Copy-fail-destroyer: K8s remediation for CVE-2026-31431
Source: Hacker News
copy-fail-destroyer
A Kubernetes DaemonSet agent that detects and remediates CVE-2026-31431 (“Copy Fail”) — an algif_aead in‑place logic flaw in the Linux kernel allowing unprivileged page‑cache writes via the AF_ALG socket interface.
What it does
On each node the agent runs a loop every 5 minutes that:
- Checks the kernel version against all known patched stable branches.
- Probes the AF_ALG module by attempting to create and bind an AF_ALG socket to aead/authenc(hmac(sha256),cbc(aes)), the exact algorithm the exploit targets. This is safe and non‑destructive.
- Remediates based on the configured REMEDIATION_MODE (see below).
- Exposes Prometheus metrics so you can alert and track status across the fleet.
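The kernel-version step above, as an added example in Go that is not the project's own code: it parses a uname -r release string and compares it against the thresholds this README lists (introduced in 4.14; fixed in 6.18.22, 6.19.12 and 7.0). A kernel on an affected branch with no listed fix is reported as needing patching, and so is a distribution kernel that backports the fix without changing its version string; that second case is the gap the AF_ALG probe step closes, so the version check is a first filter, not a verdict. The function and type names and the sample release strings are my own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// kernelVersion is the numeric prefix of a `uname -r` release string.
type kernelVersion struct{ major, minor, patch int }

// parseKernelVersion extracts major.minor[.patch] from release strings such
// as "6.18.21-1-amd64" or "7.0.0-rc3"; everything from the first character
// that is neither a digit nor a dot (the distro suffix) is ignored.
func parseKernelVersion(release string) (kernelVersion, error) {
	var v kernelVersion
	end := len(release)
	for i, c := range release {
		if c != '.' && (c < '0' || c > '9') {
			end = i
			break
		}
	}
	parts := strings.Split(release[:end], ".")
	if len(parts) < 2 {
		return v, fmt.Errorf("unparsable kernel release %q", release)
	}
	fields := []*int{&v.major, &v.minor, &v.patch}
	for i := 0; i < len(parts) && i < len(fields); i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return v, fmt.Errorf("unparsable kernel release %q", release)
		}
		*fields[i] = n
	}
	return v, nil
}

// less is a strict major.minor.patch comparison.
func (a kernelVersion) less(b kernelVersion) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// Thresholds exactly as this README lists them: the bug appears in 4.14,
// mainline carries the fix from 7.0, and the 6.19 and 6.18 stable branches
// carry it from the given patch level.
var (
	firstAffected = kernelVersion{4, 14, 0}
	mainlineFixed = kernelVersion{7, 0, 0}
	stableFixed   = []kernelVersion{{6, 19, 12}, {6, 18, 22}}
)

// needsPatching reports whether a kernel, identified by its release string,
// lacks the upstream fix. An affected branch with no listed fix (a 6.12 or
// 6.6 LTS kernel, say) is reported as needing patching because this table
// cannot prove otherwise; a distro backport is flagged for the same reason.
func needsPatching(release string) (bool, error) {
	v, err := parseKernelVersion(release)
	if err != nil {
		return false, err
	}
	if v.less(firstAffected) {
		return false, nil // bug not present yet
	}
	if !v.less(mainlineFixed) {
		return false, nil // 7.0 and later carry the fix
	}
	for _, f := range stableFixed {
		if v.major == f.major && v.minor == f.minor {
			return v.less(f), nil // same stable branch: compare patch level
		}
	}
	return true, nil
}

func main() {
	// Constructed sample releases, not taken from any real fleet.
	for _, rel := range []string{"6.18.21-1-amd64", "6.18.22", "6.19.11-generic", "7.0.0", "5.15.0-1043-azure", "4.13.16"} {
		np, err := needsPatching(rel)
		fmt.Printf("%-20s needs_patching=%v err=%v\n", rel, np, err)
	}
}
```

A release string that cannot be parsed is returned as an error rather than as "not vulnerable"; in the agent loop that should surface as a failed check, never as a clean result.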
Remediation modes
Set via the REMEDIATION_MODE environment variable (or remediationMode in the Helm chart):
| Mode | Behaviour |
|---|---|
| unload (default) | Unloads the algif_aead kernel module via delete_module. |
| blacklist | Unloads the module and writes a modprobe blacklist rule to prevent auto‑reload. |
| disabled | Detect and report only — no remediation is performed. |
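The probe step from the list above and the unload and blacklist modes from this table, as one added example in Go. This is not the project's code: the struct sockaddr_alg layout and the delete_module(2) semantics are the kernel's, while the ProbeResult names, the modprobe.d file name and the idea of a hostPath-mounted modprobe directory are my assumptions. Two practical points it carries: a bind() on AF_ALG asks the kernel to autoload the "algif-aead" module when it is absent, so a probe run after a plain unload can bring the module straight back (which is the case the blacklist mode exists for); and because modprobe resolves that request to the module name rather than an alias, it is the install line in the fragment, not the blacklist line, that actually prevents the reload.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
	"unsafe"
)

const (
	afALG       = 0x26 // AF_ALG (same value as syscall.AF_ALG on Linux)
	sockaddrLen = 88   // sizeof(struct sockaddr_alg)
)

// algSockaddr lays out struct sockaddr_alg { u16 family; u8 type[14];
// u32 feat; u32 mask; u8 name[64]; } as the kernel reads it.
func algSockaddr(typ, name string) ([sockaddrLen]byte, error) {
	var sa [sockaddrLen]byte
	if len(typ) > 13 || len(name) > 63 { // keep room for the NUL terminator
		return sa, fmt.Errorf("algorithm type/name too long")
	}
	*(*uint16)(unsafe.Pointer(&sa[0])) = afALG // native byte order
	copy(sa[2:16], typ)
	copy(sa[24:88], name)
	return sa, nil
}

// ProbeResult is what the module_reachable metric would be derived from.
type ProbeResult int
const (
	Reachable   ProbeResult = iota // bind succeeded: algif_aead is loaded (or was just autoloaded)
	Unavailable                    // ENOENT: algorithm not registered (module absent or blocked by modprobe)
	NoAFALG                        // EAFNOSUPPORT: AF_ALG is not built into this kernel
	Blocked                        // EPERM/EACCES: seccomp or an LSM denied the call; state unknown
	Unknown
)

// classify maps the error from socket()/bind() to a ProbeResult.
func classify(err error) ProbeResult {
	switch err {
	case nil:
		return Reachable
	case syscall.ENOENT:
		return Unavailable
	case syscall.EAFNOSUPPORT:
		return NoAFALG
	case syscall.EPERM, syscall.EACCES:
		return Blocked
	}
	return Unknown
}

// probeAEAD is the README's probe step: open an AF_ALG socket and bind it to
// aead/authenc(hmac(sha256),cbc(aes)). No key is set and nothing is sent. If the
// module is absent, bind() triggers request_module("algif-aead"), so the probe can reload it.
func probeAEAD() ProbeResult {
	fd, err := syscall.Socket(afALG, syscall.SOCK_SEQPACKET, 0)
	if err != nil {
		return classify(err)
	}
	defer syscall.Close(fd)
	sa, _ := algSockaddr("aead", "authenc(hmac(sha256),cbc(aes))") // constant, valid lengths
	_, _, errno := syscall.Syscall(syscall.SYS_BIND, uintptr(fd),
		uintptr(unsafe.Pointer(&sa[0])), uintptr(sockaddrLen))
	if errno != 0 {
		return classify(errno)
	}
	return Reachable
}

// unloadAlgifAEAD is unload mode: delete_module("algif_aead", O_NONBLOCK), which
// needs CAP_SYS_MODULE. ENOENT (not loaded) is the state we want, so it counts as
// success; EBUSY/EAGAIN means an open aead socket still pins the module.
func unloadAlgifAEAD() error {
	name := []byte("algif_aead\x00") // NUL-terminated for the kernel
	_, _, errno := syscall.Syscall(syscall.SYS_DELETE_MODULE,
		uintptr(unsafe.Pointer(&name[0])), uintptr(syscall.O_NONBLOCK), 0)
	switch errno {
	case 0, syscall.ENOENT:
		return nil
	case syscall.EBUSY, syscall.EAGAIN:
		return fmt.Errorf("algif_aead still in use: %w", errno)
	}
	return fmt.Errorf("delete_module: %w", errno)
}

// blacklistRule is blacklist mode's modprobe fragment. A bare "blacklist" line only
// affects alias lookups and the kernel requests the module by name, so the "install"
// line is what stops the reload. modprobeDir must be the host's /etc/modprobe.d mounted
// into the pod (this agent's rootfs is read-only); directory and file name are assumptions.
const blacklistRule = "blacklist algif_aead\ninstall algif_aead /bin/false\n"
func writeBlacklist(modprobeDir string) error {
	return os.WriteFile(filepath.Join(modprobeDir, "copy-fail-algif_aead.conf"),
		[]byte(blacklistRule), 0o644)
}

func main() {
	fmt.Println("aead probe result:", probeAEAD()) // remediations need root; call them deliberately
}
```

Blocked is kept separate from Unavailable on purpose: a seccomp or LSM denial says nothing about whether algif_aead is loaded, and reporting it as "not reachable" would silently turn a misconfigured agent into a green dashboard.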
Prometheus metrics
All metrics are exposed on :9100/metrics.
| Metric | Description |
|---|---|
| cve_2026_31431_kernel_needs_patching | 1 if the kernel version is not patched for CVE‑2026‑31431. |
| cve_2026_31431_vulnerable | 1 if the kernel is vulnerable to CVE‑2026‑31431 and the module is reachable. |
| cve_2026_31431_module_reachable | 1 if the AF_ALG aead algorithm can be bound. |
| cve_2026_31431_remediation_applied | 1 if the algif_aead module was successfully unloaded. |
Patched kernel versions
CVE-2026-31431 (Copy Fail)
- 7.0+ (mainline)
- 6.19.12+
- 6.18.22+
- Kernels before 4.14 are not affected (bug introduced in 4.14).
Project structure
```
cmd/destroyer/main.go       # Entry point — metrics server, check loop, remediation
pkg/detector/
  cve202631431.go           # CVE-2026-31431 (Copy Fail) detection
  probe_linux.go            # AF_ALG module probe (Linux)
  probe_other.go            # Probe stub (non‑Linux)
  remediate_linux.go        # Module unload via delete_module (Linux)
  remediate_other.go        # Remediation stub (non‑Linux)
deploy/namespace.yaml       # Namespace with Pod Security Admission policy
deploy/daemonset.yaml       # Kubernetes DaemonSet manifest
Dockerfile                  # Multi‑stage build (scratch final image)
```
Building
Native
```
go build ./cmd/destroyer
```
Linux cross‑compile (for container image)
```
CGO_ENABLED=0 GOOS=linux go build -o destroyer ./cmd/destroyer
```
Container image
```
docker build -t copy-fail-destroyer .
```
Deployment
The agent requires a privileged security context to unload kernel modules (delete_module needs CAP_SYS_MODULE) and to probe AF_ALG sockets. The root filesystem is read‑only.
Raw manifests
```
kubectl apply -f deploy/namespace.yaml
kubectl apply -f deploy/daemonset.yaml
```
Helm
```
helm install copy-fail-destroyer oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer \
  --namespace copy-fail-destroyer --create-namespace
```
Override the remediation mode:
```
helm install copy-fail-destroyer oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer \
  --namespace copy-fail-destroyer --create-namespace \
  --set remediationMode=disabled
```
ArgoCD
An Application manifest is provided at deploy/argocd-application.yaml. Edit targetRevision to pin a chart version, then apply:
```
kubectl apply -f deploy/argocd-application.yaml
```
The DaemonSet includes Prometheus scrape annotations (prometheus.io/scrape: "true", port 9100).
Prometheus Operator
If you use the Prometheus Operator, deploy the PodMonitor to have metrics scraped automatically.
Raw manifest
```
kubectl apply -f deploy/podmonitor.yaml
```
Via Helm
```
helm install copy-fail-destroyer oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer \
  --namespace copy-fail-destroyer --create-namespace \
  --set metrics.podMonitor.enabled=true
```
Alert rules (PrometheusRule) for Alertmanager are also available.
Raw manifest
```
kubectl apply -f deploy/prometheusrule.yaml
```
Via Helm with extra alert labels
```
helm install copy-fail-destroyer oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer \
  --namespace copy-fail-destroyer --create-namespace \
  --set metrics.prometheusRule.enabled=true \
  --set metrics.prometheusRule.extraAlertLabels.team=platform
```
Three alerts are defined:
| Alert | Severity | Description |
|---|---|---|
| CopyFailVulnerable | critical | Kernel is vulnerable and the AF_ALG module is reachable. |
| CopyFailKernelNeedsPatching | warning | Kernel version is unpatched (module may be mitigated). |
| CopyFailRemediationFailed | warning | Module still reachable after a remediation attempt. |
CI/CD
A GitHub Actions workflow (.github/workflows/build.yaml) triggers on versioned tags (v*). It:
- Runs go test ./...
- Builds the Linux binary
- Builds and pushes a container image to ghcr.io/norskhelsenett/copy-fail-destroyer
- Packages and pushes the Helm chart to oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer

Tags are derived from the Git tag — e.g. pushing v1.2.3 produces image tags 1.2.3 and 1.2.
```
git tag v1.0.0
git push origin v1.0.0
```