CVE-2026-31431: Copy Fail vs. rootless containers
CVE-2026-31431, also known as 'Copy Fail', is a Linux kernel vulnerability that can be exploited to achieve privilege escalation by overwriting system binaries with malicious ELF executables. The exploit replaces the /usr/bin/su binary with a compact, golfed ELF payload designed to execute setuid(0) and spawn a shell. However, rootless container environments like rootless Podman can prevent the escalation by restricting access to privileged operations.
- CVE-2026-31431 allows privilege escalation by exploiting a flaw in the Linux kernel's scatterlist handling.
- The public exploit replaces /usr/bin/su with a compressed, golfed ELF binary that calls setuid(0) and execve('/bin/sh').
- Rootless containers, such as those using Podman, block the exploit's escalation due to restricted user namespace mappings.
- The shellcode uses ELF golfing techniques to remove section headers and reduce size, evading standard disassembly tools.
- eBPF tracing was used to observe the kernel rejecting the escalation attempt in real time.
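The "restricted user namespace mappings" point is concrete enough to check from inside a container. The kernel exposes the mapping in /proc/self/uid_map, one line per range in the form `<id inside namespace> <id on host> <count>` (documented in user_namespaces(7)). In a rootless Podman container uid 0 maps to the unprivileged user who started Podman, so a write to a root-owned host file fails at the VFS permission check even though the process "is root" inside the namespace. The parser below is an added example, not code from the article or from Podman; the two sample uid_map contents are constructed to illustrate the host (initial namespace) case and a typical rootless layout, and the live check at the bottom only reads the current process's own mapping.

```python
"""Decide whether in-container uid 0 is real host root from a uid_map.

Added illustration, not code from the article or from Podman. The uid_map
format (inside_id host_id count) is the real one from user_namespaces(7);
the two sample maps below are constructed for demonstration.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Constructed sample: the initial user namespace maps everything 1:1.
HOST_INIT_NS = "         0          0 4294967295\n"

# Constructed sample: a rootless Podman container started by host uid 1000,
# with subordinate uids 100000-165535 assigned in /etc/subuid.
ROOTLESS_PODMAN = (
    "         0       1000          1\n"
    "         1     100000      65536\n"
)

OVERFLOW_UID = 65534  # what an unmapped host id looks like from inside


@dataclass(frozen=True)
class IdRange:
    inside: int   # first id as seen inside the namespace
    outside: int  # first id as seen by the host kernel
    count: int    # length of the contiguous range

    def to_host(self, inside_id: int) -> Optional[int]:
        if self.inside <= inside_id < self.inside + self.count:
            return self.outside + (inside_id - self.inside)
        return None

    def to_inside(self, host_id: int) -> Optional[int]:
        if self.outside <= host_id < self.outside + self.count:
            return self.inside + (host_id - self.outside)
        return None


def parse_uid_map(text: str) -> List[IdRange]:
    """Parse uid_map/gid_map text; reject lines that are not three integers."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive range length: {line!r}")
        ranges.append(IdRange(inside, outside, count))
    return ranges


def host_uid_for(ranges: List[IdRange], inside_id: int) -> Optional[int]:
    """Host uid that the kernel uses for permission checks; None if unmapped."""
    for r in ranges:
        host = r.to_host(inside_id)
        if host is not None:
            return host
    return None


def inside_uid_for(ranges: List[IdRange], host_id: int) -> Optional[int]:
    """How a host-owned file's owner appears inside; None means overflowuid."""
    for r in ranges:
        inside = r.to_inside(host_id)
        if inside is not None:
            return inside
    return None


def container_root_is_host_root(text: str) -> bool:
    """True only when uid 0 inside the namespace is uid 0 on the host."""
    return host_uid_for(parse_uid_map(text), 0) == 0


def describe(text: str) -> str:
    """Human-readable verdict for a uid_map, used by the live check below."""
    ranges = parse_uid_map(text)
    host_root = host_uid_for(ranges, 0)
    owner_seen = inside_uid_for(ranges, 0)
    owner_txt = OVERFLOW_UID if owner_seen is None else owner_seen
    if host_root == 0:
        return "uid 0 here is host root: root-owned files are writable"
    return (f"uid 0 here is host uid {host_root}: root-owned host files "
            f"appear owned by uid {owner_txt} and are not writable")


if __name__ == "__main__":
    # Live check of the current process's own mapping (read-only).
    print(describe(Path("/proc/self/uid_map").read_text()))
```

Run it inside a rootless container and on the host to see the two verdicts side by side; the same parser works for /proc/self/gid_map, which matters when a payload relies on group ownership instead.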
Opening excerpt (first ~120 words)
CVE-2026-31431: Copy Fail vs. rootless containers
04 May 2026

Table of Contents
- Introduction
- The vulnerability
- Analyzing the shellcode
- Setting up the lab
- Setting up rootless Podman
- Running the exploit inside a container
- Tracing the exploit mechanism
- Why rootless containers stopped the escalation
- Catching the kernel in the act with eBPF
- The uid_map proof
- Conclusions

Introduction

In the previous post about SELinux MCS and GitLab runners, I briefly mentioned CVE-2026-31431 (“Copy Fail”) as a motivating example for per-job VM isolation. After that post went out I spent the weekend setting up a lab to actually run the exploit, trace it at the syscall level, and verify that the rootless Podman architecture we deploy on GNOME’s runners would contain it.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Hacker News: Front Page.