Table of Contents Table of Contents Introduction The vulnerability Analyzing the shellcode Setting up the lab Setting up rootless Podman Running the exploit inside a container Tracing the exploit mechanism Why rootless containers stopped the escalation Catching the kernel in the act with eBPF The uid_map proof Conclusions Introduction In the previous post about SELinux MCS and GitLab runners, I briefly mentioned CVE-2026-31431 (“Copy Fail”) as a motivating example for per-job VM isolation. After that post went out I spent the weekend setting up a lab to actually run the exploit, trace it at the syscall level, and verify that the rootless Podman architecture we deploy on GNOME’s runners would contain it. This post documents the entire process: from disassembling the shellcode to watching the kernel reject the privilege escalation in real time.…