<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>CVE-2026-31431 on Detection.FYI</title>
    <link>https://detection.fyi/sigmahq/sigma/emerging-threats/2026/exploits/cve-2026-31431/</link>
    <description>Recent content in CVE-2026-31431 on Detection.FYI</description>
    <generator>Hugo -- gohugo.io</generator>
    <copyright> </copyright>
    <lastBuildDate>Fri, 03 Jul 2026 12:22:10 +0000</lastBuildDate><atom:link href="https://detection.fyi/sigmahq/sigma/emerging-threats/2026/exploits/cve-2026-31431/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Linux AF_ALG Socket Creation - Kernel Crypto API Exploit Indicator</title>
      <link>https://detection.fyi/sigmahq/sigma/emerging-threats/2026/exploits/cve-2026-31431/lnx_auditd_exploit_cve_2026_31431_af_alg_socket_creation/</link>
      <pubDate>Fri, 03 Jul 2026 12:22:10 +0000</pubDate>
      
      <guid>https://detection.fyi/sigmahq/sigma/emerging-threats/2026/exploits/cve-2026-31431/lnx_auditd_exploit_cve_2026_31431_af_alg_socket_creation/</guid>
      <description>
        
          
            Detects creation of AF_ALG (Address Family 38) sockets via the socket() syscall.
AF_ALG is the Linux kernel crypto API interface. It is exploited in CVE-2026-31431
to achieve local privilege escalation via a buffer overflow in the AF_ALG AEAD
splice path that corrupts the page cache of SUID binaries.
Legitimate AF_ALG usage is rare and confined to specific crypto utilities and VPN
daemons using non-default kernel offload configurations.

          
          
        
      </description>
    </item>
    
    <item>
      <title>Authencesn Crypto Module Load via Modprobe - Copy-Fail Indicator</title>
      <link>https://detection.fyi/sigmahq/sigma/emerging-threats/2026/exploits/cve-2026-31431/proc_creation_lnx_exploit_cve_2026_31431_copyfail/</link>
      <pubDate>Fri, 03 Jul 2026 09:18:04 +0000</pubDate>
      
      <guid>https://detection.fyi/sigmahq/sigma/emerging-threats/2026/exploits/cve-2026-31431/proc_creation_lnx_exploit_cve_2026_31431_copyfail/</guid>
      <description>
        
          
            Detects kernel auto-loading of the authencesn crypto module via modprobe
This occurs when user-space code creates an AF_ALG socket and binds the authencesn AEAD cipher
(e.g., authencesn(hmac(sha256),cbc(aes))). The kernel invokes modprobe to load the
crypto module. This is a key indicator of CVE-2026-31431 (Copy Fail) exploitation,
where the authencesn cipher is used to trigger a buffer overflow in the AF_ALG AEAD splice path,
corrupting the page cache of SUID binaries for local privilege escalation.

On Linux systems, modprobe is typically a symlink to kmod, so the process image will be /usr/bin/kmod (or /bin/kmod)
with &#39;modprobe&#39; appearing in the command line.

          
          
        
      </description>
    </item>
    
  </channel>
</rss>
