already on a machine — inside a container, a CI/CD runner, or a shared host — can escalate to root in seconds using the public PoC that dropped alongside the advisory.
What is it?
CVE-2026-31431 is a logic bug in the Linux kernel's authencesn crypto template, exposed through the algif_aead AF_ALG socket interface. It affects every Linux kernel since ~2017 — including Amazon Linux 2023, Ubuntu 22.04, and Debian 12.
"Local privilege escalation" sounds contained, but in 2026 "local" covers a lot of ground: every container on a shared Kubernetes node, every CI/CD job running untrusted code, every tenant on a shared host. A single unprivileged shell on any of those surfaces is enough.
The mitigation
The upstream patch is merged but distro packages are still pending. While waiting, the fastest mitigation is simple:
- Unload algif_aead if it's currently loaded
- Blacklist it so it cannot be reloaded
modprobe -r algif_aead 2>/dev/null || true
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
Doing this at scale on Kubernetes
Running that command manually on each node is not realistic. I put together a DaemonSet that deploys the mitigation to every node in the cluster automatically.
It runs as a privileged init container that:
- Verifies it's running on Amazon Linux (exits safely otherwise)
- Unloads algif_aead if present and logs an ALERT if it was loaded
- Writes the modprobe blacklist to the host filesystem
Once the init container finishes, only a minimal pause container remains — no lingering privileged process.
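The same three steps as a dry-runnable POSIX shell script, added here as an example and not the script from the kernel-mitigations repo; the os-release file, modules file, modprobe.d directory and node name are parameters (an assumption for testing), and the log lines follow the format of the expected output in this post.

```shell
# Added example, not the kernel-mitigations repo's own script. It mirrors the
# three steps the post describes; file paths are parameters so it can be
# dry-run against constructed inputs without root.
set -e

MODULE="algif_aead"

# 0 if the given os-release file identifies Amazon Linux (ID=amzn / ID="amzn").
is_amazon_linux() {
  grep -Eq '^ID="?amzn"?$' "${1:-/etc/os-release}" 2>/dev/null
}

# 0 if the module is listed in /proc/modules (module name is the first field).
module_loaded() {
  awk -v m="$MODULE" '$1 == m { found = 1 } END { exit !found }' \
    "${1:-/proc/modules}" 2>/dev/null
}

# Write the modprobe blacklist into the given directory and print its path.
# In the DaemonSet this directory is the host's /etc/modprobe.d mounted in.
write_blacklist() {
  conf="$1/disable-algif-aead.conf"
  mkdir -p "$1"
  printf 'install %s /bin/false\n' "$MODULE" > "$conf"
  echo "$conf"
}

# mitigate [os-release] [modules-file] [modprobe.d-dir] [node-name]
mitigate() {
  os_release="${1:-/etc/os-release}"
  modules_file="${2:-/proc/modules}"
  modprobe_d="${3:-/etc/modprobe.d}"
  node="${4:-$(uname -n)}"
  if ! is_amazon_linux "$os_release"; then
    echo "[mitigation] node=$node is not Amazon Linux, exiting"
    return 0
  fi
  echo "[mitigation] node=$node OS=Amazon Linux, proceeding"
  if module_loaded "$modules_file"; then
    echo "[mitigation] ALERT $MODULE was loaded on node=$node, unloading"
    modprobe -r "$MODULE" 2>/dev/null || true   # needs root; harmless otherwise
  else
    echo "[mitigation] $MODULE is not loaded on node=$node"
  fi
  conf=$(write_blacklist "$modprobe_d")
  echo "[mitigation] blacklist written: $conf on node=$node"
  echo "[mitigation] done on node=$node"
}
```

A built-in (non-modular) algif_aead can be neither unloaded nor blacklisted, so a run that reports "not loaded" only means something on kernels where it is a module.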
Install
helm upgrade --install cve-2026-31431-mitigation \
https://github.com/csepulveda/kernel-mitigations/archive/refs/heads/main.tar.gz \
--namespace kube-system
Verify
kubectl get pods -n kube-system -l app=cve-2026-31431-mitigation -o wide
kubectl logs -n kube-system <pod-name> -c mitigate
Expected output:
[mitigation] node=ip-x.x.x.x OS=Amazon Linux — proceeding
[mitigation] algif_aead is not loaded on node=ip-x.x.x.x
[mitigation] blacklist written: /host-modprobe-d/disable-algif-aead.conf on node=ip-x.x.x.x
[mitigation] done on node=ip-x.x.x.x
Uninstall when the patch lands
helm uninstall cve-2026-31431-mitigation -n kube-system
Repo
The image is published to ghcr.io, multi-arch (amd64 + arm64). The chart is in the same repo. The CI pipeline pins the exact image SHA in values.yaml after every build.
👉 github.com/csepulveda/kernel-mitigations
It's focused on EKS + Amazon Linux 2023 but the approach works on any Kubernetes cluster — the OS check in the script is the only AL-specific part. PRs welcome for other distributions or future CVEs.