# GitHub - NorskHelsenett/copy-fail-destroyer

18 points, 13 comments, submitted by evenh 2 months ago on Hacker News.

A Kubernetes DaemonSet agent that detects and remediates CVE-2026-31431 ("Copy Fail"), an `algif_aead` in-place logic flaw in the Linux kernel that allows unprivileged page-cache writes via the AF_ALG socket interface.

## What it does

On each node the agent runs a loop every 5 minutes that:

1. Checks the kernel version against all known patched stable branches.
2. Probes the AF_ALG module by attempting to create and bind an AF_ALG socket to `aead` / `authenc(hmac(sha256),cbc(aes))`, the exact algorithm the exploit targets. This is safe and non-destructive.
3. Remediates based on the configured `REMEDIATION_MODE` (see below).
4. Exposes Prometheus metrics so you can alert and track status across the fleet.

## Remediation modes

Set via the `REMEDIATION_MODE` environment variable (or `remediationMode` in the Helm chart):

| Mode | Behaviour |
|------|-----------|
| `unload` (default) | Unloads the `algif_aead` kernel module via `delete_module` |
| `blacklist` | Unloads the module and writes a modprobe blacklist rule to prevent auto-reload |
| `disabled` | Detect and report only; no remediation is performed |

## Prometheus metrics

All metrics are exposed on `:9100/metrics`.

| Metric | Description |
|--------|-------------|
| `cve_2026_31431_kernel_needs_patching` | 1 if the kernel version is not patched for CVE-2026-31431 |
| `cve_2026_31431_vulnerable` | 1 if the kernel is vulnerable to CVE-2026-31431 and the module is reachable |
| `cve_2026_31431_module_reachable` | 1 if the AF_ALG `aead` algorithm can be bound |
| `cve_2026_31431_remediation_applied` | 1 if the `algif_aead` module was successfully unloaded |

## Patched kernel versions

CVE-2026-31431 (Copy Fail):

- 7.0+ (mainline)
- 6.19.12+, 6.18.22+

Kernels before 4.14 are not affected (bug introduced in 4.14).
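The two decisions the README describes above, the kernel-version check against the patched branches and the derivation of the `cve_2026_31431_vulnerable` gauge from the other metrics, are shown below as an added example written for this page; it is not code from the copy-fail-destroyer repository. It assumes the fixed versions exactly as the README lists them (7.0+, 6.19.12+, 6.18.22+, nothing before 4.14) and treats any other stable branch as unpatched, which is a conservative assumption a real deployment would revise as further fixed branches are published. The metric names and the "unpatched AND reachable" definition of `vulnerable` are taken from the metrics table; `ModuleReachable` is supplied as an input here rather than probed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// KernelVersion is the numeric prefix of a `uname -r` release string,
// e.g. "6.18.21-amd64" parses as {6, 18, 21}.
type KernelVersion struct {
	Major, Minor, Patch int
}

// ParseKernelVersion extracts major.minor[.patch] and ignores any suffix
// such as "-rc1", "-generic" or a distro build tag.
func ParseKernelVersion(release string) (KernelVersion, error) {
	end := strings.IndexFunc(release, func(r rune) bool {
		return (r < '0' || r > '9') && r != '.'
	})
	if end >= 0 {
		release = release[:end]
	}
	parts := strings.Split(release, ".")
	if len(parts) < 2 {
		return KernelVersion{}, fmt.Errorf("unparseable kernel release %q", release)
	}
	var v KernelVersion
	fields := []*int{&v.Major, &v.Minor, &v.Patch}
	for i, p := range parts {
		if i >= len(fields) {
			break // ignore a fourth component, e.g. "5.15.0.1"
		}
		n, err := strconv.Atoi(p)
		if err != nil {
			return KernelVersion{}, fmt.Errorf("bad component %q in %q", p, release)
		}
		*fields[i] = n
	}
	return v, nil
}

// Less reports whether v is strictly older than o.
func (v KernelVersion) Less(o KernelVersion) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// First fixed release per stable branch, as listed in the README.
// Assumption for this example: a branch missing from the map is unpatched.
var patchedBranches = map[[2]int]KernelVersion{
	{6, 19}: {6, 19, 12},
	{6, 18}: {6, 18, 22},
}

// The README states the bug was introduced in 4.14.
var introducedIn = KernelVersion{4, 14, 0}

// NeedsPatching is the value behind cve_2026_31431_kernel_needs_patching.
func NeedsPatching(v KernelVersion) bool {
	if v.Less(introducedIn) {
		return false // pre-4.14 kernels never had the flaw
	}
	if v.Major >= 7 {
		return false // mainline 7.0+ carries the fix
	}
	fixed, ok := patchedBranches[[2]int{v.Major, v.Minor}]
	if !ok {
		return true // unknown branch: assume unpatched (conservative)
	}
	return v.Less(fixed)
}

// Gauges holds the inputs to the four README metrics.
type Gauges struct {
	KernelNeedsPatching, ModuleReachable, RemediationApplied bool
}

// Vulnerable is the conjunction the metrics table describes.
func (g Gauges) Vulnerable() bool { return g.KernelNeedsPatching && g.ModuleReachable }

// Render writes the gauges in Prometheus text exposition format, the
// body an agent would serve on :9100/metrics.
func Render(g Gauges) string {
	var sb strings.Builder
	write := func(name string, val bool) {
		n := 0
		if val {
			n = 1
		}
		fmt.Fprintf(&sb, "# TYPE %s gauge\n%s %d\n", name, name, n)
	}
	write("cve_2026_31431_kernel_needs_patching", g.KernelNeedsPatching)
	write("cve_2026_31431_module_reachable", g.ModuleReachable)
	write("cve_2026_31431_vulnerable", g.Vulnerable())
	write("cve_2026_31431_remediation_applied", g.RemediationApplied)
	return sb.String()
}

func main() {
	// Constructed sample release strings, not output from a real fleet.
	for _, r := range []string{"6.18.21-amd64", "6.18.22", "6.19.12", "7.0.0", "4.13.16", "6.12.40"} {
		v, err := ParseKernelVersion(r)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%-14s needs patching: %v\n", r, NeedsPatching(v))
	}
	fmt.Print(Render(Gauges{KernelNeedsPatching: true, ModuleReachable: true}))
}
```

Keeping the version check as a pure function over a parsed struct makes it easy to unit-test every branch boundary (6.18.21 vs 6.18.22, the 4.14 introduction point, the 7.0 mainline cut-over) without a kernel, which is where most mistakes in "am I patched" logic live.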

## Project structure

```
cmd/destroyer/main.go          # Entry point: metrics server, check loop, remediation
pkg/detector/
  cve202631431.go              # CVE-2026-31431 (Copy Fail) detection
  probe_linux.go               # AF_ALG module probe (Linux)
  probe_other.go               # Probe stub (non-Linux)
  remediate_linux.go           # Module unload via delete_module (Linux)
  remediate_other.go           # Remediation stub (non-Linux)
deploy/namespace.yaml          # Namespace with Pod Security Admission policy
deploy/daemonset.yaml          # Kubernetes DaemonSet manifest
Dockerfile                     # Multi-stage build (scratch final image)
```

## Building

```
# Native
go build ./cmd/destroyer

# Linux cross-compile (for container image)
CGO_ENABLED=0 GOOS=linux go build -o destroyer ./cmd/destroyer
```

### Container image

```
docker build -t copy-fail-destroyer .
```

## Deployment

The agent requires a privileged security context to unload kernel modules and probe AF_ALG sockets. The root filesystem is read-only.

### Raw manifests

```
kubectl apply -f deploy/namespace.yaml
kubectl apply -f deploy/daemonset.yaml
```

### Helm

```
helm install copy-fail-destroyer oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer \
  --namespace copy-fail-destroyer --create-namespace
```

Override the remediation mode:

```
helm install copy-fail-destroyer oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer \
  --namespace copy-fail-destroyer --create-namespace \
  --set remediationMode=disabled
```

### ArgoCD

An Application manifest is provided at `deploy/argocd-application.yaml`.

Edit `targetRevision` to pin a chart version:

```
kubectl apply -f deploy/argocd-application.yaml
```

The DaemonSet includes Prometheus scrape annotations (`prometheus.io/scrape: "true"`, port 9100).

### Prometheus Operator

If you use the Prometheus Operator, deploy the PodMonitor to have metrics scraped automatically:

```
# Raw manifest
kubectl apply -f deploy/podmonitor.yaml

# Or via Helm
helm install copy-fail-destroyer oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer \
  --namespace copy-fail-destroyer --create-namespace \
  --set metrics.podMonitor.enabled=true
```

Alert rules (PrometheusRule) for Alertmanager are also available:

```
# Raw manifest
kubectl apply -f deploy/prometheusrule.yaml

# Or via Helm with extra alert labels
helm install copy-fail-destroyer oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer \
  --namespace copy-fail-destroyer --create-namespace \
  --set metrics.prometheusRule.enabled=true \
  --set metrics.prometheusRule.extraAlertLabels.team=platform
```

Three alerts are defined:

| Alert | Severity | Description |
|-------|----------|-------------|
| `CopyFailVulnerable` | critical | Kernel is vulnerable and AF_ALG module is reachable |
| `CopyFailKernelNeedsPatching` | warning | Kernel version is unpatched (module may be mitigated) |
| `CopyFailRemediationFailed` | warning | Module still reachable after remediation attempt |

## CI/CD

A GitHub Actions workflow (`.github/workflows/build.yaml`) triggers on versioned tags (`v*`). It:

1. Runs `go test ./...`
2. Builds the Linux binary
3. Builds and pushes a container image to `ghcr.io/norskhelsenett/copy-fail-destroyer`
4. Packages and pushes the Helm chart to `oci://ghcr.io/norskhelsenett/helm/copy-fail-destroyer`

Tags are derived from the Git tag, e.g. pushing `v1.2.3` produces image tags `1.2.3` and `1.2`.

```
git tag v1.0.0
git push origin v1.0.0
```