Authencesn Crypto Module Load via Modprobe - Copy-Fail Indicator

Detects kernel auto-loading of the authencesn crypto module via modprobe This occurs when user-space code creates an AF_ALG socket and binds the authencesn AEAD cipher (e.g., authencesn(hmac(sha256),cbc(aes))). The kernel invokes modprobe to load the crypto module. This is a key indicator of CVE-2026-31431 (Copy Fail) exploitation, where the authencesn cipher is used to trigger a buffer overflow in the AF_ALG AEAD splice path, corrupting the page cache of SUID binaries for local privilege escalation.

On Linux systems, modprobe is typically a symlink to kmod, so the process image will be /usr/bin/kmod (or /bin/kmod) with 'modprobe' appearing in the command line.

Sigma rule (View on GitHub)

 1title: Authencesn Crypto Module Load via Modprobe - Copy-Fail Indicator
 2id: 474b415a-d917-4f3b-8c62-9e1a0d5f7b48
 3status: experimental
 4description: |
 5    Detects kernel auto-loading of the authencesn crypto module via modprobe
 6    This occurs when user-space code creates an AF_ALG socket and binds the authencesn AEAD cipher
 7    (e.g., authencesn(hmac(sha256),cbc(aes))). The kernel invokes modprobe to load the
 8    crypto module. This is a key indicator of CVE-2026-31431 (Copy Fail) exploitation,
 9    where the authencesn cipher is used to trigger a buffer overflow in the AF_ALG AEAD splice path,
10    corrupting the page cache of SUID binaries for local privilege escalation.
11
12    On Linux systems, modprobe is typically a symlink to kmod, so the process image will be /usr/bin/kmod (or /bin/kmod)
13    with 'modprobe' appearing in the command line.    
14references:
15    - https://www.linkedin.com/posts/stamatis-chatzimangou_copyfail-kql-activity-7455582422215114752-S4RW/
16    - https://www.splunk.com/en_us/blog/security/detecting-copy-fail-cve-2026-31431-phenomenal-power-itty-bitty-script.html
17    - https://nvd.nist.gov/vuln/detail/CVE-2026-31431
18    - https://man7.org/linux/man-pages/man8/modprobe.8.html
19    - https://www.kernel.org/doc/html/latest/crypto/userspace-if.html
20author: Gene Kazimiarovich
21date: 2026-05-09
22tags:
23    - attack.privilege-escalation
24    - attack.t1068
25    - attack.persistence
26    - attack.t1547.006
27    - detection.emerging-threats
28    - cve.2026-31431
29logsource:
30    category: process_creation
31    product: linux
32detection:
33    selection_kmod:
34        Image|endswith: '/kmod'
35        CommandLine|contains|all:
36            - 'modprobe'
37            - 'crypto-authencesn('
38    selection_modprobe:
39        Image|endswith: '/modprobe'
40        CommandLine|contains: 'crypto-authencesn('
41    condition: 1 of selection_*
42falsepositives:
43    - Legitimate manual loading of the authencesn module by administrators for kernel crypto benchmarking or IPsec configuration (near-zero in production)
44level: high

References

Related rules

to-top