# CVE-2026-31431

## Description

[CVE-2026-31431](https://nvd.nist.gov/vuln/detail/CVE-2026-31431), also known as [Copy Fail](https://copy.fail), is a local privilege escalation vulnerability in the Linux kernel's `algif_aead` crypto subsystem. A logic flaw in `authencesn`, combined with the `AF_ALG` socket family and the `splice()` system call, allows an unprivileged local user to perform a 4-byte page-cache write that leads to full root access. The exploit is reliable, requires no race conditions or kernel-specific offsets, and affects every Linux kernel built since 2017. It carries a CVSS v3.1 score of **7.8 (HIGH)** and was added to the CISA KEV catalog on May 1, 2026.

## Impact

There is no downtime expected from this change. The `algif_aead` kernel module is unloaded on all nodes and blacklisted so it cannot be reloaded. A filesystem cache flush is performed afterward to ensure a clean state.

## Changes

- Places a boot hook (`00-copy-fail-mitigation`) on the shared storage at `/mnt/jrc-comms/hooks/boot.d/` so the mitigation is applied automatically on every instance boot, even after AMI replacements.
- The hook blacklists the `algif_aead` module via `/etc/modprobe.d/p013c-disable-algif_aead.conf` and unloads it if currently loaded.
- Runs the hook immediately on all nodes so the mitigation takes effect without waiting for a reboot.
- Flushes filesystem caches on all nodes after the mitigation is applied.
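
A per-node check for the state these changes are meant to produce, as an added example rather than the hook shipped with this change. The page does not show the contents of the modprobe.d file, so the rule forms checked (`blacklist`, and `install ... /bin/false` or `/bin/true`), the function names and the `--live` switch are assumptions.

```shell
#!/bin/sh
# Added example (not the page's hook): audit one node for the algif_aead mitigation.
# File locations are arguments so the checks also run against test fixtures.
MODULE=algif_aead

# module_loaded <modules_file>: succeeds if MODULE is the first field of any
# line in a /proc/modules-format file.
module_loaded() {
    awk -v m="$MODULE" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# modprobe_policy <modprobe.d dir>: prints the strongest rule found for MODULE.
#   install   - "install <module> /bin/false" (or /bin/true): blocks loading by name
#   blacklist - only "blacklist <module>": modprobe ignores the module's aliases,
#               but an explicit "modprobe <module>" still loads it (modprobe.d(5))
#   none      - no rule present
# Comments are stripped and "-" is treated as "_" in module names, as modprobe does.
modprobe_policy() {
    { cat "$1"/*.conf 2>/dev/null || true; } | awk -v m="$MODULE" '
        { sub(/#.*/, ""); name = $2; gsub(/-/, "_", name) }
        $1 == "install" && name == m && $3 ~ /^\/(usr\/)?bin\/(false|true)$/ { inst = 1 }
        $1 == "blacklist" && name == m { bl = 1 }
        END { print (inst ? "install" : (bl ? "blacklist" : "none")) }'
}

# audit_node <modules_file> <modprobe.d dir>
# Returns 0 = not loaded and install rule, 2 = not loaded but blacklist only,
# 1 = module loaded or no rule at all.
audit_node() {
    policy=$(modprobe_policy "$2")
    if module_loaded "$1"; then
        echo "FAIL: $MODULE is loaded (policy: $policy)"; return 1
    fi
    case $policy in
        install)   echo "OK: $MODULE not loaded; install rule blocks loading" ;;
        blacklist) echo "WARN: $MODULE not loaded; blacklist rule only"; return 2 ;;
        *)         echo "FAIL: $MODULE not loaded, but no modprobe.d rule found"; return 1 ;;
    esac
}

# On a real node: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_node /proc/modules /etc/modprobe.d
fi
```

Run it with `--live` on each node after the hook has executed; a nonzero exit status marks a node that needs attention.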

## If You Accept

The `algif_aead` kernel module will be unloaded and blacklisted across all instances, closing this attack vector. The boot hook ensures the mitigation persists across reboots and new instances. Once a patched kernel is rolled out, the hook is harmless to leave in place.

## If You Reject

The `algif_aead` module will remain loaded, leaving your instances vulnerable to local privilege escalation by any unprivileged user with shell access.
