This project is a simple eBPF LSM filter + userspace logger to prevent exploitation of the CVE-2026-31431 CopyFail vulnerability.
cargo build --release && sudo ./target/release/copyfail-ebpf-mitigation
Every bind() on an AF_ALG socket whose salg_name selects the authencesn template is logged and denied. Only that one template is affected, so the mitigation is narrow and should not impact legitimate users of AF_ALG.
By default, processes with uid 0 are not filtered. You can add uids to the whitelist by modifying src/bpf/filter.bpf.c:is_allowed_user. Note that because uid 0 is exempt, the filter offers no protection against code already running as root (which could also simply unpin it).
The LSM program is pinned to bpffs on start, so the filter stays active even if the userspace component is killed: binds are still denied, only the logging done by the userspace component stops.
You can unpin (and thereby deactivate) it with rm -rf /sys/fs/bpf/copyfail-ebpf-mitigation
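As an added example (not code from this project, and not its src/bpf/filter.bpf.c), the following plain user-space C mirrors the decision described above for the eBPF lsm/socket_bind hook and, in main(), probes a live system by attempting two AF_ALG binds. The struct copies the layout of struct sockaddr_alg from <linux/if_alg.h>; the names alg_bind_verdict, verdict_for, probe_alg_bind and the two sample algorithm names are assumptions made here. It matches authencesn anywhere in the name rather than only as a prefix, so a wrapped form such as echainiv(authencesn(...)) is caught too; whether the project's filter does the same is not stated in this README.

```c
/* Added example, not the project's code: user-space mirror of the
 * socket_bind decision the README describes, plus a live bind probe.
 * alg_bind_verdict, verdict_for, probe_alg_bind are names chosen here. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

#ifndef AF_ALG
#define AF_ALG 38 /* Linux value; lets the file build where <sys/socket.h> lacks it */
#endif

/* Same layout as struct sockaddr_alg in <linux/if_alg.h> (88 bytes). */
struct alg_addr {
    uint16_t salg_family;   /* AF_ALG */
    uint8_t  salg_type[14]; /* "aead", "skcipher", "hash", ... */
    uint32_t salg_feat;
    uint32_t salg_mask;
    uint8_t  salg_name[64]; /* e.g. "authencesn(hmac(sha256),cbc(aes))" */
};

enum verdict { ALLOW = 0, DENY = 1 };

/* Whitelist policy as the README describes it: only uid 0 is exempt by default. */
static int is_allowed_user(uid_t uid)
{
    return uid == 0;
}

/* Bounded substring search that stops at the first NUL. The kernel terminates
 * salg_name itself during bind, so an unterminated 64-byte name is legal input
 * and must never be read past the field. */
static int name_contains(const uint8_t *buf, size_t buflen, const char *needle)
{
    size_t n = strlen(needle);

    for (size_t i = 0; i + n <= buflen; i++) {
        if (buf[i] == '\0')
            return 0;
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    }
    return 0;
}

/* The decision an lsm/socket_bind program makes for
 * socket_bind(sock, address, addrlen) issued by `uid`: non-AF_ALG addresses
 * and addresses too short to carry a name are never this filter's business. */
static enum verdict alg_bind_verdict(const void *addr, socklen_t addrlen, uid_t uid)
{
    const struct alg_addr *sa = addr;

    if (sa == NULL || addrlen < sizeof(*sa) || sa->salg_family != AF_ALG)
        return ALLOW;
    if (is_allowed_user(uid))
        return ALLOW;
    if (name_contains(sa->salg_name, sizeof(sa->salg_name), "authencesn"))
        return DENY;
    return ALLOW;
}

/* Fill the address as a raw caller would: no NUL is appended if the name fills the field. */
static void fill_alg_addr(struct alg_addr *sa, const char *type, const char *name)
{
    memset(sa, 0, sizeof(*sa));
    sa->salg_family = AF_ALG;
    strncpy((char *)sa->salg_type, type, sizeof(sa->salg_type));
    strncpy((char *)sa->salg_name, name, sizeof(sa->salg_name));
}

/* Verdict for an "aead" bind of `name` by `uid`. */
static enum verdict verdict_for(const char *name, uid_t uid)
{
    struct alg_addr sa;

    fill_alg_addr(&sa, "aead", name);
    return alg_bind_verdict(&sa, sizeof(sa), uid);
}

/* Live check: attempt the bind and return errno (0 on success). */
static int probe_alg_bind(const char *type, const char *name)
{
    struct alg_addr sa;
    int fd, err = 0;

    fill_alg_addr(&sa, type, name);
    fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (fd < 0)
        return errno;
    if (bind(fd, (const struct sockaddr *)&sa, sizeof(sa)) < 0)
        err = errno;
    close(fd);
    return err;
}

int main(void)
{
    /* Constructed sample names: the vulnerable template and a benign AEAD. */
    const char *names[] = { "authencesn(hmac(sha256),cbc(aes))", "gcm(aes)" };

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int err = probe_alg_bind("aead", names[i]);
        printf("bind(aead, %s): %s\n", names[i], err ? strerror(err) : "ok");
    }
    return 0;
}
```

Run the probe as an unprivileged user while the mitigation is loaded: the authencesn bind should fail, while the gcm(aes) bind behaves as it would without the mitigation (success, or ENOENT if that cipher is not available in the kernel). Run as uid 0 and both binds are unaffected, since uid 0 is whitelisted by default.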
- kernel >= 5.8 with CONFIG_BPF_LSM enabled and "bpf" in the active LSM list (check with cat /sys/kernel/security/lsm; if it is missing, add bpf to the lsm= kernel command-line parameter).
- Rust >= 1.85.0
- clang with the bpf target enabled
- bpftool
- libelf
- libz
- libzstd
I have only used this on kernel 5.14 myself (with RHEL 9 backports), but from reading the eBPF feature timeline, any kernel since 5.8 should work.
I am not affiliated with the copy.fail authors in any way.
This filter blocks access to the authencesn vector described in the writeup.
I am far from an expert on AF_ALG semantics: if there are other ways to reach the relevant code without a bind() whose salg_name selects authencesn, this eBPF filter will not protect you.