## https://sploitus.com/exploit?id=07EABEDC-F8C9-564C-BDD6-BE96F74F2F83
# CVE-2026-31431 ("Copy Fail") - Advanced LPE Proof-of-Concept - C Rewrite




An advanced, byte-perfect Local Privilege Escalation (LPE) Proof-of-Concept (PoC) for **CVE-2026-31431**, exploiting a logic flaw in the Linux kernel's cryptography subsystem (`algif_aead`).
This repository contains a highly optimized C implementation that reliably overwrites read-only Page Cache memory by manipulating the `AF_ALG` socket interface and the `splice()` system call.
## Vulnerability Overview
The vulnerability, dubbed "Copy Fail", allows an unprivileged local attacker to force the kernel to write cryptographic operation outputs directly into the memory-mapped pages of any file on the system. By targeting `/usr/bin/su`, this PoC achieves a zero-copy memory injection, granting an instant root shell without modifying the physical binary on disk.
## Cross-Distro Research & Compatibility Matrix
Extensive testing has been conducted across various modern Linux distributions to determine the exploitability window and observe patch behaviors.
| Operating System | Kernel Version | Vulnerable? | Observation / Root Cause |
| :--- | :--- | :---: | :--- |
| **Kali Linux 2026.1** | `6.18.12+kali-amd64` | โ **Yes** | Perfect exploitation. Root shell achieved. |
| **Linux Mint 22.3** | `6.14.0-37-generic` | โ **Yes** | Perfect exploitation. Root shell achieved. |
| **Ubuntu 22.04.5 LTS** | `6.8.0-111-generic` | โ **Yes** | Perfect exploitation. Root shell achieved. |
| **Ubuntu 24.04.4 LTS** | `6.8.0-111-generic` | โ **No** | `Protocol not available`. The OS restricts/disables the required `AF_ALG` netlink operations by default. |
| **Kali Linux 2026.1** | `6.19.14+kali-amd64` | โ **No** | **Patched (Silent Failure)**. `su` requests password normally. |
| **Ubuntu 26.04 LTS** | `7.0.0-15-generic` | โ **No** | **Patched (Silent Failure)**. `su` requests password normally. |
### Patch Analysis (The "Silent Failure")
On patched kernels (e.g., `6.19.14+` and `7.0.0+`), the exploit executes without crashing or throwing `EINVAL` (Silent Failure). The kernel successfully parses the raw Netlink `rtattr` headers but correctly enforces `VM_MAYWRITE` page permissions during the `splice()` write-back phase. It silently allocates a safe buffer instead of overwriting the read-only Page Cache of `/usr/bin/su`.
## Usage
### Compilation
```bash
gcc copy_fail_exp.c -o copy_fail_exp
chmod +x copy_fail_exp
```
### Running
```bash
./copy_fail_exp
```
### Expected Output (Vulnerable System):
```bash
[*] CVE-2026-31431 Research - Ultimate C Implementation
[+] Page Cache completely overwritten.
[+] Detonating modified binary...
# whoami
root
```
## Reference
- https://copy.fail/
- CVE-2026-31431
## Disclaimer
This code is released strictly for educational, defensive research, and threat modeling purposes. Do not execute this on production systems or any environment where you lack explicit authorization.