From Exploit Code to Production Detection: Building a CVE-2026-31431 (Copy Fail) detection with Agents
CVE-2026-31431 (‘Copy Fail’, CVSS 7.8) is a Linux kernel privilege escalation affecting versions 4.14 through 6.19 and the 7.0 RCs. It is actively exploited in the wild and was added to CISA KEV on May 1, 2026. The vulnerability abuses the AF_ALG socket interface (the authencesn AEAD template) combined with splice() zero-copy semantics: an unprivileged user can splice the page cache pages of any readable file (e.g., /usr/bin/su) into a crypto operation socket, triggering a controlled write-back into the page cache without touching the on-disk file, inode metadata, or mtime, so file integrity monitoring (FIM) that relies on metadata is blind to the attack. The corruption is deterministic (specific bytes at specific offsets) and works without any special capabilities; a Rust variant also targets PAM configuration files (/etc/pam.d/*) to bypass authentication. Container escape is conditionally possible when the targeted file’s page cache is shared across container boundaries.

The article additionally details how Datadog used coding agents to compress the detection engineering cycle, from exploit analysis to shipped runtime detections, into a single session.
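Because the technique never touches on-disk metadata, a runtime detection has to key on the syscall pattern the summary describes rather than on mtime. The following is an added example, not Datadog's detection and not code from the article: it correlates per-process syscall events so that a splice() of an opened file into an AF_ALG operation socket bound to an `authencesn` AEAD template raises an alert. The event tuples and their field names are a constructed, simplified stand-in for a sensor's syscall stream.

```python
from collections import defaultdict

# Constructed sample events: (pid, syscall, details). Not real sensor output.
# pid 1201 follows the Copy Fail pattern; pid 1300 legitimately hashes a file
# through AF_ALG (a common, benign use of splice() into a hash socket).
SAMPLE_EVENTS = [
    (1201, "socket", {"family": "AF_ALG", "fd": 3}),
    (1201, "bind",   {"fd": 3, "alg_type": "aead",
                      "alg_name": "authencesn(hmac(sha256),cbc(aes))"}),
    (1201, "accept", {"fd": 3, "new_fd": 4}),
    (1201, "open",   {"path": "/usr/bin/su", "fd": 5}),
    (1201, "splice", {"fd_in": 5, "fd_out": 4}),
    (1300, "socket", {"family": "AF_ALG", "fd": 3}),
    (1300, "bind",   {"fd": 3, "alg_type": "hash", "alg_name": "sha256"}),
    (1300, "accept", {"fd": 3, "new_fd": 4}),
    (1300, "open",   {"path": "/home/user/data.bin", "fd": 5}),
    (1300, "splice", {"fd_in": 5, "fd_out": 4}),
]

VULNERABLE_TEMPLATE = "authencesn"  # AEAD template named in the CVE-2026-31431 summary


def detect_copy_fail(events):
    """Return one alert per splice() of an opened file into an authencesn op socket."""
    alg_fds = defaultdict(set)      # pid -> AF_ALG socket fds (incl. accepted op fds)
    risky_fds = defaultdict(set)    # pid -> AF_ALG fds bound to the vulnerable template
    open_files = defaultdict(dict)  # pid -> fd -> path
    alerts = []
    for pid, call, d in events:
        if call == "socket" and d.get("family") == "AF_ALG":
            alg_fds[pid].add(d["fd"])
        elif call == "bind" and d["fd"] in alg_fds[pid]:
            if d.get("alg_type") == "aead" and d.get("alg_name", "").startswith(VULNERABLE_TEMPLATE):
                risky_fds[pid].add(d["fd"])
        elif call == "accept" and d["fd"] in alg_fds[pid]:
            alg_fds[pid].add(d["new_fd"])        # op socket inherits the bound template
            if d["fd"] in risky_fds[pid]:
                risky_fds[pid].add(d["new_fd"])
        elif call == "open":
            open_files[pid][d["fd"]] = d["path"]
        elif call == "close":                    # fd numbers are reused; forget closed ones
            for table in (alg_fds[pid], risky_fds[pid]):
                table.discard(d["fd"])
            open_files[pid].pop(d["fd"], None)
        elif call == "splice" and d["fd_out"] in risky_fds[pid]:
            path = open_files[pid].get(d["fd_in"], "<unknown>")
            alerts.append({"pid": pid, "target": path,
                           "rule": "splice_file_into_authencesn_af_alg_socket"})
    return alerts
```

The `bind` check also sees the constructed benign hash-socket case (pid 1300) and leaves it alone, which is the false-positive class a real rule must tolerate.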