Authencesn Crypto Module Load via Modprobe - Copy-Fail Indicator — Detection Rule
Detects kernel auto-loading of the authencesn crypto module via modprobe This occurs when user-space code creates an AF_ALG socket and binds the authencesn AEAD cipher (e.g., authencesn(hmac(sha256),cbc(aes))). The kernel invokes modprobe to load the crypto module. This is a key indicator of CVE-2026-31431 (Copy Fail) exploitation, where the authencesn cipher is used to trigger a buffer overflow in the AF_ALG AEAD splice path, corrupting the page cache of SUID binaries for local privilege escalation. On Linux systems, modprobe is typically a symlink to kmod, so the process image will be /usr/bin/kmod (or /bin/kmod) with 'modprobe' appearing in the command line.