{"id":180721,"date":"2026-05-05T12:56:49","date_gmt":"2026-05-05T19:56:49","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=180721"},"modified":"2026-05-14T13:07:36","modified_gmt":"2026-05-14T20:07:36","slug":"cve-2026-31431-copy-fail","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/fr\/cve-2026-31431-copy-fail\/","title":{"rendered":"Copy Fail: Anatomy of the Most Critical Linux Flaw in Years"},"content":{"rendered":"<h2><a id=\"post-180721-_4lt92rr5muov\"><\/a>Executive Summary<\/h2>\n<p>On April 29, 2026, researchers <a href=\"https:\/\/copy.fail\/\" target=\"_blank\" rel=\"noopener\">publicly disclosed<\/a> a local privilege escalation (LPE) vulnerability, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-31431\" target=\"_blank\" rel=\"noopener\">CVE-2026-31431<\/a>, whose exploitation is extremely reliable. The vulnerability is commonly known as Copy Fail. Discovered in roughly one hour with the help of an <a href=\"https:\/\/xint.io\/blog\/copy-fail-linux-distributions\" target=\"_blank\" rel=\"noopener\">AI-assisted process<\/a>, this logic flaw allows an unprivileged local attacker to <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/01\/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation\/\" target=\"_blank\" rel=\"noopener\">consistently obtain root access<\/a> on nearly every major Linux distribution released since 2017.<\/p>\n<p>Unlike many kernel vulnerabilities, this logic flaw is deterministic: it depends neither on race conditions nor on version-specific offsets. 
A simple 732-byte Python script can exploit it successfully, without modification, across different Linux distributions.<\/p>\n<p>The vulnerability originates in the Linux kernel's cryptographic subsystem, specifically in the <span style=\"font-family: 'courier new', courier, monospace;\">algif_aead<\/span> module of the <span style=\"font-family: 'courier new', courier, monospace;\">AF_ALG<\/span> interface, a user-space cryptography API. It is not the result of a single coding error, but of the combination of three independent changes:<\/p>\n<ul>\n<li>The addition of the <span style=\"font-family: 'courier new', courier, monospace;\">authencesn<\/span> algorithm in 2011<\/li>\n<li>AEAD support in the <span style=\"font-family: 'courier new', courier, monospace;\">AF_ALG<\/span> interface in 2015<\/li>\n<li>A critical in-place optimization introduced in 2017<\/li>\n<\/ul>\n<p>During cryptographic operations, a bug in this in-place optimization causes the algorithm to misuse the destination buffer. It then writes four controlled bytes beyond the legitimate region, directly into the system's page cache. 
Affected versions include Linux kernels from 4.14 through 6.19.12.<\/p>\n<p>This vulnerability affects millions of systems running common distributions such as <a href=\"https:\/\/ubuntu.com\/blog\/copy-fail-vulnerability-fixes-available\" target=\"_blank\" rel=\"noopener\">Ubuntu<\/a>, Amazon Linux, <a href=\"https:\/\/access.redhat.com\/solutions\/7142032\" target=\"_blank\" rel=\"noopener\">Red Hat Enterprise Linux<\/a>, <a href=\"https:\/\/debiansupport.com\/blog\/copy-fail-cve-2026-31431-mitigation\/\" target=\"_blank\" rel=\"noopener\">Debian<\/a>, <a href=\"https:\/\/www.suse.com\/c\/addressing-copy-fail-in-suse-virtualization\/\" target=\"_blank\" rel=\"noopener\">SUSE<\/a> and AlmaLinux. An attacker with ordinary local access can exploit it to maliciously modify the in-memory cache of privileged executables such as <span style=\"font-family: 'courier new', courier, monospace;\">su<\/span> or <span style=\"font-family: 'courier new', courier, monospace;\">sudo<\/span> without triggering integrity checks, since the physical files on disk remain unchanged. 
Because the kernel and its page cache are shared across an entire node, this flaw allows attackers to:<\/p>\n<ul>\n<li>Easily escape Kubernetes containers<\/li>\n<li>Take control of multi-tenant hosts<\/li>\n<li>Compromise CI\/CD pipelines<\/li>\n<\/ul>\n<p>We strongly recommend that organizations apply the necessary fixes immediately by deploying the kernel updates released by their vendors.<\/p>\n<p>Palo Alto Networks customers receive protections and mitigations against CVE-2026-31431 through the following solutions:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.paloaltonetworks.com\/ngfw\" target=\"_blank\" rel=\"noopener\">Next-Generation Firewall<\/a> with <a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-threat-prevention\/administration\" target=\"_blank\" rel=\"noopener\">Advanced Threat Prevention<\/a><\/li>\n<li><a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/r\/Cortex-CLOUD\/Cortex-Cloud-Runtime-Security-Documentation\/Endpoint-protection\" target=\"_blank\" rel=\"noopener\">Cortex Cloud<\/a><\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cortex-xdr?_gl=1*13pmp8e*_ga*NzQyNjM2NzkuMTY2NjY3OTczNw..*_ga_KS2MELEEFC*MTY2OTczNjA2MS4zMS4wLjE2Njk3MzYwNjEuNjAuMC4w\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> and <a href=\"https:\/\/www.paloaltonetworks.com\/resources\/datasheets\/cortex-xsiam-aag\" target=\"_blank\" rel=\"noopener\">XSIAM<\/a><\/li>\n<\/ul>\n<p>The Linux Foundation <a href=\"https:\/\/lore.kernel.org\/linux-cve-announce\/2026042214-CVE-2026-31431-3d65@gregkh\/\" target=\"_blank\" rel=\"noopener\">has published an advisory<\/a> with detailed information on mitigations for CVE-2026-31431. 
Palo Alto Networks strongly recommends applying the vendor-released kernel updates immediately. If that is not feasible, we recommend following <a href=\"#post-180721-_zg1rezlvhwuy\" target=\"_blank\" rel=\"noopener\">the interim guidance<\/a> to disable the vulnerable module until patches can be applied.<\/p>\n<p>The <a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">Unit 42 Incident Response team<\/a> can also engage in the event of a compromise, or perform a proactive assessment to reduce your level of risk.<\/p>\n<table style=\"width: 99.3188%;\">\n<tbody>\n<tr>\n<td style=\"width: 36.8773%;\"><b>Vulnerabilities discussed<\/b><\/td>\n<td style=\"width: 105.856%;\"><strong>CVE-2026-31431<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><a id=\"post-180721-_wven14kmgum2\"><\/a>Details of CVE-2026-31431<\/h2>\n<p>The vulnerability tracked as CVE-2026-31431, known as Copy Fail, is a deterministic logic flaw in the Linux kernel's cryptographic subsystem, specifically in the <span style=\"font-family: 'courier new', courier, monospace;\">algif_aead<\/span> module of the <span style=\"font-family: 'courier new', courier, monospace;\">AF_ALG<\/span> interface.<\/p>\n<h3><a id=\"post-180721-_gjn0z5s9lche\"><\/a>Root cause<\/h3>\n<p>The flaw stems from a defective in-place optimization for AEAD encryption, introduced into the Linux kernel in 2017 with commit <a href=\"https:\/\/github.com\/torvalds\/linux\/commit\/72548b093ee3\" target=\"_blank\" rel=\"noopener\">72548b093ee3<\/a>. 
Specifically, this optimization made <span style=\"font-family: 'courier new', courier, monospace;\">req-&gt;src<\/span> and <span style=\"font-family: 'courier new', courier, monospace;\">req-&gt;dst<\/span> point to a single combined scatterlist. As a result, page-cache pages obtained through the <span style=\"font-family: 'courier new', courier, monospace;\">splice()<\/span> call were incorrectly chained directly into the writable destination scatterlist.<\/p>\n<p>During cryptographic operations, the <span style=\"font-family: 'courier new', courier, monospace;\">authencesn<\/span> algorithm incorrectly uses the caller's destination buffer as a scratch buffer. It thereby writes four controlled bytes beyond the legitimate output region, across a chained scatterlist boundary, and never restores them. The fix, introduced with commit <a href=\"https:\/\/www.google.com\/url?sa=E&amp;q=https%3A%2F%2Fgithub.com%2Ftorvalds%2Flinux%2Fcommit%2Fa664bf3d603dc3bdcf9ae47cc21e0daec706d7a5\" target=\"_blank\" rel=\"noopener\">a664bf3d603d<\/a>, resolves the issue by restoring out-of-place processing with separate source and destination scatterlists. Page-cache pages thus remain strictly confined to the read-only source.<\/p>\n<h3><a id=\"post-180721-_6lxwwre1t23z\"><\/a>How it works<\/h3>\n<p>An unprivileged attacker can exploit this memory-handling error by abusing the interaction between the <span style=\"font-family: 'courier new', courier, monospace;\">AF_ALG<\/span> socket interface and the <span style=\"font-family: 'courier new', courier, monospace;\">splice()<\/span> system call. 
When <span style=\"font-family: 'courier new', courier, monospace;\">splice()<\/span> hands page-cache pages to the cryptographic subsystem, the vulnerability lets the attacker direct this four-byte write straight into the kernel's file page cache.<\/p>\n<p>The <span style=\"font-family: 'courier new', courier, monospace;\">authencesn<\/span> algorithm supports extended sequence numbers (ESN) in IPsec. It uses the destination buffer as a scratch buffer to rearrange these sequence numbers. The attacker controls the exact value of the four-byte write by supplying <span style=\"font-family: 'courier new', courier, monospace;\">seqno_lo<\/span>, the low half of the sequence number, in bytes 4 through 7 of the associated authenticated data (AAD) during the <span style=\"font-family: 'courier new', courier, monospace;\">sendmsg()<\/span> call.<\/p>\n<h3><a id=\"post-180721-_dmugjiwpws63\"><\/a>Exploitation via the page cache<\/h3>\n<p>The page cache is the temporary in-memory copy of a file that the kernel reads when it loads a binary for execution. 
An attacker can use the four-byte write to target the page cache of any readable setuid-root binary, such as <span style=\"font-family: 'courier new', courier, monospace;\">\/usr\/bin\/su<\/span>, <span style=\"font-family: 'courier new', courier, monospace;\">sudo<\/span> or <span style=\"font-family: 'courier new', courier, monospace;\">passwd<\/span>.<\/p>\n<p>The attacker precisely controls the location of the write by manipulating the splice offset, the splice length and the <span style=\"font-family: 'courier new', courier, monospace;\">assoclen<\/span> (associated length) parameter. This allows them to specifically target the <span style=\"font-family: 'courier new', courier, monospace;\">.text<\/span> section of a <span style=\"font-family: 'courier new', courier, monospace;\">setuid<\/span> binary, such as <span style=\"font-family: 'courier new', courier, monospace;\">\/usr\/bin\/su<\/span>, in order to inject shellcode into it.<\/p>\n<ul>\n<li><strong>Privilege escalation \u2013<\/strong> Modifying the cached copy of the binary alters its execution context. When the binary runs, it grants the attacker superuser privileges (UID <span style=\"font-family: 'courier new', courier, monospace;\">0<\/span>), which amounts to breaking the kernel's trust boundaries.<\/li>\n<li><strong>Stealth \u2013<\/strong> Because the corruption takes place entirely in system RAM, the physical file on disk remains completely unchanged. This bypasses the traditional virtual file system (VFS) paths and file integrity monitoring tools. 
Once the page is evicted from memory, or after the system reboots, the cache is reloaded cleanly from disk, leaving no trace of the compromise.<\/li>\n<\/ul>\n<h4><a id=\"post-180721-_hjri8vmwraii\"><\/a>Exploit characteristics<\/h4>\n<p>What makes Copy Fail exceptionally severe compared with older Linux LPE vulnerabilities such as <a href=\"https:\/\/www.redhat.com\/es\/blog\/understanding-and-mitigating-dirty-cow-vulnerability\" target=\"_blank\" rel=\"noopener\">Dirty Cow<\/a> or <a href=\"https:\/\/access.redhat.com\/security\/vulnerabilities\/RHSB-2022-002\" target=\"_blank\" rel=\"noopener\">Dirty Pipe<\/a> is its combination of reliability and simplicity:<\/p>\n<ul>\n<li><strong>No race conditions or offsets \u2013<\/strong> It is a linear logic flaw that does not depend on winning a race window or on guessing memory offsets specific to a given kernel version.<\/li>\n<li><strong>100% reliability \u2013<\/strong> The exploit is deterministic and succeeds on the first attempt.<\/li>\n<li><strong>High portability \u2013<\/strong> The exploit can be run as a standalone 732-byte Python script that relies only on standard libraries (os, socket, zlib). It therefore requires neither compilation nor external dependencies. 
The same script works without modification on nearly every major Linux distribution released since 2017.<\/li>\n<\/ul>\n<h2><a id=\"post-180721-_zg1rezlvhwuy\"><\/a>Interim guidance for CVE-2026-31431<\/h2>\n<p>The vulnerability has been fixed in the upstream stable branches of the Linux kernel by reverting the defective optimization introduced in 2017, with commit <a href=\"https:\/\/git.kernel.org\/pub\/scm\/linux\/kernel\/git\/stable\/linux.git\/commit\/?id=a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5\" target=\"_blank\" rel=\"noopener\">a664bf3d603d<\/a>.<\/p>\n<p>If immediate patching is not possible, administrators should apply a temporary mitigation by disabling the affected <span style=\"font-family: 'courier new', courier, monospace;\">algif_aead<\/span> module. To do so, they can run the following commands as root to prevent the module from loading and to remove it from the running kernel:<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">echo \"install algif_aead \/bin\/false\" &gt; \/etc\/modprobe.d\/disable-algif.conf<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">rmmod algif_aead<\/span><\/li>\n<\/ul>\n<p>The Linux Foundation <a href=\"https:\/\/lore.kernel.org\/linux-cve-announce\/2026042214-CVE-2026-31431-3d65@gregkh\/\" target=\"_blank\" rel=\"noopener\">has published an advisory<\/a> with detailed information on mitigations for CVE-2026-31431.<\/p>\n<h2><a id=\"post-180721-_vgezw6a4uez\"><\/a>Unit 42 Managed Threat Hunting queries<\/h2>\n<p>The Unit 42 threat hunting team continues to actively monitor for attempts to exploit this CVE across our customers, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these queries to search for potential indicators of exploitation.<\/p>\n<pre class=\"lang:default decode:true\">\/\/ Title: CopyFail Detection via Non-root Launching su via Uncommon Parent Process\r\n\/\/ Description: Query looks for non-root users launching the switch user (su) process via a parent process other than the normally expected processes such as shells, sudo, or su itself. May identify false positives, yet works well for identification of potential CopyFail exploitation.\r\n\/\/ MITRE ATT&amp;CK TTP ID: T1068\r\n\r\ndataset = xdr_data\r\n| fields _time, agent_hostname, agent_os_type, event_type, event_sub_type, actor_effective_username, actor_effective_user_sid, actor_process_image_path, actor_process_image_name, actor_process_command_line, actor_process_image_sha256, action_process_image_name, action_process_image_command_line, action_process_user_sid\r\n| filter\r\n    event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START\r\n    and agent_os_type = ENUM.AGENT_OS_LINUX\r\n    and actor_effective_user_sid != \"0\"\r\n    and (\r\n        (action_process_image_name = \"su\" and action_process_image_command_line in (\"su\", \"\/usr\/bin\/su\"))\r\n        or (action_process_image_name in (\"bash\", \"sh\") and action_process_image_command_line ~= \"-c(?:\\s--)?\\ssu$\")\r\n    )\r\n    and actor_process_image_name not in (\"bash\", \"sh\", \"zsh\", \"ksh\", \"sudo\", \"su\")\r\n| comp earliest(_time) as first_seen, latest(_time) as last_seen, count() as execution_count, values(actor_effective_username) as actor_usernames, values(actor_process_image_path) as actor_image_paths, values(actor_process_command_line) as actor_cmd_lines, values(action_process_image_command_line) as action_cmd_lines, values(action_process_user_sid) as action_UIDs by agent_hostname, actor_process_image_name, actor_process_image_sha256<\/pre>\n<pre class=\"lang:default decode:true\">\/\/ Title: CopyFail Proof of Concept Code Execution\r\n\/\/ Description: Query looks for potential CopyFail proof of concept (POC) code execution via identifying potentially correlated curl and su process executions. May identify false positives, yet works well for identification of CopyFail POC provided by Xint.Code.\r\n\/\/ MITRE ATT&amp;CK TTP ID: T1068\r\n\r\nconfig case_sensitive = false\r\n| dataset = xdr_data\r\n| filter agent_os_type = ENUM.AGENT_OS_LINUX\r\n| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START\r\n| filter action_process_image_name in (\"curl\", \"su\")\r\n| bin _time span = 2m\r\n| filter action_process_image_command_line contains \"copy.fail\/exp\" or (action_process_image_command_line = \"su\" or action_process_image_command_line = \"\/usr\/bin\/su\")\r\n| fields _time, agent_id, event_id, agent_hostname, action_process_image_command_line, action_process_image_name, actor_process_instance_id\r\n| comp count() as event_count, values(agent_id) as agent_id, values(event_id) as event_id, values(action_process_image_name) as processes, values(action_process_image_command_line) as commands by agent_hostname, _time, actor_process_instance_id\r\n| filter processes contains \"su\" and processes contains \"curl\"<\/pre>\n<h2><a id=\"post-180721-_6kajjrwpgjuu\"><\/a>Conclusion<\/h2>\n<p>Given the volume of publicly available information, the ease of use of the Copy Fail exploit and its effectiveness, Palo Alto Networks strongly recommends applying the vendor-released kernel updates immediately. 
If that is not feasible, we recommend following the interim guidance to disable the vulnerable module until patches can be applied.<\/p>\n<p>This is all the more important because a highly reliable proof-of-concept (PoC) script is already publicly available and preliminary testing activity has been observed.<\/p>\n<p>Palo Alto Networks customers benefit from enhanced protection through our solutions, as detailed below.<\/p>\n<h2><a id=\"post-180721-_lqzcx8cug942\"><\/a>Palo Alto Networks product protections against CVE-2026-31431<\/h2>\n<p>Palo Alto Networks customers can rely on a broad range of built-in product protections and updates to identify and counter this threat.<\/p>\n<p>Do you think your organization has been compromised? Are you facing an emergency? 
Contact <a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">the Unit 42 Incident Response team<\/a> or call one of the following numbers:<\/p>\n<ul>\n<li>North America: Toll-free: +1 (866) 486-4842 (866.4.UNIT42)<\/li>\n<li>United Kingdom: +44 20 3743 3660<\/li>\n<li>Europe and Middle East: +31.20.299.3130<\/li>\n<li>Asia: +65.6983.8730<\/li>\n<li>Japan: +81 50 1790 0200<\/li>\n<li>Australia: +61.2.4062.7950<\/li>\n<li>India: 000 800 050 45107<\/li>\n<li>South Korea: +82.080.467.8774<\/li>\n<\/ul>\n<h3><a id=\"post-180721-_jlr298x3ynzm\"><\/a>Next-Generation Firewall with Advanced Threat Prevention<\/h3>\n<p><a href=\"https:\/\/docs.paloaltonetworks.com\/ngfw\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Next-Generation Firewalls<\/span><\/a> combined with the <a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-threat-prevention\/administration\" target=\"_blank\" rel=\"noopener\">Advanced Threat Prevention<\/a> security subscription can block the transmission of exploit scripts over the network with the following Threat Prevention signature: 97176 - Linux Kernel Privilege Escalation Vulnerability.<\/p>\n<h3><a id=\"post-180721-_2m49v0ag38qw\"><\/a>Cortex XDR and XSIAM<\/h3>\n<p>The Cortex XDR agent for Linux, starting with content update 2240-35441, includes detection and prevention capabilities for known samples associated with the Copy Fail vulnerability.<\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cortex-xdr?_gl=1*13pmp8e*_ga*NzQyNjM2NzkuMTY2NjY3OTczNw..*_ga_KS2MELEEFC*MTY2OTczNjA2MS4zMS4wLjE2Njk3MzYwNjEuNjAuMC4w\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> and <a href=\"https:\/\/www.paloaltonetworks.com\/resources\/datasheets\/cortex-xsiam-aag\" target=\"_blank\" rel=\"noopener\">XSIAM<\/a> help protect against pre-exploitation and post-exploitation activity through a multi-layered protection approach that includes <a href=\"https:\/\/docs.paloaltonetworks.com\/wildfire\" target=\"_blank\" rel=\"noopener\">Advanced WildFire<\/a>, <a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/r\/Cortex-XDR\/Cortex-XDR-3.x-Documentation\/Malware-protection\" target=\"_blank\" rel=\"noopener\">Endpoint Protection Modules<\/a> (EPM), Behavioral Threat Protection and the Local Analysis module.<\/p>\n<h3><a id=\"post-180721-_m5cvrg1ww3e6\"><\/a>Cortex Cloud<\/h3>\n<p><a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/r\/Cortex-CLOUD\/Cortex-Cloud-Runtime-Security-Documentation\/Endpoint-protection\" target=\"_blank\" rel=\"noopener\">Cortex Cloud endpoint protection<\/a> can help organizations protect against the threats described in this article. <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/cloud-security\/visibility-governance-automation\/\" target=\"_blank\" rel=\"noopener\">Cortex Cloud 2.1 can<\/a> detect and prevent malicious operations through behavioral and AI-driven analytics that identify cases where attackers target Linux endpoints, including containers and virtual machines. 
The solution can also detect abuse of cloud platform IAM policies associated with these targeted endpoints, and alert teams when assets are vulnerable to these threats.<\/p>\n<p><em>Updated May 6, 2026, at 3:15 p.m. PT to expand the coverage for Cortex XDR and XSIAM, and to add Next-Generation Firewalls with Advanced Threat Prevention.<\/em><\/p>\n<p><em>Updated May 7, 2026, at 2:00 p.m. PT to change the Cortex XDR content version.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Copy Fail (CVE-2026-31431) is a critical local privilege escalation (LPE) flaw in the Linux kernel that enables stealthy root access. The threat affects millions of systems. Read our analysis.<\/p>\n","protected":false},"author":366,"featured_media":180194,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[8769,8850],"tags":[9226,10098,9294,9846,10099,10101,10100],"product_categories":[9041,9046,9053,9064,9151],"coauthors":[9896],"class_list":["post-180721","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-top-cyberthreats-fr","category-vulnerabilities-fr","tag-containers-fr","tag-cve-2026-31431","tag-kubernetes-fr","tag-linux-fr","tag-local-privilege-escalation","tag-page-cache","tag-vulnerability","product_categories-cortex-fr","product_categories-cortex-cloud-fr","product_categories-cortex-xdr-fr","product_categories-cortex-xsiam-fr","product_categories-unit-42-incident-response-fr"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Copy Fail : anatomie de 
la faille Linux la plus critique de ces derni\u00e8res ann\u00e9es<\/title>\n<meta name=\"description\" content=\"Copy Fail (CVE-2026-31431) est une faille critique d\u2019escalade locale des privil\u00e8ges (LPE) dans le noyau Linux, qui permet d\u2019obtenir un acc\u00e8s root furtif. Et cette menace affecte des millions de syst\u00e8mes. Retrouvez notre analyse.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/fr\/cve-2026-31431-copy-fail\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Copy Fail : anatomie de la faille Linux la plus critique de ces derni\u00e8res ann\u00e9es\" \/>\n<meta property=\"og:description\" content=\"Copy Fail (CVE-2026-31431) est une faille critique d\u2019escalade locale des privil\u00e8ges (LPE) dans le noyau Linux, qui permet d\u2019obtenir un acc\u00e8s root furtif. Et cette menace affecte des millions de syst\u00e8mes. Retrouvez notre analyse.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unit42.paloaltonetworks.com\/fr\/cve-2026-31431-copy-fail\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-05T19:56:49+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-14T20:07:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2026\/05\/05_Vulnerabilities_1920x900-2-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Justin Moore\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Copy Fail : anatomie de la faille Linux la plus critique de ces derni\u00e8res ann\u00e9es","description":"Copy Fail (CVE-2026-31431) est une faille critique d\u2019escalade locale des privil\u00e8ges (LPE) dans le noyau Linux, qui permet d\u2019obtenir un acc\u00e8s root furtif. Et cette menace affecte des millions de syst\u00e8mes. Retrouvez notre analyse.","canonical":"https:\/\/unit42.paloaltonetworks.com\/fr\/cve-2026-31431-copy-fail\/","og_locale":"fr_FR","og_type":"article","article_published_time":"2026-05-05T19:56:49+00:00","article_modified_time":"2026-05-14T20:07:36+00:00","author":"Justin Moore","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","author":{"name":"Sheida Azimi"},"wordCount":2060,"keywords":["Containers","CVE-2026-31431","Kubernetes","Linux","local privilege escalation","page cache","vulnerability"],"articleSection":["Menaces de grande envergure","Vuln\u00e9rabilit\u00e9s"],"inLanguage":"fr-FR"}]}}}