## https://sploitus.com/exploit?id=190CD5FA-441F-52DB-93FA-E3F513533028
## Vulnerability Overview
| Item | Content |
| ------------- | ---------------------------------------------------- |
| CVE Number | CVE-2026-31431 |
| Vulnerability Name | Copy Fail |
| Vulnerability Type | Linux Kernel Local Elevation (LPE) |
| CVSS Score | 7.8 (HIGH) |
| CWE | CWE-669: Incorrect Resource Transfer Between Spheres |
| Impact Scope | All Linux kernels built between 2017 and 2026-04 |
| CISA KEV | Listed; Fixing date: 2026-05-15 |
| Public Date | 2026-04-29 |
### Vulnerability Details
In 2017, an in-place optimization was introduced in the `algif_aead` encryption module of the kernel. This optimization caused page-cache entries to be incorrectly placed in writable target scatterlists. An attacker can use the `AF_ALG` socket combined with the `splice()` system call to write data to the page cache of any file, including all read-only files owned by the root user. **Attack Chain**: `AF_ALG socket` β `splice()` β page-cache writing primitive β tampering with setuid binary filesβ page caches β executing the file to gain root privileges.
**Characteristics of the attack:**
- No race conditions (direct logical flaws)
- No need for kernel debugging features
- No need for specific architecture offsets
- The exploit script is only ~732 bytes in size, effective across all mainstream distributions
---
## Impacted Distributions
### Verified Impacted Distributions
| Distribution | Affected Kernel Versions |
|------------------|-----------------------------------------|
| Ubuntu 24.04 LTS | 6.17.0-1007-aws |
| Amazon Linux 2023 | 6.18.8-9.213.amzn2023 |
| RHEL 10.1 | 6.12.0-124.45.1.el10_1 |
| SUSE 16 | 6.12.0-160000.9-default |
The same range of kernels is also affected in distributions like Debian, Arch, Fedora, Rocky, Alma, Oracle, etc. ### Affected Kernel Version Range
All kernel versions below the following repair levels are affected:
| Stable Branch | Minimum Repair Version |
|----------------|------------------------|
| 5.10.x | β₯ 5.10.254 |
| 5.15.x | β₯ 5.15.204 |
| 6.1.x | β₯ 6.1.170 |
| 6.6.x | β₯ 6.6.137 |
| 6.12.x | β₯ 6.12.85 |
| 6.18.x | β₯ 6.18.22 |
| 6.19.x | β₯ 6.19.12 |
| 7.0.x | β₯ 7.0-rc7 |
---
## Troubleshooting Steps
### 1. Check Kernel Version
```bash
uname -r
```
Compare the output with the repair versions listed above. If the version is lower, it indicates an impact. ### 2. Check AF_ALG Connections
```bash
# Check if there are AF_ALG connections currently
lsof | grep AF_ALG
# Check the status of AF_ALG sockets
ss -xa | grep alg
```
### 3. Check Whether the algif_aead Module Is Loaded
```bash
lsmod | grep algif_aead
```
If any output appears, it indicates that the module is loaded, and there is a risk of exploitation. ### 4. Vulnerability Verification (Only in Authorized Testing Environment)
```bash
# Clone the PoC repository
cd copy-fail-CVE-2026-31431
# Run the PoC (requires non-privileged user access)
python3 copy_fail_exp.py
```
If the PoC successfully gains root shell, it indicates that the system has this vulnerability.