Detection, mitigation, and IOC toolkit for Copy Fail CVE-2026-31431 Linux kernel page-cache privilege escalation
Updated Apr 30, 2026 - Python
CopyFail (CVE-2026-31431): Linux kernel page-cache PrivEsc PoC + the only public detection tool. Novel PAM auth-bypass vector + Sigma/auditd/eBPF rules.
Copy Fail exploit (CVE-2026-31431) but in Rust.
Defense-in-depth primitives for CVE-2026-31431 (Copy Fail) — kernel detection probe and LD_PRELOAD AF_ALG block
CVE-2026-31431 - Copy Fail | Linux LPE via authencesn page cache write. Unprivileged user to root on most distros since 2017. PoC in C and Python.
CVE-2026-31431 (copy.fail) — adapted for constrained Java execution environments via FFM syscall layer + javac annotation processor delivery
Detects if any running pid uses AF_ALG, to help with https://copy.fail mitigations (seeing if it's safe to turn off the AF_ALG module)
SELinux/IdM proof of concept for confining privileged automation identities and blocking exploit surfaces such as Copy Fail with AAP-aware policy gates.