THREATOPS
THREAT OPSThreat News › From Exploit Code to Production Detection: Building a CVE-2026-31431 (Copy Fail) detection with Agents

From Exploit Code to Production Detection: Building a CVE-2026-31431 (Copy Fail) detection with Agents

lowdatadog_seclabsPublished 2026-05-28

CVE-2026-31431 (Copy Fail) lets any unprivileged user corrupt the Linux page cache via AF_ALG sockets to escalate privileges. This post covers the exploit mechanics and how Datadog Security Research used coding agents to ship a detection content pack in a single session.

Indicators of compromise

Original source: https://securitylabs.datadoghq.com/articles/cve-2026-31431-copy-fail-exploit-detection-with-agents/