Flashbox Incident Report: April 30, 2026

What happened

On April 30 we identified that Flashbox images built before that date were running an unpatched Linux kernel affected by CVE-2026-31431 (copy.fail), publicly disclosed the day before. As a precaution, we paused orderflow streaming to production Flashboxes while we scoped the impact and communicated the change to Flashbox searchers. We then shipped a kernel bump that includes the upstream fix and rebuilt the images. Orderflow streaming resumed once searchers migrated to the rebuilt image.

Root Cause

CVE-2026-31431 (copy.fail) was publicly disclosed on April 29. The bug is in the Linux kernel’s algif_aead interface: an unprivileged user who can call socket(AF_ALG, SOCK_SEQPACKET, 0) and splice() can write 4 bytes into any page-cache page of a file they can read, via the authencesn AEAD’s ESN rearrangement. Flashbox was running an unpatched Debian 6.18 kernel with CONFIG_CRYPTO_USER_API_AEAD=y, which exposes that entry point.

In simpler terms: this class of bug lets a process running as an unprivileged local user, including one inside a container, escalate to root on the host, which would effectively be a container escape with full system access.

Timeline (UTC)

  • April 29 - CVE-2026-31431 disclosed (xint.io, copy.fail, oss-security).
  • April 30, ~08:00 - Internal investigation of impact on Flashbox begins. Orderflow streaming to production Flashboxes paused as a precaution; change communicated to Flashbox searchers.
  • April 30, ~09:30 - Investigation continues; no exploitation observed on the deployed image.
  • April 30, ~10:30 - Fix scoped: kernel bump to Debian’s 6.19 backport.
  • April 30, ~11:30 - PR #138 merged (KERNEL_VERSION 6.18 → 6.19, snapshot 20260301T083349Z → 20260430T025253Z).
  • April 30, ~13:00 - Rebuilt images deployed. Flashbox searchers migrated to the rebuilt image. Functional testing passed. Orderflow streaming resumed.

Impact

  • All Flashbox images built before April 30 carry an unpatched kernel exposing the copy.fail primitive.
  • No exploitation observed.
  • Orderflow streaming to production Flashboxes was paused for the duration of the response.
  • Flashbox searchers were migrated to the rebuilt image.

Resolution

PR #138 bumps KERNEL_VERSION to 6.19 and the Debian snapshot to 20260430T025253Z. That pulls linux-source-6.19_6.19.13-1~bpo13+1 from trixie-backports, whose changelog carries the upstream fix a664bf3d603d (“crypto: algif_aead - Revert to operating out-of-place”) and its authencesn follow-up. Distribution remains Debian trixie; only the kernel package source moved to the 6.19 line that already includes the fix.

Lessons Learned

What went well

  • Layered defenses already in place on the image (mount-namespace boundary, restricted searchersh shell, narrow sudo allow-list, RAM-backed rootfs) provided defense in depth alongside the unpatched kernel.
  • Pausing orderflow streaming during the response window kept Flashbox searchers informed and limited exposure while the fix was prepared.
  • Within 3-4 hours we triaged the issue, fixed it, merged the fix, rebuilt the images and resumed normal Flashbox operations.

What we’re improving

  • The searcher container already runs under a custom seccomp profile. We are extending it to explicitly block the AF_ALG socket family, the entry point used by this attack class, as a follow-up.
  • Beyond this fix, we are continuing to invest in kernel- and image-level hardening as part of ongoing security work.
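The AF_ALG block described in the seccomp bullet above, written as a Docker/containerd-style seccomp profile. This is an added example, not Flashbox's own profile; it assumes the runtime consumes Docker seccomp JSON and that the existing custom profile is allow-by-default (the `SCMP_ACT_ALLOW` default here stands in for that profile's real rules), with AF_ALG being socket family 38 and EAFNOSUPPORT errno 97 on Linux.

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "comment": "Deny socket(AF_ALG, ...) so algif_* interfaces are unreachable from the container. Returning EAFNOSUPPORT (97) makes callers see the same error as on a kernel built without AF_ALG.",
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 97,
      "args": [
        {
          "index": 0,
          "value": 38,
          "op": "SCMP_CMP_EQ"
        }
      ]
    },
    {
      "comment": "On 32-bit ABIs socket() is multiplexed through socketcall(), whose family argument lives behind a pointer seccomp cannot inspect; deny the whole syscall there if those architectures are enabled.",
      "names": ["socketcall"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 97
    }
  ]
}
```

To confirm the rule is effective, run a process inside the container that attempts `socket(AF_ALG, SOCK_SEQPACKET, 0)` and verify it fails with `EAFNOSUPPORT` rather than returning a file descriptor.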