cozystack

BPF-LSM mitigation for CVE-2026-31431 (Copy Fail) — denies AF_ALG socket creation cluster-wide

Found May 03, 2026 at 19 stars.
AI Summary

This project deploys a lightweight guard across Kubernetes clusters that denies creation of AF_ALG sockets, the kernel crypto API pathway used by the CVE-2026-31431 (Copy Fail) exploit.

How It Works

1. 🔍 Hear about a security risk: You learn about a hidden flaw in server software that could let attackers gain full control.
2. 🛡️ Find this protector: You discover a handy tool that stops this flaw by blocking a dangerous feature, without restarting your servers.
3. 📥 Grab the setup: You download a ready-to-use file that makes it easy to add protection to your whole server group.
4. 🚀 Switch it on: In moments, you activate the shield across every machine in your setup, feeling instant peace of mind.
5. 🔍 Test the block: You run a simple check to confirm nothing sneaky can get through anymore.

🏆 Servers secured: Your system is now safe from that attack until the official update comes, keeping everything running smoothly.

AI-Generated Review

What is copy-fail-blocker?

This BPF-LSM blocker deploys as a Kubernetes DaemonSet to deny AF_ALG socket creation cluster-wide, mitigating CVE-2026-31431 (Copy Fail), a privilege-escalation bug that lets unprivileged users overwrite setuid binaries via the kernel crypto API. Built in Go with BPF C programs and a Makefile for easy builds, it attaches to the socket_create LSM hook and returns EPERM for any AF_ALG socket creation attempt, regardless of the caller's capabilities or namespace. Users get a no-reboot defense that works on kernels with BPF_LSM enabled, such as those shipped by Talos Linux.

Why is it gaining traction?

It stands out with host-wide coverage without reboots or custom kernels, unlike module blacklists or per-pod seccomp profiles, making it well suited to quick cluster-wide mitigation until patches land. The Makefile handles image builds, Helm deploys, and manifest generation, while a simple Python test verifies blocking instantly. Low overhead (5m CPU, 16Mi RAM) and a critical priority class ensure it is scheduled reliably, including on tainted nodes.

Who should use this?

Kubernetes cluster operators on Talos or BPF_LSM-enabled kernels facing CVE-2026-31431 exposure in multi-tenant setups. Security teams bridging kernel patch gaps without disrupting production. DevOps engineers securing nodes against local exploits relying on AF_ALG splice tricks.

Verdict

Grab it for interim protection: deploy via kubectl apply or make apply, verify with the Python snippet, and monitor for DaemonSet pod restarts, since each restart opens a brief unprotected window on that node. At 19 stars and 1.0% credibility, it's early, but the docs are thorough and verifiable; test in staging before prod.
