Repository: kadir/copy-fail-CVE-2026-31431-IOC
Description: Detection, mitigation, and IOC toolkit for Copy Fail CVE-2026-31431 Linux kernel page-cache privilege escalation
Language: Python | License: MIT License | Default branch: main | Stars: 31 | Forks: 1 | Open issues: 1 | Last updated: 2026-06-12 04:01:31
Topics: copy-fail, copyfail, cve-2026-31431, incident-response, ioc, linux, linux-kernel, privilege-escalation, yara

Summary: This project is a detection, mitigation, and IOC toolkit for CVE-2026-31431 ("Copy Fail"), a Linux kernel vulnerability that corrupts page-cache data to achieve local privilege escalation. Its core functions are layered detection through auditd rules, eBPF monitoring, page-cache comparison, Sigma rules, and responder documentation; in particular, the eBPF monitor tracks AF_ALG activity with high fidelity, extracts `authencesn` bind attempts and suspicious `splice()` usage, and correlates those events into a high-confidence exploit-chain alert. It is intended for Linux environments that need to defend against, or investigate, page-cache tampering that leaves the on-disk file unchanged, and gives security teams tooling from real-time monitoring through post-incident analysis.

# copyfail-detect

Detection toolkit for CVE-2026-31431 ("Copy Fail"), a Linux kernel local
privilege escalation technique that corrupts page-cache data without changing
the file on disk.

## Why This Exists

Copy Fail can bypass traditional file integrity monitoring because the on-disk
file is not modified. This repository provides layered detection using auditd,
eBPF, page-cache comparison, Sigma rules, and responder documentation.

The eBPF monitor is the highest-fidelity detector: it watches AF_ALG activity,
extracts `authencesn` bind attempts, tracks suspicious `splice()` usage, and
correlates those events into a high-confidence exploit-chain alert.

## Quick Start

Check whether the risky kernel crypto surface is exposed:

```bash
python3 check/is_vulnerable.py
```

Apply the immediate mitigation, which disables the `algif_aead` AF_ALG interface:

```bash
sudo bash mitigate/disable_algif_aead.sh
```

Deploy the auditd detection rules, then query the events they tag:

```bash
sudo cp detect/auditd/copyfail.rules /etc/audit/rules.d/
sudo augenrules --load
sudo ausearch -k copyfail_af_alg
```

Run the real-time eBPF monitor (plain output, or JSON for SIEM ingestion):

```bash
sudo python3 detect/ebpf/copyfail_monitor.py
sudo python3 detect/ebpf/copyfail_monitor.py --json
```

Check for page-cache tampering after suspected exploitation:

```bash
sudo python3 detect/pagecache-check/pagecache_diff.py
```

## Detection Layers

| Layer | What It Catches | When | Tool |
|---|---|---|---|
| eBPF monitor | AF_ALG, `authencesn`, `splice()`, exploit-chain correlation | During exploitation | bcc/bpftrace |
| Auditd rules | AF_ALG socket creation, suspicious syscalls, sensitive file reads | During exploitation | auditd |
| Page-cache diff | In-memory file data diverging from disk | After exploitation | Python |
| Sigma rules | SIEM alerts from audit/syslog telemetry | During/after exploitation | SIEM |
| IOC docs | Responder checklist and YARA rule | Investigation | docs |

## Repository Layout

```text
check/                  Safe exposure and sentinel checks
detect/auditd/          auditd rules and deployment notes
detect/ebpf/            bcc and bpftrace real-time monitors
detect/pagecache-check/ Page-cache vs disk comparison
detect/sigma/           Sigma rules for SIEMs
docs/                   Detection, IOC, architecture, and forensics guides
mitigate/               Local and Ansible mitigation helpers
tests/                  Syntax and unit tests
```

## Safety Notes

The vulnerability checker only uses a temporary sentinel file and never targets
system files. The page-cache diff tool is a detective control: reading through
it may evict the corrupted page it is checking, so capture memory first if you
need forensic evidence.

## References

- Research and disclosure credit: Theori / Xint Code
- Disclosure: https://copy.fail/
- Technical writeup: https://xint.io/blog/copy-fail-linux-distributions
- CVE: CVE-2026-31431
- Kernel fix: commit `a664bf3d603d`
- Theori PoC: https://github.com/theori-io/copy-fail-CVE-2026-31431

## Acknowledgements

Thanks to Theori and Xint Code for surfacing, analyzing, and responsibly
disclosing Copy Fail. This repository builds on their public research so
defenders can detect, mitigate, and investigate CVE-2026-31431 safely.
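The page-cache versus disk comparison that the Detection Layers table and the Safety Notes describe, written here as an added example for this page; it is not the project's own `detect/pagecache-check/pagecache_diff.py`. It reads a file once through the page cache (a normal buffered read) and once with `O_DIRECT`, which asks the kernel to fetch the blocks from the device instead of serving resident pages, then reports every page where the two copies disagree. The function names (`read_cached`, `read_direct`, `diverging_pages`, `check_file`, `selfcheck`) and the sentinel content are this example's own. It assumes Linux and a filesystem that honours `O_DIRECT`; it never drops caches, but whether a direct read disturbs cached pages is filesystem-specific, so the README's advice to capture memory first still applies when evidence matters.

```python
"""Page-cache vs on-disk comparison for one file (added example, not the
project's pagecache_diff.py). Reads the file through the page cache and again
with O_DIRECT, then reports pages where the two copies differ."""
import mmap
import os
import tempfile

PAGE = mmap.PAGESIZE
O_DIRECT = getattr(os, "O_DIRECT", None)   # Linux only


def read_cached(path):
    """Buffered read: resident pages are served from the page cache, so this
    returns whatever the cache currently holds, corrupted or not."""
    with open(path, "rb") as f:
        return f.read()


def read_direct(path):
    """O_DIRECT read: the kernel fetches the blocks from the device rather than
    from cached pages. O_DIRECT needs a block-aligned buffer, offset and length,
    so the buffer is an anonymous mmap (page aligned) and every read starts at
    a page multiple. Raises OSError where O_DIRECT is unsupported (for example
    tmpfs on older kernels)."""
    if O_DIRECT is None:
        raise OSError("O_DIRECT is not available on this platform")
    fd = os.open(path, os.O_RDONLY | O_DIRECT)
    try:
        size = os.fstat(fd).st_size
        if size == 0:
            return b""
        buf = mmap.mmap(-1, -(-size // PAGE) * PAGE)   # round up to whole pages
        view = memoryview(buf)
        try:
            got = 0
            while got < size:
                n = os.preadv(fd, [view[got:]], got)   # short read only at EOF
                if n <= 0:
                    break
                got += n
            return bytes(view[:min(got, size)])
        finally:
            view.release()   # mmap.close() refuses while a view is exported
            buf.close()
    finally:
        os.close(fd)


def diverging_pages(cached, on_disk, page=PAGE):
    """One entry per page where the cached copy disagrees with the on-disk
    copy. Copy Fail corrupts page contents, not the inode size, so a length
    mismatch means something else happened and is raised rather than hidden."""
    if len(cached) != len(on_disk):
        raise ValueError(f"length mismatch: cached={len(cached)} disk={len(on_disk)}")
    diffs = []
    for start in range(0, len(cached), page):
        a = cached[start:start + page]
        b = on_disk[start:start + page]
        if a != b:
            first = next(i for i, (x, y) in enumerate(zip(a, b)) if x != y)
            diffs.append({"page": start // page, "offset": start + first,
                          "cached": a[first:first + 16], "disk": b[first:first + 16]})
    return diffs


def check_file(path):
    """Sample the cached copy first so nothing the check does can disturb it
    before it is captured, then read the on-disk copy. Returns the list of
    diverging pages, or None when the filesystem refuses O_DIRECT."""
    cached = read_cached(path)
    try:
        on_disk = read_direct(path)
    except OSError:
        return None
    return diverging_pages(cached, on_disk)


def selfcheck():
    """Write a constructed sentinel file spanning two pages and compare it; on
    an unaffected system this returns [] (None if O_DIRECT is unavailable)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"copyfail sentinel\n" * 300)   # constructed content, 5400 bytes
        path = f.name
    try:
        return check_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        result = check_file(target)
        print(target, "O_DIRECT unsupported" if result is None else (result or "clean"))
    print("selfcheck:", selfcheck())
```

Run it as root against the sensitive files a responder cares about (`python3 pagecache_compare.py /etc/passwd /etc/shadow`, where the script name is whatever you saved the example as); a non-empty result lists the page index, byte offset and the first 16 bytes of each copy, which is what you would carry into the memory capture. A `None` result is not a clean verdict, only a sign that the filesystem does not support direct reads.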
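The exploit-chain correlation the README attributes to the eBPF monitor (AF_ALG socket, `authencesn` bind attempt, `splice()`, joined per process into one alert), reimplemented here over auditd-style records as an added example; this is not the project's `copyfail_monitor.py` or its audit rules. The records are constructed for this example and simplified (real SYSCALL lines carry many more fields); syscall numbers are x86_64 (`arch=c000003e`), `sockaddr_alg` is decoded assuming a little-endian host, and the `authencesn(hmac(sha256),cbc(aes))` string, process names and key name are illustrative. Function names are this example's own.

```python
"""Exploit-chain correlation over auditd-style records (added example, not the
project's eBPF monitor). Joins SYSCALL and SOCKADDR records by audit serial,
decodes AF_ALG bind targets, and alerts when one pid creates an AF_ALG socket,
binds an authencesn template and then calls splice() inside a time window.
Assumes x86_64 syscall numbers (arch=c000003e) and a little-endian host."""
import re
import struct
from collections import defaultdict

AF_ALG = 38                                      # linux/socket.h
SYS_SOCKET, SYS_BIND, SYS_SPLICE = 41, 49, 275   # x86_64 syscall numbers
SOCKADDR_ALG = struct.Struct("<H14sII64s")       # family, salg_type, feat, mask, salg_name

TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MSG = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Flatten one audit record into a dict; ts and serial come from msg=audit(ts:serial)."""
    rec = {}
    for key, quoted, bare in TOKEN.findall(line):
        rec[key] = quoted if quoted else bare
    m = MSG.search(rec.get("msg", ""))
    if m is None:
        raise ValueError("record has no audit(ts:serial): " + line)
    rec["ts"], rec["serial"] = float(m.group(1)), int(m.group(2))
    return rec


def decode_sockaddr_alg(saddr_hex):
    """(salg_type, salg_name) for an AF_ALG sockaddr logged as hex, else None."""
    raw = bytes.fromhex(saddr_hex)
    if len(raw) < 2 or struct.unpack_from("<H", raw, 0)[0] != AF_ALG:
        return None
    fixed = raw[:SOCKADDR_ALG.size].ljust(SOCKADDR_ALG.size, b"\0")
    _, salg_type, _, _, salg_name = SOCKADDR_ALG.unpack(fixed)
    return (salg_type.split(b"\0", 1)[0].decode("ascii", "replace"),
            salg_name.split(b"\0", 1)[0].decode("ascii", "replace"))


def make_sockaddr_alg(salg_type, salg_name):
    """Hex form of a sockaddr_alg as auditd logs it; used only to build the sample."""
    return SOCKADDR_ALG.pack(AF_ALG, salg_type.encode(), 0, 0, salg_name.encode()).hex()


def correlate(lines, window=30.0):
    """One alert per pid that bound an authencesn AF_ALG socket: severity high
    when socket -> bind -> splice() all fall within `window` seconds, medium
    when the splice() leg is missing or late. Bind attempts count even when
    they fail: a bind refused after mitigation is still a probe."""
    recs = [parse_record(l) for l in lines if l.strip()]
    by_serial = {r["serial"]: r for r in recs if r["type"] == "SYSCALL"}
    stages, comm = defaultdict(dict), {}
    for r in recs:
        if r["type"] == "SYSCALL":
            pid, nr = int(r["pid"]), int(r["syscall"])
            comm[pid] = r.get("comm", "?")
            if r.get("success") != "yes":
                continue
            if nr == SYS_SOCKET and int(r.get("a0", "0"), 16) == AF_ALG:
                stages[pid].setdefault("af_alg_socket", r["ts"])
            elif nr == SYS_SPLICE:
                stages[pid].setdefault("splices", []).append(r["ts"])
        elif r["type"] == "SOCKADDR":
            sc = by_serial.get(r["serial"])      # the bind() this address belongs to
            if sc is None or int(sc["syscall"]) != SYS_BIND:
                continue
            decoded = decode_sockaddr_alg(r["saddr"])
            if decoded and decoded[1].startswith("authencesn("):
                stages[int(sc["pid"])].setdefault("authencesn_bind", sc["ts"])
    alerts = []
    for pid, seen in sorted(stages.items()):
        if "af_alg_socket" not in seen or "authencesn_bind" not in seen:
            continue
        t_sock, t_bind = seen["af_alg_socket"], seen["authencesn_bind"]
        t_splice = next((t for t in sorted(seen.get("splices", [])) if t >= t_bind), None)
        if t_sock <= t_bind and t_splice is not None and t_splice - t_sock <= window:
            alerts.append({"pid": pid, "comm": comm.get(pid), "severity": "high",
                           "stages": ["af_alg_socket", "authencesn_bind", "splice"],
                           "first_ts": t_sock, "last_ts": t_splice})
        else:
            alerts.append({"pid": pid, "comm": comm.get(pid), "severity": "medium",
                           "stages": ["af_alg_socket", "authencesn_bind"],
                           "first_ts": t_sock, "last_ts": t_bind})
    return alerts


# Constructed, simplified sample records (not real telemetry). pid 4242 runs the
# full chain; pid 5150 is a benign AF_ALG user binding a plain cipher; pid 6060
# only calls splice(). a0=26 is AF_ALG in hex, as auditd logs syscall arguments.
AUTHENCESN = make_sockaddr_alg("aead", "authencesn(hmac(sha256),cbc(aes))")
PLAIN_CIPHER = make_sockaddr_alg("skcipher", "cbc(aes)")
SAMPLE = [
    'type=SYSCALL msg=audit(1780000000.100:1001): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 pid=4242 comm="cf" key="copyfail_af_alg"',
    'type=SYSCALL msg=audit(1780000000.150:1002): arch=c000003e syscall=49 success=yes exit=0 a0=3 pid=4242 comm="cf" key="copyfail_af_alg"',
    "type=SOCKADDR msg=audit(1780000000.150:1002): saddr=" + AUTHENCESN,
    'type=SYSCALL msg=audit(1780000000.900:1003): arch=c000003e syscall=275 success=yes exit=4096 pid=4242 comm="cf" key="copyfail_af_alg"',
    'type=SYSCALL msg=audit(1780000001.000:1004): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 pid=5150 comm="kcapi" key="copyfail_af_alg"',
    'type=SYSCALL msg=audit(1780000001.010:1005): arch=c000003e syscall=49 success=yes exit=0 a0=3 pid=5150 comm="kcapi" key="copyfail_af_alg"',
    "type=SOCKADDR msg=audit(1780000001.010:1005): saddr=" + PLAIN_CIPHER,
    'type=SYSCALL msg=audit(1780000002.000:1006): arch=c000003e syscall=275 success=yes exit=65536 pid=6060 comm="cp" key="copyfail_af_alg"',
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Two design points matter in practice. The join on the audit serial is what turns a raw `saddr=` hex blob into an `authencesn` bind for a specific pid; without it, every AF_ALG bind looks alike. And the benign process that binds `cbc(aes)` never alerts, while a process that binds `authencesn` but never reaches `splice()` is surfaced at medium severity, because after `disable_algif_aead.sh` the bind itself is the remaining signal.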