Blocking Copy Fail (CVE-2026-31431) in Kubernetes with Tetragon
Summary
This article details the Copy Fail CVE (CVE-2026-31431) impacting AF_ALG in the Linux kernel and its potential to escalate privileges in multi-tenant Kubernetes clusters. It explains practical mitigations: blocking AF_ALG at the syscall level with Tetragon using kprobes, using modprobe blacklist, and applying kernel patches when available. The piece also includes a deployment guide for Tetragon on AKS/EKS/GKE and a sample policy to block AF_ALG, plus notes on limitations and verification across different providers.
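As an illustration of the syscall-level block described above, here is a minimal Tetragon TracingPolicy. It is an example added here, not the policy from the article; the policy name is hypothetical, and it assumes a node kernel built with CONFIG_BPF_KPROBE_OVERRIDE, which Tetragon's Override action requires on syscall kprobes.

```yaml
# Added example (not the article's own policy): deny creation of AF_ALG sockets.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: block-af-alg            # hypothetical name
spec:
  kprobes:
  - call: "sys_socket"          # socket(2); Tetragon resolves the arch-specific symbol
    syscall: true
    args:
    - index: 0                  # first argument: address family (domain)
      type: "int"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "38"                  # AF_ALG is 38 on Linux
      matchActions:
      - action: Override        # needs CONFIG_BPF_KPROBE_OVERRIDE in the node kernel
        argError: -1            # socket(2) returns -1 (EPERM) to the caller
```

Because a TracingPolicy is cluster-scoped, this applies on every node where Tetragon runs; workloads that legitimately use the kernel crypto API through AF_ALG will see socket creation fail.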