Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket

Last updated: 2026-04-29
Created: 2026-04-29

About

Correlates a burst of non-root AF_ALG-class "socket", "splice", or "bound-socket" telemetry with a subsequent process execution in which the effective user is root while the login user remains non-root. This sequence matches common post-exploitation chains for Copy Fail (CVE-2026-31431) style abuse, where AF_ALG and "splice" primitives precede execution of a corrupted setuid binary from cache.
Tags
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Use Case: Vulnerability
Tactic: Privilege Escalation
Data Source: Auditd Manager
Language: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Privilege Escalation (TA0004)

False Positive Examples
Legitimate AF_ALG usage from unprivileged users is uncommon, but some kernel crypto tests, IPsec helpers, disk encryption tooling, HSM integrations, or approved security research systems may exercise this interface. Verify the process, user, and host role before adding an exception.
License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
auditbeat-*
logs-auditd_manager.auditd-*
Related Integrations

auditd_manager

Query
sequence with maxspan=60s
  [any where host.os.type == "linux" and
    (
      (event.category == "process" and auditd.data.syscall == "socket" and auditd.data.a0 == "26") or
      (event.category == "process" and auditd.data.syscall == "splice") or
      (event.category == "network" and event.action == "bound-socket" and
       data_stream.dataset == "auditd_manager.auditd" and ?auditd.data.socket.family == "38")
    ) and user.id != "0"
  ] by process.pid, host.id, user.id with runs=10
  [process where host.os.type == "linux" and event.action == "executed" and
    (
      (user.effective.id == "0" and user.id != "0") or
      (process.name in ("bash", "sh", "zsh", "dash", "fish", "ksh", "busybox") and
       process.args in ("-c", "--command", "-ic", "-ci", "-cl", "-lc", "-bash", "-sh", "-zsh", "-dash", "-fish", "-ksh"))
    )
  ] by process.parent.pid, host.id, user.id
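The same two-stage correlation written out in Python, as an added example and not part of the Elastic rule: it reads flattened auditd_manager-style records (constructed here), applies the stage-1 filter (non-root AF_ALG socket(), where auditd logs a0 in hex so "26" is family 38, splice(), or an AF_ALG bind), then looks for a qualifying exec whose parent pid, host and uid match a run of ten such events within 60 seconds. The engine emulation, the sample pids, uids and the placeholder binary name are assumptions of this example; the field names are taken from the rule.

```python
from datetime import datetime, timedelta

# Emulates the EQL sequence above over flattened auditd_manager-style events; sample records are constructed.
MAXSPAN, RUNS = timedelta(seconds=60), 10
SHELLS = {"bash", "sh", "zsh", "dash", "fish", "ksh", "busybox"}
SHELL_ARGS = {"-c", "--command", "-ic", "-ci", "-cl", "-lc", "-bash", "-sh", "-zsh", "-dash", "-fish", "-ksh"}

def is_af_alg_primitive(ev):
    """Stage 1: non-root AF_ALG socket() (a0 == 0x26), splice(), or an AF_ALG (family 38) bind."""
    if ev.get("host.os.type") != "linux" or ev.get("user.id") == "0":
        return False
    if ev.get("event.category") == "process":
        syscall = ev.get("auditd.data.syscall")
        return syscall == "splice" or (syscall == "socket" and ev.get("auditd.data.a0") == "26")
    return (ev.get("event.category") == "network" and ev.get("event.action") == "bound-socket"
            and ev.get("auditd.data.socket.family") == "38")

def is_privileged_exec(ev):
    """Stage 2: exec with euid root but a non-root login uid, or a shell launched with a -c style flag."""
    if ev.get("host.os.type") != "linux" or ev.get("event.action") != "executed":
        return False
    if ev.get("user.effective.id") == "0" and ev.get("user.id") != "0":
        return True
    return ev.get("process.name") in SHELLS and bool(SHELL_ARGS & set(ev.get("process.args", [])))

def correlate(events):
    """(first_primitive_ts, exec_event) per run of RUNS stage-1 hits keyed by (pid, host, uid) followed
    within MAXSPAN by a stage-2 exec keyed by (parent pid, host, uid). Approximates the EQL engine."""
    runs, hits = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if is_af_alg_primitive(ev):
            runs.setdefault((ev["process.pid"], ev["host.id"], ev["user.id"]), []).append(ev["@timestamp"])
        elif is_privileged_exec(ev):
            key = (ev.get("process.parent.pid"), ev["host.id"], ev["user.id"])
            recent = [t for t in runs.get(key, []) if ev["@timestamp"] - t <= MAXSPAN]
            if len(recent) >= RUNS:
                hits.append((recent[0], ev))
                runs[key] = []  # consume the run so one burst raises one alert
    return hits

def sample_events(primitives=RUNS):
    """Constructed telemetry: uid 1000 (pid 4242) issues AF_ALG socket() calls, then a child execs as euid 0."""
    t0 = datetime(2026, 4, 29, 12, 0, 0)
    base = {"host.os.type": "linux", "host.id": "host-A", "user.id": "1000"}
    evs = [{**base, "@timestamp": t0 + timedelta(seconds=i), "event.category": "process",
            "auditd.data.syscall": "socket", "auditd.data.a0": "26", "process.pid": 4242}
           for i in range(primitives)]
    evs.append({**base, "@timestamp": t0 + timedelta(seconds=30), "event.action": "executed",
                "user.effective.id": "0", "process.name": "example-setuid-bin",  # placeholder name
                "process.pid": 4300, "process.parent.pid": 4242})
    return evs
```

Fewer than ten stage-1 events before the exec, or a stage-1 burst issued by uid 0, produces no hit, which mirrors the rule's `runs=10` and `user.id != "0"` conditions.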

Install detection rules in Elastic Security

Detect Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.