WeSearch

Detection toolkit for CopyFail(CVE-2026-31431)

·1 min read · 0 reactions · 0 comments · 5 views
Detection toolkit for CopyFail(CVE-2026-31431)

Detection, mitigation, and IOC toolkit for Copy Fail CVE-2026-31431 Linux kernel page-cache privilege escalation - kadir/copy-fail-CVE-2026-31431-IOC

Original article
GitHub
Read full at GitHub →
Opening excerpt (first ~120 words) tap to expand

copyfail-detect Detection toolkit for CVE-2026-31431 ("Copy Fail"), a Linux kernel local privilege escalation technique that corrupts page-cache data without changing the file on disk. Why This Exists Copy Fail can bypass traditional file integrity monitoring because the on-disk file is not modified. This repository provides layered detection using auditd, eBPF, page-cache comparison, Sigma rules, and responder documentation. The eBPF monitor is the highest-fidelity detector: it watches AF_ALG activity, extracts authencesn bind attempts, tracks suspicious splice() usage, and correlates those events into a high-confidence exploit-chain alert.

Excerpt limited to ~120 words for fair-use compliance. The full article is at GitHub.

Anonymous · no account needed
Share 𝕏 Facebook Reddit LinkedIn Threads WhatsApp Bluesky Mastodon Email

Discussion

0 comments

More from GitHub

Can You Trust It? Open Source Framework
GitHub·2
OpenUsage: Track all your AI usage, in one panel
GitHub·5
Coding Stats
GitHub·5
Show HN: Iso.me – Open-source, on-device iOS location tracker
GitHub·3
Show HN: Homebutler – a single-binary homelab ops tool with backup drills
GitHub·5
Show HN: Agent-recall-AI – Auto-save for AI agents that die mid-task
GitHub·5