This issue has been assessed as high severity. Review affected configurations immediately.
Overview
CVE-2026-31431, nicknamed “Copy Fail,” is a local privilege escalation vulnerability in the Linux kernel’s algif_aead module — the AF_ALG socket interface used to expose in-kernel cryptographic operations to userspace. The bug sits at the interaction between AF_ALG sockets and splice(): when a process splices data into an AEAD-mode AF_ALG socket under specific timing conditions, a reference-count error allows a 4-byte write into an attacker-controlled offset within a kernel page cache page. Exploited correctly, this yields kernel code execution and full root on the host node.
CERT-EU issued advisory CERT-EU 2026-005 in late June 2026 flagging the vulnerability as actively targeted in cloud-hosted Kubernetes environments. IBM Cloud Kubernetes Service versions 1.32 through 1.35 were confirmed affected. CVSS 3.1 base score: 7.8 (High) — Local attack vector, Low privileges required, No user interaction, High impact across confidentiality, integrity, and availability.
Technical Detail
The algif_aead module provides an AF_ALG socket type that lets userspace request AEAD (Authenticated Encryption with Associated Data) operations via sendmsg()/recvmsg(). The vulnerability arises when splice() is used instead of sendmsg() to feed data into the socket.
During a splice operation into an AEAD socket, the kernel must track page references for the splice pipe buffer. A race condition in the reference cleanup path causes a page reference to be decremented one time too many, eventually making a page cache page appear unreferenced while still mapped into userspace. An attacker who wins this race can then write 4 bytes to a kernel-managed page while the kernel treats the page as free, overlapping with kernel data structures in the page cache.
The exploit chain in public PoC code (circulating since June 28, 2026) uses this primitive to overwrite a cred struct in the page cache, elevating the calling process to uid=0.
Conditions for exploitation:
- Attacker must have an unprivileged shell on the node or inside a container with
CAP_NET_ADMIN— or a container with access to/dev/cryptowhere the kernel module is loaded - Kernel must have
algif_aeadloaded (auto-loads on most distributions when AF_ALG sockets are used) - Exploit is timing-sensitive but reliable on single-core and multi-core nodes with the right CPU pinning
Affected kernel versions: 5.10 through 6.8 (mainline fix landed in 6.9-rc2). Most Kubernetes node images shipping kernels in this range are exposed.
Cloud Kubernetes Impact
IBM Cloud Kubernetes Service
IBM Cloud KS node pools running kernel images for versions 1.32, 1.33, 1.34, and 1.35 ship kernels in the vulnerable range. IBM has issued patched worker node images; the fix requires draining and replacing worker nodes, not just an in-place kernel update, due to how IBM KS provisions node images.
IBM Security Advisory: customers should update to the patched worker node image via ibmcloud ks worker replace or by triggering a node pool update through the IBM Cloud console.
Kubernetes-Specific Risk Amplifier
In Kubernetes deployments, this vulnerability is more dangerous than a standard LPE because:
- Container escape path: An attacker who achieves initial code execution inside a container — via application RCE, supply chain compromise, or a misconfigured pod — can use CVE-2026-31431 to escape to the host node. This bypasses namespace and seccomp boundaries.
- Node-to-cluster lateral movement: From root on a node, an attacker can access node-local kubeconfig or service account tokens mounted into pods, pivot to the Kubernetes API server, and potentially compromise the entire cluster depending on RBAC configuration.
- Privileged pod bypass: Even workloads running without
privileged: trueare exposed if the kernel module loads and the splice path is accessible from the container network stack.
Affected Configurations
| Platform | Affected Versions | Patch Status |
|---|---|---|
| IBM Cloud Kubernetes Service | 1.32.x — 1.35.x | Patched worker node images available |
| Self-managed clusters (Ubuntu 22.04) | Kernel < 6.9 | Ubuntu HWE kernel 6.8 patch backported |
| Self-managed clusters (RHEL 9 / Rocky 9) | Kernel < 5.14.0-503 | RHSA-2026:4821 |
| Self-managed clusters (Amazon Linux 2023) | Kernel < 6.1.94 | AL2023 advisory ALAS2023-2026-651 |
| Google GKE | Node images updated June 26, 2026 | Auto-updated for Standard mode; Autopilot unaffected |
| Azure AKS | AKS node images updated June 27, 2026 | Requires node pool upgrade |
| EKS | AMI updated June 28, 2026 | Requires managed node group update |
Immediate Hardening Steps
1. Patch First
For IBM Cloud KS, replace worker nodes with patched images:
# List worker nodes in affected pool
ibmcloud ks workers --cluster <cluster-name>
# Replace each worker node (drains automatically)
ibmcloud ks worker replace --cluster <cluster-name> --worker <worker-id>
For self-managed clusters, update the kernel package and reboot:
# RHEL/Rocky 9
dnf update kernel -y && reboot
# Ubuntu 22.04 with HWE
apt-get update && apt-get install --only-upgrade linux-image-generic-hwe-22.04 -y && reboot
2. Unload algif_aead if Not Required
If your workloads do not use AEAD kernel crypto via AF_ALG sockets, unload the module:
# Check if loaded
lsmod | grep algif_aead
# Unload
rmmod algif_aead
# Prevent auto-load (add to module blacklist)
echo "blacklist algif_aead" >> /etc/modprobe.d/security-hardening.conf
3. Block Module Load via Kubernetes
Apply a DaemonSet or use your node configuration management to prevent the module from loading on all nodes:
apiVersion: v1
kind: ConfigMap
metadata:
name: kernel-module-blacklist
namespace: kube-system
data:
security-hardening.conf: |
blacklist algif_aead
blacklist algif_skcipher
4. Restrict AF_ALG Socket Access with Seccomp
Deploy a seccomp profile that blocks socket(AF_ALG, ...) calls for workloads that don’t require kernel crypto:
{
"defaultAction": "SCMP_ACT_ERRNO",
"syscalls": [
{
"names": ["socket"],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 38,
"op": "SCMP_CMP_NE"
}
]
}
]
}
38 is AF_ALG on Linux. This allows all socket() calls except those targeting AF_ALG.
5. Enable Node-Level AppArmor / SELinux
Nodes running AppArmor or SELinux with enforcing policies significantly raise the bar for exploitation. Verify your node profile actively denies unexpected kernel module loads:
# AppArmor: check enforcement status
aa-status
# SELinux: verify enforcing
getenforce
Detection Guidance
Indicators of Exploitation Attempt
- Processes calling
socket(AF_ALG, SOCK_SEQPACKET, ...)followed bysplice()with AEAD algorithm specification from unexpected processes dmesgoutput containing reference count underflows inalgif_aeadcode path- Unexpected uid=0 processes spawned from non-root parent containers
Kubernetes Audit Logging
Enable and review Kubernetes audit logs for:
- Pod creation with
privileged: trueorhostPID: truefollowing unusual events on a node - Service account token requests from unexpected pods shortly after node-level anomalies
- New ClusterRoleBindings or RoleBindings created by non-admin service accounts
Falco Rule
- rule: AF_ALG Socket from Container
desc: Detects AF_ALG socket creation from a container process, possible CVE-2026-31431 exploitation attempt
condition: >
syscall.type = socket and
socket.domain = AF_ALG and
container.id != host
output: >
AF_ALG socket created in container (user=%user.name container=%container.name
image=%container.image.repository proc=%proc.name pid=%proc.pid)
priority: WARNING
tags: [container, CVE-2026-31431, network]