From Exploit Code to Production Detection: Building a CVE-2026-31431 (Copy Fail) detection with Agents

This article details CVE-2026-31431 (Copy Fail), a high-severity Linux kernel vulnerability (CVSS 7.8) that allows any unprivileged local user to corrupt page cache memory and escalate privileges to root. The exploit chains three kernel mechanisms: AF_ALG sockets (which expose the kernel crypto API to unprivileged users), the authencesn AEAD template, and splice() for zero-copy data movement. By splicing a readable target file (for example a setuid binary such as /usr/bin/su, or a PAM configuration file) into a crafted AF_ALG decrypt operation, the attacker writes controlled bytes directly into the file's page cache without modifying the on-disk file, so ordinary file-write monitoring does not fire. The corruption lives only in memory; when the corrupted setuid binary is executed, the attacker gains root. The vulnerability affects kernel versions 4.14 through 6.19 and the 7.0 RCs, and active exploitation has been confirmed in the wild.

Datadog's detection uses chained Workload Protection rules that follow the behavioral sequence rather than any single syscall: bind(AF_ALG), then setsockopt(SOL_ALG), followed by a splice() of a setuid binary or an open() of system files or PAM configs. The article also describes how Datadog's security research team used coding agents to compress the full detection engineering lifecycle, from threat analysis through rule prototyping to production release, into a single session. Mitigations include patching, disabling algif_aead, enabling the detection content pack, and hunting via Cloud SIEM or CSM Vulnerabilities.
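As an added illustration of the chained behavioral detection summarized above (example code written for this page, not Datadog's Workload Protection rules), here is a small Python correlator that tracks, per process, bind(AF_ALG) followed by setsockopt(SOL_ALG) and then either a splice() of a setuid binary or an open() of a PAM configuration file. The event records, their field names, and the file-mode table are constructed assumptions about what a syscall telemetry source would provide.

```python
"""Per-process correlator for the Copy Fail behavioral chain (added example)."""
import stat
from collections import defaultdict

AF_ALG = 38    # Linux address family of the kernel crypto API sockets
SOL_ALG = 279  # socket option level used by setsockopt() on AF_ALG sockets
PAM_PREFIXES = ("/etc/pam.d/", "/etc/pam.conf")  # PAM config locations to watch


def is_setuid(path, mode_lookup):
    """True when path carries the setuid bit; mode_lookup maps path -> st_mode (assumed source)."""
    mode = mode_lookup.get(path)
    return mode is not None and bool(mode & stat.S_ISUID)


def detect_copy_fail(events, mode_lookup):
    """Walk syscall events in order and return alerts for pids that complete the chain.

    Stage per pid: 0 = nothing seen, 1 = bind(AF_ALG) seen, 2 = setsockopt(SOL_ALG) seen
    after the bind. Only a pid at stage 2 can trigger on splice()/open() of a sensitive target.
    """
    stage = defaultdict(int)
    alerts = []
    for ev in events:
        pid, call = ev["pid"], ev["syscall"]
        if call == "bind" and ev.get("family") == AF_ALG:
            stage[pid] = max(stage[pid], 1)
        elif call == "setsockopt" and ev.get("level") == SOL_ALG and stage[pid] >= 1:
            stage[pid] = 2
        elif stage[pid] == 2 and call in ("splice", "open", "openat"):
            path = ev.get("path", "")  # assumed: telemetry resolves the fd to a path
            if call == "splice" and is_setuid(path, mode_lookup):
                alerts.append((pid, "splice of setuid binary", path))
            elif call != "splice" and path.startswith(PAM_PREFIXES):
                alerts.append((pid, "open of PAM config after AF_ALG setup", path))
    return alerts


# Constructed sample data: st_mode values and a short syscall trace for four pids.
SAMPLE_MODES = {"/usr/bin/su": 0o104755, "/usr/bin/ls": 0o100755}
SAMPLE_EVENTS = [
    {"pid": 4242, "syscall": "bind", "family": AF_ALG},
    {"pid": 4242, "syscall": "setsockopt", "level": SOL_ALG},
    {"pid": 4242, "syscall": "splice", "path": "/usr/bin/su"},    # full chain -> alert
    {"pid": 5151, "syscall": "splice", "path": "/usr/bin/su"},    # no AF_ALG setup -> benign
    {"pid": 6161, "syscall": "bind", "family": AF_ALG},
    {"pid": 6161, "syscall": "setsockopt", "level": SOL_ALG},
    {"pid": 6161, "syscall": "openat", "path": "/etc/pam.d/su"},  # PAM config -> alert
    {"pid": 7171, "syscall": "bind", "family": AF_ALG},
    {"pid": 7171, "syscall": "setsockopt", "level": SOL_ALG},
    {"pid": 7171, "syscall": "splice", "path": "/usr/bin/ls"},    # not setuid -> benign
]

if __name__ == "__main__":
    for alert in detect_copy_fail(SAMPLE_EVENTS, SAMPLE_MODES):
        print(alert)
```

A production rule would additionally scope the match to a time window and close the chain when the AF_ALG socket is closed; the ordering logic above is the part that keeps plain splice() or PAM reads from alerting on their own.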

https://securitylabs.datadoghq.com/articles/cve-2026-31431-copy-fail-exploit-detection-with-agents
