Copy Fail
April 30, 2026. A kernel LPE that has lived in every major Linux distro since 2017 is now public, with a 732-byte exploit. You manage a multi-tenant Kubernetes cluster.
Briefing
Theori disclosed CVE-2026-31431 (Copy Fail) on April 30th, 2026. It's a logic flaw in the kernel's algif_aead module: an unprivileged process can write a few bytes into the page cache of any readable file, including setuid binaries. Public 732-byte PoC. No race window. Reliable across Ubuntu, RHEL, Amazon Linux, SUSE. Worse: the page cache is shared across containers on the same kernel, so one tenant can poison /usr/bin/su for everyone else on this node. You can't reboot until the off-peak window tonight. Find out what's safe to ship now.
Your role
Platform engineer on a Kubernetes cluster that hosts CI runners and AI sandboxes for multiple internal teams. Same host kernel underneath all of them.
Objective
Decide in the next ten minutes whether this node is exposed to CVE-2026-31431, and apply a same-day mitigation if you cannot reboot.
Terminal environment
- user: responder
- host: k8s-node-04
- cwd: /home/responder
- steps: 7
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.