CVE-2026-31431: Copy Fail Vs. Rootless Containers

Hacker News, May 5, 2026

Why It Matters

Copy Fail shows that a kernel-level local privilege escalation can be contained by a rootless container: the exploit gains root inside the container, but that root is an unprivileged user on the host, so the host and the CI infrastructure that runs the container are not compromised.

Key Takeaways

  • Copy Fail overwrites the page cache of /usr/bin/su with a minimal malicious ELF
  • The exploit succeeds inside the container, but the user namespace maps container UID 0 to host UID 1000
  • Rootless Podman uses user namespaces to confine container root to the launching user's host privileges
  • Kernel fix landed in 6.19.12; 6.17.x remains vulnerable
  • OpenShift 4.20+ supports user‑namespace pods for the same protection

Pulse Analysis

The "Copy Fail" vulnerability (CVE‑2026‑31431) exploits a flaw in the Linux kernel's AF_ALG crypto API that lets an unprivileged process write attacker-chosen 4‑byte chunks into the page cache of any file it can read, including a set‑uid binary it has no write permission on. By repeatedly splicing data into /usr/bin/su, the attacker replaces the cached binary with a minimal ELF that calls setuid(0) and launches a shell; the next execution of su runs that payload with the binary's set‑uid root privileges. The fix is in the 6.19.12 back‑port, so kernels without it, including many older enterprise and cloud images, remain vulnerable.

Rootless Podman mitigates the threat through user namespaces. A container started by an unprivileged user runs in a user namespace in which container UID 0 is mapped to that user's host UID (typically 1000) and the remaining container UIDs to a subordinate range from /etc/subuid. The exploit therefore still obtains "root" inside the container, but every action it takes carries only the privileges of the host user who launched the container. The article's bpftrace traces confirm this: setuid(0) returns success inside the container while the host sees the process owned by the podman user, so it cannot touch host files or processes beyond what that user could already reach.

For CI/CD pipelines and Kubernetes platforms, the lesson is clear: user namespaces keep this class of bug, whose payoff is root via a set‑uid binary, from reaching the host. The containment depends on the container executing its own copy of the set‑uid binary from the image layers; the page cache is shared per file across the whole system, so bind‑mounting a host directory that contains set‑uid binaries into the container would expose the host's copy to the same overwrite. OpenShift 4.20 introduced GA user namespaces for pods (the upstream Kubernetes pod field is hostUsers: false), offering the same protection demonstrated with rootless Podman. User namespaces do not remove the kernel bug, so organizations should still audit their runner images for vulnerable kernels, apply the 6.19.12 fix where possible, and treat rootless or micro‑VM based isolation as defense in depth against future LPEs.
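As an added example (not code from the article, Podman or OpenShift), here is a small POSIX shell helper that performs the host-side check the preceding two paragraphs rely on: it translates a UID as seen inside a container's user namespace into the host UID behind it by parsing the /proc/<pid>/uid_map format, and reports whether in-container root is really host root. The two sample maps are constructed; the host UID 1000 and the subordinate range starting at 100000 are assumptions, not values taken from the article.

```sh
#!/bin/sh
# Translate a UID seen inside a user namespace into the host UID it runs as.
# Input is the /proc/<pid>/uid_map format: one "inside outside count" triple per line.

# Constructed sample (assumption): what `podman unshare cat /proc/self/uid_map`
# prints for a rootless user whose host UID is 1000 and whose /etc/subuid range
# starts at 100000. Container root is host UID 1000, not host root.
SAMPLE_UID_MAP='         0       1000          1
         1     100000      65536'

# Constructed sample: a container run without a user namespace (e.g. as root).
# The identity map means container UID 0 is host UID 0.
SAMPLE_IDENTITY_MAP='         0          0 4294967295'

# map_uid MAP UID
# Prints the host UID for UID, or "unmapped" if no line of MAP covers it.
map_uid() {
    printf '%s\n' "$1" | awk -v uid="$2" '
        NF == 3 && uid >= $1 && uid < $1 + $3 {
            print $2 + (uid - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# container_root_is_host_root MAP
# Succeeds (exit 0) only if in-container UID 0 maps to host UID 0, i.e. a
# setuid(0) payload such as Copy Fail's would be real root on the host.
container_root_is_host_root() {
    [ "$(map_uid "$1" 0)" = "0" ]
}

# audit_pid PID
# Reads the live uid_map of a running process (e.g. a container's init) and
# prints the host UID that "root" inside that process's namespace resolves to.
audit_pid() {
    map_uid "$(cat "/proc/$1/uid_map")" 0
}
```

To audit a running container, feed its init PID to audit_pid, for example `audit_pid "$(podman inspect -f '{{.State.Pid}}' mycontainer)"`; an output of 0 means the container has no user namespace of its own and a Copy Fail style root shell inside it is a root shell on the host.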
