Lab walkthrough of CVE-2026-31431 (“Copy Fail”) showing how rootless Podman’s user namespace UID mapping blocks the privilege escalation on GNOME’s GitLab runners.
Key Takeaways
The exploit uses AF_ALG sockets (authencesn/hmac-sha256/cbc-aes) and splice() to write shellcode into the /usr/bin/su page cache without touching the filesystem or requiring write permissions.
The embedded payload is a fully formed ELF binary using ELF golfing (stripped section headers) that calls setuid(0) then execve(“/bin/sh”); objdump -D -b binary -m i386:x86-64 is required to disassemble it.
Inside a rootless Podman container, setuid(0) returns 0 (success), but the container’s UID 0 maps to host UID 1000 (the podman user), so no real privilege escalation reaches the host.
strace misses the setuid(0) call due to secureexec stripping SUID bits when ptrace is attached; bpftrace on the host via tracepoint:syscalls:sys_exit_setuid is the correct observation method.
Vulnerable kernel range: 6.17.x and earlier; fix backported into the stable 6.19.x tree starting at 6.19.12.
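As an added example (not code from the walkthrough), a POSIX shell check a defender can run inside a container to see what the UID-mapping takeaway above means in practice: it resolves container UID 0 through /proc/self/uid_map the way the kernel does, so a rootless Podman mapping such as 0→1000 is reported as not reaching host root. The uid_map contents below are constructed samples; function names are my own.

```shell
#!/bin/sh
# Map a container-side UID to the host UID through a uid_map file.
# Each line is: <inside start> <outside start> <length>.
# Prints the host UID, or "unmapped" when no range covers the UID.
map_uid() {
    inside="$1"
    mapfile="${2:-/proc/self/uid_map}"
    while read -r in_start out_start len; do
        [ -z "$in_start" ] && continue
        if [ "$inside" -ge "$in_start" ] && [ "$inside" -lt $((in_start + len)) ]; then
            echo $((out_start + (inside - in_start)))
            return 0
        fi
    done < "$mapfile"
    echo unmapped
    return 0
}

# Report whether in-container root is real host root.
# Prints "real-root" when container UID 0 maps to host UID 0,
# "rootless (host uid N)" when it maps elsewhere, or "no-root-mapping".
root_reach() {
    host="$(map_uid 0 "${1:-/proc/self/uid_map}")"
    if [ "$host" = unmapped ]; then
        echo "no-root-mapping"
    elif [ "$host" -eq 0 ]; then
        echo "real-root"
    else
        echo "rootless (host uid $host)"
    fi
}

# Constructed sample: a rootless Podman map where the podman user
# (host uid 1000) is container root and its subuid range follows.
ROOTLESS_MAP="$(mktemp)"
printf '         0       1000          1\n         1     100000      65536\n' > "$ROOTLESS_MAP"

# Constructed sample: the identity map seen on the host or in a
# container started by real root (UID 0 really is UID 0).
HOST_MAP="$(mktemp)"
printf '         0          0 4294967295\n' > "$HOST_MAP"

# Usage: show the verdict for both samples, then for the current process.
root_reach "$ROOTLESS_MAP"   # rootless (host uid 1000)
root_reach "$HOST_MAP"       # real-root
root_reach
```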