ctipilot.ch

Copy Fail — Linux kernel algif_aead LPE (ITW, KEV deadline 2026-05-15)

cve · CVE-2026-31431

Coverage timeline: 5 briefs, first 2026-05-06 → last 2026-05-17
Briefs: 5 (5 distinct)
Sources cited: 134 (65 hosts)
Sections touched: 3 (active_vulns, updates, weekly_summary)
Co-occurring entities: 7 (see Related entities below)

Story timeline

  1. 2026-05-17 · CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026)
     [weekly_summary] Consolidated in weekly summary for 2026-W20
  2. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
     [weekly_summary] Consolidated in weekly summary for week 2026-W19
  3. 2026-05-09 · CTI Daily Brief — 2026-05-09
     [updates] UPDATE: CISA KEV deadline 2026-05-15 approaching. Microsoft Security Blog confirms CVE-2026-31431 and CVE-2026-43284/43500 (Dirty Frag) used as complementary techniques in the same post-compromise campaign.
  4. 2026-05-07 · CTI Daily Brief — 2026-05-07
     [updates] UPDATE: Go and Rust exploit variants now publicly available; container-to-host escape vector validated by Kaspersky. KEV deadline 2026-05-15 unchanged.
  5. 2026-05-06 · CTI Daily Brief — 2026-05-06
     [active_vulns] First coverage. Active ITW exploitation confirmed; CISA KEV deadline 2026-05-15; deterministic 732-byte Python exploit; all Linux kernels 4.14-6.19.11 affected; container-to-host escalation risk. Deep dive in § 5.

Where this entity is cited

  • updates (2)
  • weekly_summary (2)
  • active_vulns (1)

Source distribution

  • attack.mitre.org: 20 (15%)
  • thehackernews.com: 16 (12%)
  • bleepingcomputer.com: 9 (7%)
  • microsoft.com: 4 (3%)
  • ubuntu.com: 4 (3%)
  • cisa.gov: 3 (2%)
  • helpnetsecurity.com: 3 (2%)
  • rapid7.com: 3 (2%)
  • other: 72 (54%)

Related entities

External references

NVD · cve.org · CISA KEV

Items in briefs about Copy Fail — Linux kernel algif_aead LPE (ITW, KEV deadline 2026-05-15) (1)

CVE-2026-31431 "Copy Fail" + CVE-2026-43284 / CVE-2026-43500 "Dirty Frag" — Linux kernel LPE pair confirmed in complementary post-compromise campaigns

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: Microsoft Security Blog observed active campaigns deploying both Linux LPE families post-compromise. The daily 2026-05-09 UPDATE summarised the operator-side selection logic as: Copy Fail (algif_aead page-cache write) on hosts where the algif_aead module is available; Dirty Frag (xfrm-ESP and RxRPC page-cache writes) on hosts where unprivileged user namespaces are enabled but algif_aead is not. Microsoft documents the same initial-access vector (SSH credential stuffing on exposed management ports) feeding both chains, and both defeat conventional on-disk file-integrity monitoring because the write lands in the kernel page cache rather than on disk (Microsoft Security Blog, 2026-05-08 · daily 2026-05-09 update).

Copy Fail (CVE-2026-31431, CVSS 7.8) is deterministic: no kernel-version-specific offsets, no timing windows. A public 732-byte Python exploit exists, Go and Rust reimplementations have appeared in public code repositories, and Kaspersky validated the container-to-host escape on Docker / LXC / Kubernetes when algif_aead is loaded on the host kernel (the default on most distributions) (CERT-EU Advisory 2026-005, 2026-04-30 · Unit 42 — Copy Fail · BSI WID-SEC-2026-1232 · daily 2026-05-06 deep dive).

Dirty Frag chains CVE-2026-43284 (xfrm-ESP / IPsec) with CVE-2026-43500 (RxRPC) into another deterministic root primitive, using page-cache write primitives in both subsystems. Researcher Hyunwoo Kim disclosed it on 2026-05-07/08 after a third party reverse-engineered the upstream patch and broke the embargo. Distro patches for CVE-2026-43500 remain pending at week-end (Wiz Research, 2026-05-08 · Red Hat RHSB-2026-003 · Ubuntu — Dirty Frag fixes-available · NCSC-CH 12547 · daily 2026-05-09).

Both map to T1068 Exploitation for Privilege Escalation and T1548.001 Setuid and Setgid Abuse. Defenders should treat file-integrity monitoring as insufficient detection for either family. Runtime detection should key on auditd execve records for /usr/bin/su, /usr/bin/sudo and /usr/bin/passwd with anomalous parent processes, EDR process-ancestry rules for root obtained from non-root contexts, and (for Copy Fail specifically) eBPF or EDR alerts on AF_ALG socket creation inside container namespaces.
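The auditd half of that detection advice, as an added example that is not code from the brief or from any vendor it cites: the rules tag execve of the three setuid binaries the brief names, and an awk pass joins the resulting SYSCALL records to a `ps -eo pid,comm` snapshot (auditd records the ppid but not the parent's name) and flags executions whose parent is outside an allowlist or no longer exists. The audit records, the ps snapshot, the key name `copyfail_suid` and the allowlist are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the ctipilot.ch brief or any vendor it cites.
# (1) auditd rules for execve of the setuid binaries the brief names, and
# (2) a parent-process check over the SYSCALL records those rules produce.
# Audit records, ps snapshot and allowlist below are constructed for the example.

# (1) One rule per binary per ABI, all tagged with the key "copyfail_suid".
copyfail_audit_rules() {
    for bin in /usr/bin/su /usr/bin/sudo /usr/bin/passwd; do
        for arch in b64 b32; do
            printf -- '-a always,exit -F arch=%s -S execve -F path=%s -k copyfail_suid\n' "$arch" "$bin"
        done
    done
}

# Parents that legitimately spawn su/sudo/passwd (constructed; tune per host).
COPYFAIL_PARENT_ALLOW="bash sh zsh dash sshd login systemd cron"

# (2) flag_anomalous_suid_exec AUDIT_FILE PS_FILE
# AUDIT_FILE holds auditd SYSCALL records; PS_FILE is `ps -eo pid,comm` captured at the
# same time, which supplies the parent's name for the ppid auditd logs.
# Prints one line per execve whose parent is not allowlisted (or is not in the snapshot).
flag_anomalous_suid_exec() {
    awk -v allow="$COPYFAIL_PARENT_ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        FILENAME == ARGV[1] { if ($1 ~ /^[0-9]+$/) comm[$1] = $2; next }   # ps snapshot
        /type=SYSCALL/ && /key="copyfail_suid"/ {
            pid = ppid = exe = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "pid") pid = kv[2]
                else if (kv[1] == "ppid") ppid = kv[2]
                else if (kv[1] == "exe") { exe = kv[2]; gsub(/"/, "", exe) }
            }
            parent = (ppid in comm) ? comm[ppid] : "unknown"
            if (!(parent in ok))
                printf "pid=%s ppid=%s parent=%s exe=%s\n", pid, ppid, parent, exe
        }' "$2" "$1"
}

# Constructed ps snapshot: an interactive shell (1120) and a scripted intruder (2200).
copyfail_sample_ps() {
    cat <<'EOF'
    PID COMMAND
      1 systemd
   1120 bash
   2200 python3
   2204 sshd
EOF
}

# Constructed audit records: su from bash (benign), su from python3 (flag),
# passwd from a parent that has already exited (flag), and an untagged ls (ignored).
copyfail_sample_audit() {
    cat <<'EOF'
type=SYSCALL msg=audit(1778367000.101:2201): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1120 pid=1345 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 tty=pts0 ses=3 comm="su" exe="/usr/bin/su" key="copyfail_suid"
type=SYSCALL msg=audit(1778367000.417:2202): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2200 pid=2318 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 tty=(none) ses=4294967295 comm="su" exe="/usr/bin/su" key="copyfail_suid"
type=SYSCALL msg=audit(1778367001.002:2203): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=9999 pid=2330 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 tty=(none) ses=4294967295 comm="passwd" exe="/usr/bin/passwd" key="copyfail_suid"
type=SYSCALL msg=audit(1778367001.220:2204): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1120 pid=2340 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
EOF
}

# Runs the check over the constructed data; prints the two flagged executions.
copyfail_demo() {
    t=$(mktemp -d) || return 1
    copyfail_sample_ps > "$t/ps.txt"
    copyfail_sample_audit > "$t/audit.log"
    flag_anomalous_suid_exec "$t/audit.log" "$t/ps.txt"
    rm -rf "$t"
}

if [ "${1:-}" = "demo" ]; then copyfail_demo; fi
```

Load the rules with `copyfail_audit_rules > /etc/audit/rules.d/copyfail.rules && augenrules --load`, then feed `ausearch -k copyfail_suid --raw` and a concurrent ps snapshot to the check. The snapshot join is the weak point: a parent that exits before the snapshot shows up as `unknown`, which the check deliberately flags rather than ignores, since a short-lived loader is exactly what a scripted exploit looks like.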

Mitigation hierarchy when patches are not yet deployable:

  • Kernel patches first: Ubuntu 6.1.98-1ubuntu1, RHEL kernel-5.14.0-503.14.1, Debian 12 pending at week-end; upstream 6.18.22 / 6.19.12 / 7.0 for Copy Fail.
  • Blacklist algif_aead via modprobe.d and run update-initramfs -u (Copy Fail).
  • modprobe -r esp4 esp6 rxrpc (Dirty Frag; breaks IPsec VPNs and AFS).
  • seccomp profiles blocking AF_ALG socket creation for containerised workloads (Copy Fail).
  • Disable unprivileged user namespaces (sysctl kernel.unprivileged_userns_clone=0 on Ubuntu / Debian, user.max_user_namespaces=0 on RHEL) to remove CAP_NET_ADMIN as a default acquisition path for Dirty Frag.
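The non-patch host-side steps of that hierarchy as one shell script, added here as an example and not taken from the brief or any cited vendor: it writes the algif_aead blacklist, emits a seccomp profile that denies socket(AF_ALG) inside containers, and picks the user-namespace sysctl by distro family. The conf file names, the /etc/docker path and the ID/ID_LIKE mapping are the example's own assumptions; the sysctl names are the ones the brief gives, and a kernel that lacks the chosen sysctl will simply reject the write. The blacklist adds an `install algif_aead /bin/false` line on top of `blacklist`, because `blacklist` alone only stops alias autoload and an explicit modprobe would still succeed.

```shell
#!/bin/sh
# Added example, not code from the ctipilot.ch brief or any vendor it cites.
# Generates the Copy Fail / Dirty Frag host mitigations the brief lists and applies
# them only when invoked as "apply" (needs root). Paths and the distro-family
# mapping are assumptions of this example.

# modprobe.d content. "blacklist" stops alias autoload only; "install ... /bin/false"
# also refuses an explicit modprobe. algif_skcipher and algif_hash are separate
# modules and stay loadable.
algif_aead_modprobe_conf() {
    printf 'blacklist algif_aead\ninstall algif_aead /bin/false\n'
}

# module_loaded NAME [MODULES_FILE]: true if NAME is listed in /proc/modules
# (or in the given file, for testing without root).
module_loaded() {
    grep -q "^$1 " "${2:-/proc/modules}"
}

# Docker/containerd seccomp profile: socket(AF_ALG, ...) returns EPERM (errno 1).
# AF_ALG is 38 on Linux. In production merge the "syscalls" entry into the runtime's
# default profile instead of shipping defaultAction ALLOW on its own.
AF_ALG=38
af_alg_seccomp_profile() {
    cat <<EOF
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "args": [{ "index": 0, "value": $AF_ALG, "op": "SCMP_CMP_EQ" }]
    }
  ]
}
EOF
}

# userns_sysctl_line [OS_RELEASE_FILE]: the sysctl the brief gives for this distro
# family (Dirty Frag mitigation); returns 1 for families the brief does not cover.
userns_sysctl_line() {
    ids=$(sed -n 's/^ID=//p; s/^ID_LIKE=//p' "${1:-/etc/os-release}" | tr -d '"' | tr '\n' ' ')
    case " $ids " in
        *" debian "*|*" ubuntu "*)            echo "kernel.unprivileged_userns_clone=0" ;;
        *" rhel "*|*" fedora "*|*" centos "*) echo "user.max_user_namespaces=0" ;;
        *) return 1 ;;
    esac
}

# Applies everything above. The blacklist is effective only after the initramfs is
# rebuilt and, if algif_aead is already loaded, after it is unloaded or the host rebooted.
apply_copyfail_mitigations() {
    algif_aead_modprobe_conf > /etc/modprobe.d/blacklist-algif_aead.conf
    if command -v update-initramfs >/dev/null 2>&1; then update-initramfs -u
    elif command -v dracut >/dev/null 2>&1; then dracut -f; fi
    if module_loaded algif_aead; then
        modprobe -r algif_aead || echo "algif_aead in use; reboot required" >&2
    fi
    if line=$(userns_sysctl_line); then
        echo "$line" > /etc/sysctl.d/99-copyfail-userns.conf
        sysctl -p /etc/sysctl.d/99-copyfail-userns.conf
    fi
    mkdir -p /etc/docker
    af_alg_seccomp_profile > /etc/docker/seccomp-no-afalg.json
    echo "run containers with --security-opt seccomp=/etc/docker/seccomp-no-afalg.json"
}

if [ "${1:-}" = "apply" ]; then apply_copyfail_mitigations; fi
```

Two caveats for the practitioner: the seccomp entry refuses every AF_ALG socket, not only AEAD algorithms, so a container that reaches the kernel crypto API through AF_ALG loses it; and `modprobe -r algif_aead` fails while any AF_ALG AEAD socket is open, in which case the blacklist only takes effect at the next boot, so check `module_loaded algif_aead` again afterwards.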