A Kubernetes DaemonSet agent that detects and remediates CVE-2026-31431 ("Copy Fail") — an algif_aead in-place logic flaw in the Linux kernel allowing unprivileged page-cache writes via the AF_ALG socket interface.
## What it does

On each node the agent runs a loop every 5 minutes that:

1. Checks the kernel version against all known patched stable branches.
2. Probes the AF_ALG module by attempting to create and bind an AF_ALG socket to `aead` / `authenc(hmac(sha256),cbc(aes))` — the exact algorithm the exploit targets. This is safe and non-destructive.
3. Remediates based on the configured `REMEDIATION_MODE` (see below).
4. Exposes Prometheus metrics so you can alert on and track status across the fleet.
## Remediation modes

Set via the `REMEDIATION_MODE` environment variable (or `remediationMode` in the Helm chart):

| Mode | Behaviour |
|---|---|
| `unload` (default) | Unloads the `algif_aead` kernel module via `delete_module` |
| `blacklist` | Unloads the module and writes a modprobe blacklist rule to prevent auto-reload |
| `disabled` | Detect and report only — no remediation is performed |
## Prometheus metrics

All metrics are exposed on `:9100/metrics`.

| Metric | Description |
|---|---|
| `cve_2026_31431_kernel_needs_patching` | 1 if the kernel version is not patched for CVE-2026-31431 |
| `cve_2026_31431_vulnerable` | 1 if the kernel is vulnerable to CVE-2026-31431 and the module is reachable |
| `cve_2026_31431_module_reachable` | 1 if the AF_ALG aead algorithm can be bound |
| `cve_2026_31431_remediation_applied` | 1 if the `algif_aead` module was successfully unloaded |
## Patched kernel versions

- 7.0+ (mainline)
- 6.19.12+, 6.18.22+
- Kernels before 4.14 are not affected (bug introduced in 4.14)
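The version check behind `cve_2026_31431_kernel_needs_patching` is the kind of comparison that is easy to get subtly wrong (distro suffixes, unlisted branches). The following is an added example of how such a check can be written; it is not the project's own `pkg/detector` code. The patched releases in the table are the ones listed in this README, and `KernelNeedsPatching` and `parseKernelVersion` are names chosen for this example; the agent's real table may cover more stable branches. Any branch not in the table is treated as unpatched, so the check fails closed.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// kernelVersion is the numeric major.minor.patch prefix of a kernel release string.
type kernelVersion struct{ major, minor, patch int }

// parseKernelVersion reads the leading "X.Y.Z" of a release string such as
// "6.18.21-1-generic". Distro suffixes and "-rcN" tags are dropped, so a
// pre-release such as "7.0.0-rc1" compares as 7.0.0; that is a known
// simplification of this example.
func parseKernelVersion(release string) (kernelVersion, error) {
	end := strings.IndexFunc(release, func(r rune) bool {
		return r != '.' && (r < '0' || r > '9')
	})
	if end >= 0 {
		release = release[:end]
	}
	parts := strings.Split(release, ".")
	if len(parts) < 2 {
		return kernelVersion{}, fmt.Errorf("unparseable kernel release %q", release)
	}
	var v kernelVersion
	fields := []*int{&v.major, &v.minor, &v.patch}
	for i, p := range parts {
		if i >= len(fields) {
			break // ignore a fourth component such as "6.18.22.1"
		}
		n, err := strconv.Atoi(p)
		if err != nil {
			return kernelVersion{}, fmt.Errorf("bad component %q in %q", p, release)
		}
		*fields[i] = n
	}
	return v, nil
}

// less reports whether v sorts before o.
func (v kernelVersion) less(o kernelVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// The patched releases below are the ones listed in this README (constructed
// table for the example); the agent's own list may carry more stable branches.
var (
	bugIntroduced        = kernelVersion{4, 14, 0} // kernels before 4.14 are not affected
	firstPatchedMainline = kernelVersion{7, 0, 0}  // 7.0+ (mainline)
	patchedStable        = map[[2]int]int{         // {major, minor} -> minimum patched level
		{6, 19}: 12, // 6.19.12+
		{6, 18}: 22, // 6.18.22+
	}
)

// KernelNeedsPatching reports whether a release string falls in the affected,
// unpatched range. Branches missing from patchedStable are reported as
// needing a patch, so an unknown kernel never silently passes.
func KernelNeedsPatching(release string) (bool, error) {
	v, err := parseKernelVersion(release)
	if err != nil {
		return false, err
	}
	if v.less(bugIntroduced) {
		return false, nil
	}
	if !v.less(firstPatchedMainline) {
		return false, nil
	}
	if minPatch, ok := patchedStable[[2]int{v.major, v.minor}]; ok && v.patch >= minPatch {
		return false, nil
	}
	return true, nil
}

func main() {
	// On a node the release comes from the kernel itself; fall back to a
	// constructed sample when /proc is not available.
	release := "6.18.21-1-generic"
	if b, err := os.ReadFile("/proc/sys/kernel/osrelease"); err == nil {
		release = strings.TrimSpace(string(b))
	}
	needs, err := KernelNeedsPatching(release)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("kernel %s needs patching for CVE-2026-31431: %v\n", release, needs)
}
```

Because the agent also probes the module, a kernel that this check flags is only reported as vulnerable when the AF_ALG aead algorithm can still be bound; the version check alone drives the warning-level metric, not the critical one.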
## Project structure

```
cmd/destroyer/main.go        # Entry point — metrics server, check loop, remediation
pkg/detector/
  cve202631431.go            # CVE-2026-31431 (Copy Fail) detection
  probe_linux.go             # AF_ALG module probe (Linux)
  probe_other.go             # Probe stub (non-Linux)
  remediate_linux.go         # Module unload via delete_module (Linux)
  remediate_other.go         # Remediation stub (non-Linux)
deploy/namespace.yaml        # Namespace with Pod Security Admission policy
deploy/daemonset.yaml        # Kubernetes DaemonSet manifest
Dockerfile                   # Multi-stage build (scratch final image)
```
## Building

```sh
# Native
go build ./cmd/destroyer

# Linux cross-compile (for container image)
CGO_ENABLED=0 GOOS=linux go build -o destroyer ./cmd/destroyer
```

### Container image

```sh
docker build -t copy-fail-destroyer .
```
## Deployment

The agent requires a privileged security context to unload kernel modules and probe AF_ALG sockets. The root filesystem is read-only.

### Raw manifests

```sh
kubectl apply -f deploy/namespace.yaml
kubectl apply -f deploy/daemonset.yaml
```
### Helm

```sh
helm install copy-fail-destroyer oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer \
  --namespace copy-fail-destroyer --create-namespace
```

Override the remediation mode:

```sh
helm install copy-fail-destroyer oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer \
  --namespace copy-fail-destroyer --create-namespace \
  --set remediationMode=disabled
```
### ArgoCD

An Application manifest is provided at `deploy/argocd-application.yaml`. Edit `targetRevision` to pin a chart version:

```sh
kubectl apply -f deploy/argocd-application.yaml
```

The DaemonSet includes Prometheus scrape annotations (`prometheus.io/scrape: "true"`, port 9100).
### Prometheus Operator

If you use the Prometheus Operator, deploy the PodMonitor to have metrics scraped automatically:

```sh
# Raw manifest
kubectl apply -f deploy/podmonitor.yaml

# Or via Helm
helm install copy-fail-destroyer oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer \
  --namespace copy-fail-destroyer --create-namespace \
  --set metrics.podMonitor.enabled=true
```

Alert rules (`PrometheusRule`) for Alertmanager are also available:

```sh
# Raw manifest
kubectl apply -f deploy/prometheusrule.yaml

# Or via Helm with extra alert labels
helm install copy-fail-destroyer oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer \
  --namespace copy-fail-destroyer --create-namespace \
  --set metrics.prometheusRule.enabled=true \
  --set metrics.prometheusRule.extraAlertLabels.team=platform
```

Three alerts are defined:

| Alert | Severity | Description |
|---|---|---|
| `CopyFailVulnerable` | critical | Kernel is vulnerable and AF_ALG module is reachable |
| `CopyFailKernelNeedsPatching` | warning | Kernel version is unpatched (module may be mitigated) |
| `CopyFailRemediationFailed` | warning | Module still reachable after remediation attempt |
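The metrics table and the alert table above describe the same state from two sides: `cve_2026_31431_vulnerable` is the conjunction of "unpatched kernel" and "module reachable", and each alert is a predicate over those gauges. The following added example (not the project's `cmd/destroyer` code) renders the four gauges in Prometheus text exposition format with only the standard library and evaluates the three alerts against one pass of the check loop. The `DetectionState` fields, the `RemediationAttempted` flag, and the alert predicates are this example's reading of the two tables, not the project's actual `PrometheusRule` expressions.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
	"sync"
)

// DetectionState holds what one pass of the check loop found. Field meanings
// follow the README's metric table; RemediationAttempted is an assumption of
// this example (true whenever the mode is not "disabled").
type DetectionState struct {
	KernelNeedsPatching  bool // kernel version not in a patched branch
	ModuleReachable      bool // AF_ALG aead algorithm could be bound
	RemediationAttempted bool // a non-"disabled" mode tried to unload algif_aead
	RemediationApplied   bool // the unload succeeded
}

// Vulnerable is true only when the kernel is unpatched AND the module is still
// reachable: an unpatched kernel with algif_aead unloaded is mitigated, not vulnerable.
func (s DetectionState) Vulnerable() bool {
	return s.KernelNeedsPatching && s.ModuleReachable
}

func gauge(b bool) int {
	if b {
		return 1
	}
	return 0
}

// RenderMetrics renders the four gauges in Prometheus text exposition format,
// which is what a scrape of :9100/metrics returns.
func RenderMetrics(s DetectionState) string {
	rows := []struct {
		name, help string
		value      int
	}{
		{"cve_2026_31431_kernel_needs_patching", "1 if the kernel version is not patched for CVE-2026-31431", gauge(s.KernelNeedsPatching)},
		{"cve_2026_31431_vulnerable", "1 if the kernel is vulnerable and the module is reachable", gauge(s.Vulnerable())},
		{"cve_2026_31431_module_reachable", "1 if the AF_ALG aead algorithm can be bound", gauge(s.ModuleReachable)},
		{"cve_2026_31431_remediation_applied", "1 if the algif_aead module was successfully unloaded", gauge(s.RemediationApplied)},
	}
	var sb strings.Builder
	for _, r := range rows {
		fmt.Fprintf(&sb, "# HELP %s %s\n# TYPE %s gauge\n%s %d\n", r.name, r.help, r.name, r.name, r.value)
	}
	return sb.String()
}

// FiringAlerts evaluates the three README alerts against a state. The
// predicates are this example's reading of the alert descriptions.
func FiringAlerts(s DetectionState) []string {
	var alerts []string
	if s.Vulnerable() {
		alerts = append(alerts, "CopyFailVulnerable")
	}
	if s.KernelNeedsPatching {
		alerts = append(alerts, "CopyFailKernelNeedsPatching")
	}
	if s.RemediationAttempted && s.ModuleReachable {
		alerts = append(alerts, "CopyFailRemediationFailed")
	}
	return alerts
}

// MetricsHandler serves the most recent state; the check loop calls Update
// after each pass and every scrape reads a consistent snapshot.
type MetricsHandler struct {
	mu    sync.RWMutex
	state DetectionState
}

func (h *MetricsHandler) Update(s DetectionState) {
	h.mu.Lock()
	h.state = s
	h.mu.Unlock()
}

func (h *MetricsHandler) ServeHTTP(w http.ResponseWriter, _ *http.Request) {
	h.mu.RLock()
	s := h.state
	h.mu.RUnlock()
	w.Header().Set("Content-Type", "text/plain; version=0.0.4; charset=utf-8")
	io.WriteString(w, RenderMetrics(s))
}

func main() {
	h := &MetricsHandler{}
	// Constructed sample: unpatched kernel, unload succeeded on this pass.
	h.Update(DetectionState{KernelNeedsPatching: true, ModuleReachable: false, RemediationAttempted: true, RemediationApplied: true})
	mux := http.NewServeMux()
	mux.Handle("/metrics", h)
	log.Fatal(http.ListenAndServe(":9100", mux))
}
```

The sample state in `main` is the expected steady state of an unpatched node after a successful `unload`: `cve_2026_31431_vulnerable` drops to 0 while `cve_2026_31431_kernel_needs_patching` stays at 1, so only the warning-level `CopyFailKernelNeedsPatching` keeps firing until the kernel is actually upgraded.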
A GitHub Actions workflow (`.github/workflows/build.yaml`) triggers on versioned tags (`v*`). It:

1. Runs `go test ./...`
2. Builds the Linux binary
3. Builds and pushes a container image to `ghcr.io/norskhelsenett/copy-fail-destroyer`
4. Packages and pushes the Helm chart to `oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer`

Tags are derived from the Git tag — e.g. pushing `v1.2.3` produces image tags `1.2.3` and `1.2`.