Kubernetes Vulnerability Fix: Defending Against Copy Fail (CVE-2026-31431)

#Tech


The Linux kernel has a serious vulnerability named "Copy Fail" (CVE-2026-31431) that lets an attacker gain root privileges with a Python script of only 732 bytes. It affects many Linux distributions, including Ubuntu and RHEL.

The vulnerability stems from a logic flaw in the kernel's authenticated-encryption implementation and is reached through the AF_ALG interface and the splice() function; it may have been present since 2017.

Official patches are not yet widely deployed, so interim measures are needed.

Tetragon, an eBPF-based security agent, can effectively mitigate the vulnerability by blocking the creation of AF_ALG sockets at the syscall level, without changing any kernel build parameters.

Users can block the attack by installing Tetragon and configuring a TracingPolicy, and at the same time receive event alerts that make security monitoring straightforward.
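The kind of TracingPolicy described above, as an added example that is not from the original article or the Tetragon project: it hooks the socket(2) syscall and rejects any request for address family AF_ALG (38) with EPERM, so the socket is never created, while Tetragon still emits an event for each match. The policy name is an assumption, and the Override action requires kernel support for kprobe return overriding; Sigkill is the fallback where that is absent.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "deny-af-alg-sockets"   # assumed name for this example
spec:
  kprobes:
  # Hook the socket(2) syscall; Tetragon resolves the arch-specific symbol.
  - call: "sys_socket"
    syscall: true
    args:
    - index: 0        # domain / address family
      type: "int"
    - index: 1        # socket type (SOCK_SEQPACKET for AF_ALG)
      type: "int"
    - index: 2        # protocol
      type: "int"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "38"        # AF_ALG
      matchActions:
      # Return -EPERM to the caller so the socket is never created.
      # Needs bpf_override_return support (CONFIG_BPF_KPROBE_OVERRIDE);
      # on kernels without it, use `action: Sigkill` instead.
      - action: Override
        argError: -1
```

Apply it with `kubectl apply -f`, then watch for matches with `tetra getevents -o compact`; note that any workload which legitimately uses the kernel crypto API through AF_ALG will also be denied, so check those events before rolling the policy out cluster-wide.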

Opening of the original article (English · first 3 paragraphs only)

On April 29, Xint Code dropped a Linux kernel privilege escalation that makes every other LPE look like it’s trying too hard. It doesn’t need a race condition or kernel-specific offsets and it doesn’t care which distro you’re running. A 732-byte Python script that roots Ubuntu, RHEL, Amazon Linux, and SUSE with the same binary, unchanged. They named it Copy Fail and it’s been sitting in the kernel since 2017.

The bug is a logic flaw in authencesn (the kernel’s authenticated encryption with sequence numbers implementation). It chains through AF_ALG, the userspace interface to the kernel crypto API, and splice() to write 4 bytes into the page cache of any setuid binary. Four bytes, and /usr/bin/su now does whatever you want.

If you’re running multi-tenant Kubernetes, CI runners, or anything that runs user-supplied code on a shared kernel, this is relevant.

※ For copyright reasons, only the first 3 paragraphs are quoted. Please read the original article for the full content.
