Share
## https://sploitus.com/exploit?id=06A42047-9953-5C30-B971-3122F29C5C02
# Copy-Fail Exploit (CVE-2026-31431)

Local privilege escalation exploit targeting a Linux kernel copy-on-write vulnerability via AF_ALG sockets and splice operations.

---

## Overview

This exploit abuses a kernel-level memory corruption condition in the Linux crypto subsystem (`AF_ALG`) combined with zero-copy mechanisms (`splice`) to modify a privileged binary in memory.

By patching `/usr/bin/su` at runtime, it allows escalation to root without requiring valid credentials.

---

## Usage
Compile statically to be able to use in any Linux environment with no need of Python or aditional libraries.

```bash
gcc -o exploit exploit.c -lz -static
./exploit
```
---

## How It Works

1. Opens `/usr/bin/su`
2. Creates an `AF_ALG` AEAD socket
3. Triggers kernel memory corruption via crafted socket operations
4. Uses `splice()` syscalls for zero-copy memory manipulation
5. Overwrites authentication logic in memory
6. Executes patched `su` to obtain root shell

---

## Requirements

- Vulnerable Linux kernel version
- `CONFIG_CRYPTO_USER_API_AEAD` enabled
- User namespaces permitted
- Local shell access

---

## Detection & Mitigation

- Patch to a fixed kernel version once available
- Disable unprivileged user namespaces if not required:

    sysctl -w kernel.unprivileged_userns_clone=0

- Monitor suspicious use of:
  - `AF_ALG` sockets
  - `splice()` syscalls
- Apply kernel hardening (LSM, seccomp, etc.)

---

## Disclaimer

**For educational and authorized security research purposes only.**  
Unauthorized use of this exploit may violate applicable laws.
**I do not own the original code nor was the one to found the CVE.**

---

## Reference

- CVE: CVE-2026-31431  
- Component: Linux Kernel (`AF_ALG` / crypto subsystem)  
- Class: Use-After-Free / Copy-On-Write corruption