Share
## https://sploitus.com/exploit?id=397A050B-A400-5667-923D-81D4E3E07E25
# CopyFail-Fix

🌐 **English** | [Português](README.pt-BR.md) | [Español](README.es.md) | [中文](README.zh.md) | [Íslenska](README.is.md)

One-command mitigation and patch for [CVE-2026-31431](https://ubuntu.com/security/CVE-2026-31431) — the Linux kernel "Copy Fail" local privilege escalation vulnerability. The script disables the affected `algif_aead` module, upgrades your kernel via `apt`, and (optionally) installs a `systemd` timer to keep the system up to date.

Designed for **Ubuntu servers** (also compatible with Debian-based systems).

> **⚠️ Review the script before running.** This is a security tool that runs as root. Read [`copyfail.sh`](copyfail.sh) before piping it to `sudo`. Always prefer your distribution's official kernel update process when possible.

## Why?

CVE-2026-31431 ("Copy Fail") is a logic flaw in the kernel's `algif_aead` (AEAD socket interface of the userspace crypto API). A local unprivileged user can trigger a deterministic 4-byte write into the page cache of any readable file — including setuid binaries — and gain root access in seconds. The flaw was introduced in 2017 (commit `72548b093ee3`) and affects every kernel built between 2017 and the fix. This script disables the vulnerable module while you apply your distribution's kernel patch.

## Requirements

- **Ubuntu 20.04+** (or Debian-based system)
- `apt-get` and `awk` available
- Root privileges (`sudo`)

## Quick Start

```bash
wget -O copyfail.sh https://raw.githubusercontent.com/paulorlima9/copyfail-fix/main/copyfail.sh
chmod +x copyfail.sh
sudo ./copyfail.sh
```

On first run, the script will:

1. Write `/etc/modprobe.d/disable-algif.conf` to blacklist the `algif_aead` module
2. Unload `algif_aead` if currently loaded
3. Run `apt-get update && apt-get upgrade -y` to pull the patched kernel
4. Ask if you want to enable **Supervision** (automatic daily updates)

A reboot is required after the upgrade to load the new kernel.

## Usage

```
sudo ./copyfail.sh [options]
```

| Option | Short | Description |
|---|---|---|
| `--help` | `-h` | Show help message |
| `--mitigate` | `-m` | Apply mitigation only (disable `algif_aead` module) |
| `--upgrade` | `-u` | Upgrade kernel/packages only (`apt-get upgrade`) |
| `--check` | `-c` | Show current status (kernel version, module, mitigation) |
| `--revert` | `-r` | Revert mitigation (after kernel is patched and rebooted) |
| `--supervision` | `-s` | Enable automatic daily updates via systemd timer |

## Examples

**Full fix** — apply mitigation and upgrade kernel:

```bash
sudo ./copyfail.sh
```

**Check status only**:

```bash
sudo ./copyfail.sh --check
```

**Mitigation only** (no kernel upgrade):

```bash
sudo ./copyfail.sh --mitigate
```

**Revert mitigation** after confirming the kernel is patched and rebooted:

```bash
sudo ./copyfail.sh --revert
```

**Enable daily auto-update** (Supervision):

```bash
sudo ./copyfail.sh --supervision
```

## Supervision

The Supervision feature installs a **systemd timer** that runs `apt-get upgrade` once every 24 hours, ensuring kernel patches are picked up as soon as your distribution publishes them.

When enabled, two systemd units are created:

- `copyfail-fix-supervision.service` — oneshot service that executes the script with `--upgrade`
- `copyfail-fix-supervision.timer` — timer that triggers the service daily (and 5 minutes after boot)

### Managing the timer

```bash
# Check timer status
systemctl status copyfail-fix-supervision.timer

# View next scheduled run
systemctl list-timers copyfail-fix-supervision.timer

# Disable auto-updates
sudo systemctl stop copyfail-fix-supervision.timer
sudo systemctl disable copyfail-fix-supervision.timer

# Manually trigger an update
sudo systemctl start copyfail-fix-supervision.service
```

## How It Works

1. Writes `install algif_aead /bin/false` to `/etc/modprobe.d/disable-algif.conf` so the module cannot be loaded on next boot
2. Calls `rmmod algif_aead` to unload it from the running kernel (skipped if the module is in use — reboot required)
3. Runs `apt-get update` followed by a non-interactive `apt-get upgrade` to install the latest kernel package
4. With `--check`, inspects `uname -r`, `lsmod`, the modprobe file, and the latest installed `linux-image-*` package
5. With `--revert`, deletes the modprobe file and reloads the module via `modprobe`

## Output Legend

During execution, the script displays progress indicators:

- **`+`** (green) — action applied
- **`-`** (red) — action reverted
- **`.`** (gray) — action skipped (already applied or not applicable)
- **`!`** (yellow) — warning (e.g. reboot required)

## CVE Reference

- [Ubuntu Security Notice — CVE-2026-31431](https://ubuntu.com/security/CVE-2026-31431)
- [Red Hat — RHSB-2026-002 Copy Fail](https://access.redhat.com/security/vulnerabilities/RHSB-2026-002)
- [CERT-EU 2026-005](https://cert.europa.eu/publications/security-advisories/2026-005/)

## License

MIT