CVE-2026-31431: how Copy Fail behaves in Kubernetes
Blog post from Stream.Security
CVE-2026-31431 is a logic flaw in the Linux kernel's cryptographic subsystem that has existed since 2017. It lets an unprivileged user corrupt in-memory files through the kernel's crypto sockets, with no special permissions required.

The flaw is particularly dangerous in Kubernetes environments, where it enables cross-container lateral movement through shared resources such as the page cache, without any escape to the host. Container images are composed of layers, and when several containers on the same node share a layer they also share the same page cache entries for its files, so a corrupted entry is visible to every container that shares the layer. The attack runs quickly and leaves little trace, and it can be carried out through common system binaries such as /usr/bin/cat, potentially giving control over cluster-admin pods and access to sensitive data.

Despite its serious implications, this is not a container-to-host escape but container-to-container movement; it still poses a significant risk to any Kubernetes cluster whose workloads share base images.

Detection and mitigation involve monitoring specific syscall patterns, applying kernel patches, and using diverse base images to limit the blast radius. Stream.Security addresses this gap with eBPF sensors that monitor syscalls in real time, so detection and mitigation can be rolled out quickly without extensive configuration changes.
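As an added illustration of the least-privilege side of the mitigation advice above (this is not code from the Stream.Security post), the following seccomp profile denies creation of AF_ALG sockets, the Linux crypto-socket family the flaw is reached through, for workloads that have no legitimate use for the kernel's user-space crypto API. It assumes the workload's other syscalls should stay allowed (hence the permissive defaultAction) and that the container runtime honours OCI seccomp argument filters; AF_ALG is address family 38 and errno 97 is EAFNOSUPPORT.

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 97,
      "args": [
        { "index": 0, "value": 38, "op": "SCMP_CMP_EQ" }
      ]
    }
  ]
}
```

Reference the file from the pod's securityContext.seccompProfile with type Localhost and localhostProfile set to its path under the kubelet's seccomp directory; it is containment to run alongside the kernel patch, not a replacement for it.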