## https://sploitus.com/exploit?id=06A42047-9953-5C30-B971-3122F29C5C02
# Copy-Fail Exploit (CVE-2026-31431)
Local privilege escalation exploit targeting a Linux kernel copy-on-write vulnerability via AF_ALG sockets and splice operations.
---
## Overview
This exploit abuses a kernel-level memory corruption condition in the Linux crypto subsystem (`AF_ALG`) combined with zero-copy mechanisms (`splice`) to modify a privileged binary in memory.
By patching `/usr/bin/su` at runtime, it allows escalation to root without requiring valid credentials.
---
## Usage
Compile statically to be able to use in any Linux environment with no need of Python or aditional libraries.
```bash
gcc -o exploit exploit.c -lz -static
./exploit
```
---
## How It Works
1. Opens `/usr/bin/su`
2. Creates an `AF_ALG` AEAD socket
3. Triggers kernel memory corruption via crafted socket operations
4. Uses `splice()` syscalls for zero-copy memory manipulation
5. Overwrites authentication logic in memory
6. Executes patched `su` to obtain root shell
---
## Requirements
- Vulnerable Linux kernel version
- `CONFIG_CRYPTO_USER_API_AEAD` enabled
- User namespaces permitted
- Local shell access
---
## Detection & Mitigation
- Patch to a fixed kernel version once available
- Disable unprivileged user namespaces if not required:
sysctl -w kernel.unprivileged_userns_clone=0
- Monitor suspicious use of:
- `AF_ALG` sockets
- `splice()` syscalls
- Apply kernel hardening (LSM, seccomp, etc.)
---
## Disclaimer
**For educational and authorized security research purposes only.**
Unauthorized use of this exploit may violate applicable laws.
**I do not own the original code nor was the one to found the CVE.**
---
## Reference
- CVE: CVE-2026-31431
- Component: Linux Kernel (`AF_ALG` / crypto subsystem)
- Class: Use-After-Free / Copy-On-Write corruption