“reject the privilege escalation in real time. the vulnerability for a full technical breakdown of the root cause, the scatterlist mechanics, and the disclosure timeline, read theori’s excellent writeup at xint.io/blog/copy-fail-linux-distributions. in this blog post …”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1059.004 Unix Shell
92%
“##ve("/bin/sh", null, null). the clean exit (offsets 0x8f to 0x94): 8f: 31 ff xor %edi,%edi 91: 6a 3c push $0x3c 93: 58 pop %rax 94: 0f 05 syscall if execve somehow fails, the payload calls exit(0) (syscall 60) rather than crashing. the hardcoded string (…”
T1611 Escape to Host
91%
“responded with: -1 process 27419 (su) attempting setuid(0)...... kernel responded with: 0 the -1 response (eperm) correspond to the run where strace was attached. when ptrace is active on a process that executes a suid binary, the kernel preemptively strips the suid pr…”
T1611 Escape to Host
82%
“the entire malicious elf payload is staged into the page cache. at the end: 170 execve("/usr/sbin/su", ["su"], 0x559f5d7fbe50 /* 22 vars */) = 0 170 execve("/bin/sh", null, null) = 0 the script executes su, which loads from the corrupted page cache and ru…”
T1611 Escape to Host
78%
“##c/self/uid_map 0 1000 1 1 100000 65536 65537 524288 65536 the first line is the critical one: 0 1000 1 means uid 0 (root) inside the container is mapped to uid 1000 on the host — my unprivileged podman user. the remaining lines map the subordinate uid ranges we configu…”
T1611 Escape to Host
75%
“cve-2026-31431: copy fail vs. rootless containers cve-2026-31431: copy fail vs. rootless containers 04 may 2026 table of contents - table of contents - introduction - the vulnerability - analyzing the shellcode - setting up the lab - setting up rootless podman - running…”
T1610 Deploy Container
74%
“-initrd-inject=/tmp/vm.ks \ --extra-args="inst.ks=file:/vm.ks console=ttys0,115200n8" \ --graphics none setting up rootless podman on the fedora vm, i configured rootless podman following the same patterns we use on gnome’s gitlab runners — a dedica…”
T1068 Exploitation for Privilege Escalation
73%
“unprivileged uids on the host. the kernel allows setuid(0) to succeed because uid 0 inside the namespace is a valid identity — but it is mapped to an unprivileged host user. as we verify in the uid_map proof section below, container root (uid 0) maps directly to uid 1000 o…”
T1055.001 Dynamic-link Library Injection
63%
“0x80 to 0x8d): 80: 48 8d 3d 0f 00 00 00 lea 0xf(%rip),%rdi 87: 31 f6 xor %esi,%esi 89: 6a 3b push $0x3b 8b: 58 pop %rax 8c: 99 cltd 8d: 0f 05 syscall lea 0xf(%rip),%rdi is a rip-relative load — it looks 15 bytes ahead of the current instruction pointer,…”
T1610 Deploy Container
57%
“##c/self/uid_map 0 1000 1 1 100000 65536 65537 524288 65536 the first line is the critical one: 0 1000 1 means uid 0 (root) inside the container is mapped to uid 1000 on the host — my unprivileged podman user. the remaining lines map the subordinate uid ranges we configu…”
T1055.001 Dynamic-link Library Injection
43%
“raw_payload) print(f"payload extracted: {len(raw_payload)} bytes") running file on the extracted binary confirms what we expect: shellcode.bin: elf 64-bit lsb executable, x86-64, version 1 (sysv), statically linked... this is not raw shellcode — it is a …”
T1027 Obfuscated Files or Information
42%
“raw_payload) print(f"payload extracted: {len(raw_payload)} bytes") running file on the extracted binary confirms what we expect: shellcode.bin: elf 64-bit lsb executable, x86-64, version 1 (sysv), statically linked... this is not raw shellcode — it is a …”
T1068 Exploitation for Privilege Escalation
36%
“to. setting up the lab to reproduce the vulnerability i provisioned a fedora 43 vm using virt-install. the kernel i had installed was 6.17.1-300.fc43.x86_64, which predates the fix entirely — the patch was backported into the stable 6.19.x tree starting with 6.19.12…”
T1014 Rootkit
33%
“4 step by step: - the script creates an af_alg socket — the kernel’s userspace cryptographic api, available to unprivileged users by default - it binds to authencesn(hmac(sha256),cbc(aes)), the specific cipher whose esn scratch write triggers the bug sendmsg delive…”