From Exploit Code to Production Detection: Building a CVE-2026-31431 (Copy Fail) detection with Agents
ID: c1a0ecb2-f382-57b6-a30b-0d4e1a39e57b
STIX ID: report--c1a0ecb2-f382-57b6-a30b-0d4e1a39e57b
Feed Name: Datadog Security Labs
Datadog Security Research describes CVE-2026-31431 (“Copy Fail”), a high-severity (CVSS 7.8) Linux kernel vulnerability that lets any unprivileged local user deterministically corrupt page-cache-backed file contents via AF_ALG (authencesn AEAD) and splice, enabling local privilege escalation to root while leaving no on-disk traces; the report explains the exploit chain, provides PoC snippets, notes active exploitation and CISA KEV inclusion, and supplies detection rules, hunting queries, and mitigations (patch, disable algif_aead, enable Workload Protection).
