How Cloudflare responded to the “Copy Fail” Linux vulnerability

Cloudflare describes the discovery and response to the 'Copy Fail' Linux kernel local privilege escalation (CVE-2026-31431), an out-of-bounds write in the algif_aead/AF_ALG crypto path that allows unprivileged attackers to taint page cache and gain root by modifying setuid binaries; Cloudflare validated that behavioral detections flagged the exploit, performed fleet-wide hunting with no evidence of compromise, and deployed eBPF-based mitigations (bpf-lsm), visibility, and patched kernels with no customer impact.