Share
## https://sploitus.com/exploit?id=190CD5FA-441F-52DB-93FA-E3F513533028
## Vulnerability Overview

| Item          | Content                                                 |
| ------------- | ---------------------------------------------------- |
| CVE Number    | CVE-2026-31431                                       |
| Vulnerability Name | Copy Fail                                          |
| Vulnerability Type | Linux Kernel Local Elevation (LPE)       |
| CVSS Score    | 7.8 (HIGH)                                           |
| CWE           | CWE-669: Incorrect Resource Transfer Between Spheres |
| Impact Scope   | All Linux kernels built between 2017 and 2026-04     |
| CISA KEV      | Listed; Fixing date: 2026-05-15                    |
| Public Date   | 2026-04-29                                           |

### Vulnerability Details

In 2017, an in-place optimization was introduced in the `algif_aead` encryption module of the kernel. This optimization caused page-cache entries to be incorrectly placed in writable target scatterlists. An attacker can use the `AF_ALG` socket combined with the `splice()` system call to write data to the page cache of any file, including all read-only files owned by the root user. **Attack Chain**: `AF_ALG socket` β†’ `splice()` β†’ page-cache writing primitive β†’ tampering with setuid binary files’ page caches β†’ executing the file to gain root privileges.

**Characteristics of the attack:**

- No race conditions (direct logical flaws)
- No need for kernel debugging features
- No need for specific architecture offsets
- The exploit script is only ~732 bytes in size, effective across all mainstream distributions

---

## Impacted Distributions

### Verified Impacted Distributions

| Distribution    | Affected Kernel Versions                   |
|------------------|-----------------------------------------|
| Ubuntu 24.04 LTS | 6.17.0-1007-aws                           |
| Amazon Linux 2023 | 6.18.8-9.213.amzn2023                     |
| RHEL 10.1        | 6.12.0-124.45.1.el10_1                   |
| SUSE 16          | 6.12.0-160000.9-default                   |

The same range of kernels is also affected in distributions like Debian, Arch, Fedora, Rocky, Alma, Oracle, etc. ### Affected Kernel Version Range

All kernel versions below the following repair levels are affected:

| Stable Branch | Minimum Repair Version |
|----------------|------------------------|
| 5.10.x       | β‰₯ 5.10.254              |
| 5.15.x       | β‰₯ 5.15.204              |
| 6.1.x        | β‰₯ 6.1.170               |
| 6.6.x        | β‰₯ 6.6.137               |
| 6.12.x       | β‰₯ 6.12.85               |
| 6.18.x       | β‰₯ 6.18.22               |
| 6.19.x       | β‰₯ 6.19.12               |
| 7.0.x        | β‰₯ 7.0-rc7               |

---

## Troubleshooting Steps

### 1. Check Kernel Version

```bash
uname -r
```

Compare the output with the repair versions listed above. If the version is lower, it indicates an impact. ### 2. Check AF_ALG Connections

```bash
# Check if there are AF_ALG connections currently
lsof | grep AF_ALG

# Check the status of AF_ALG sockets
ss -xa | grep alg
```

### 3. Check Whether the algif_aead Module Is Loaded

```bash
lsmod | grep algif_aead
```

If any output appears, it indicates that the module is loaded, and there is a risk of exploitation. ### 4. Vulnerability Verification (Only in Authorized Testing Environment)

```bash
# Clone the PoC repository
cd copy-fail-CVE-2026-31431

# Run the PoC (requires non-privileged user access)
python3 copy_fail_exp.py
```

If the PoC successfully gains root shell, it indicates that the system has this vulnerability.