Cloudflare's detailed account of how they responded to CVE-2026-31431 ('Copy Fail'), a Linux kernel local privilege escalation vulnerability that exploits an out-of-bounds write in the algif_aead crypto module via splice() and page cache manipulation. Their response included: confirming that existing behavioral detection caught the exploit within minutes without any signature update, conducting 48-hour retroactive threat hunting across their global fleet, deploying a bpf-lsm eBPF program as a surgical, no-reboot mitigation that allowlisted the legitimate AF_ALG socket users, and ultimately rolling out a patched kernel through their normal reboot automation. No customer impact occurred at any point. The post also details the technical exploit mechanism and the lessons learned about kernel-API dependency visibility and attack surface reduction.

12-minute read. From blog.cloudflare.com
Table of contents

- Background
- Incident timeline and impact
- Remediation and follow-up steps
- Conclusion
