https://thecodersblog.com/tag/rootless/Recent content in Rootless on The Coders BlogHugoen-usTue, 05 May 2026 15:09:57 +0000https://thecodersblog.com/cve-2026-31431-copy-fail-vs-rootless-containers-2026/Tue, 05 May 2026 15:09:57 +0000https://thecodersblog.com/cve-2026-31431-copy-fail-vs-rootless-containers-2026/<p>Imagine a world where an unprivileged process, with no special rights, can reach into the kernel&rsquo;s memory and alter critical system components. This isn&rsquo;t science fiction; it&rsquo;s the reality introduced by CVE-2026-31431, affectionately (and terrifyingly) dubbed &ldquo;Copy Fail.&rdquo; For those operating in the containerized world, especially with rootless setups, this vulnerability is a stark reminder that even seemingly robust isolation mechanisms can have hidden pathways to compromise.</p> <h3 id="the-core-problem-kernel-memory-corruption-via-af_alg">The Core Problem: Kernel Memory Corruption via <code>AF_ALG</code></h3> <p>CVE-2026-31431 is a high-severity local privilege escalation (LPE) vulnerability residing within the Linux kernel&rsquo;s cryptographic subsystem, specifically the <code>AF_ALG</code> (userspace crypto API). The flaw lies in a logic error within the <code>algif_aead</code> module. At its heart, the exploit leverages the <code>splice()</code> system call to perform controlled, 4-byte writes into the kernel&rsquo;s shared page cache. This seemingly small manipulation is enough to corrupt in-memory copies of critical setuid binaries, such as <code>/usr/bin/su</code>. The ultimate consequence? An unprivileged user can execute a corrupted setuid binary and gain root privileges.</p>