## https://sploitus.com/exploit?id=397A050B-A400-5667-923D-81D4E3E07E25
# CopyFail-Fix
🌐 **English** | [Português](README.pt-BR.md) | [Español](README.es.md) | [中文](README.zh.md) | [Íslenska](README.is.md)
One-command mitigation and patch for [CVE-2026-31431](https://ubuntu.com/security/CVE-2026-31431) — the Linux kernel "Copy Fail" local privilege escalation vulnerability. The script disables the affected `algif_aead` module, upgrades your kernel via `apt`, and (optionally) installs a `systemd` timer to keep the system up to date.
Designed for **Ubuntu servers** (also compatible with Debian-based systems).
> **⚠️ Review the script before running.** This is a security tool that runs as root. Read [`copyfail.sh`](copyfail.sh) before piping it to `sudo`. Always prefer your distribution's official kernel update process when possible.
## Why?
CVE-2026-31431 ("Copy Fail") is a logic flaw in the kernel's `algif_aead` (AEAD socket interface of the userspace crypto API). A local unprivileged user can trigger a deterministic 4-byte write into the page cache of any readable file — including setuid binaries — and gain root access in seconds. The flaw was introduced in 2017 (commit `72548b093ee3`) and affects every kernel built between 2017 and the fix. This script disables the vulnerable module while you apply your distribution's kernel patch.
## Requirements
- **Ubuntu 20.04+** (or Debian-based system)
- `apt-get` and `awk` available
- Root privileges (`sudo`)
## Quick Start
```bash
wget -O copyfail.sh https://raw.githubusercontent.com/paulorlima9/copyfail-fix/main/copyfail.sh
chmod +x copyfail.sh
sudo ./copyfail.sh
```
On first run, the script will:
1. Write `/etc/modprobe.d/disable-algif.conf` to blacklist the `algif_aead` module
2. Unload `algif_aead` if currently loaded
3. Run `apt-get update && apt-get upgrade -y` to pull the patched kernel
4. Ask if you want to enable **Supervision** (automatic daily updates)
A reboot is required after the upgrade to load the new kernel.
## Usage
```
sudo ./copyfail.sh [options]
```
| Option | Short | Description |
|---|---|---|
| `--help` | `-h` | Show help message |
| `--mitigate` | `-m` | Apply mitigation only (disable `algif_aead` module) |
| `--upgrade` | `-u` | Upgrade kernel/packages only (`apt-get upgrade`) |
| `--check` | `-c` | Show current status (kernel version, module, mitigation) |
| `--revert` | `-r` | Revert mitigation (after kernel is patched and rebooted) |
| `--supervision` | `-s` | Enable automatic daily updates via systemd timer |
## Examples
**Full fix** — apply mitigation and upgrade kernel:
```bash
sudo ./copyfail.sh
```
**Check status only**:
```bash
sudo ./copyfail.sh --check
```
**Mitigation only** (no kernel upgrade):
```bash
sudo ./copyfail.sh --mitigate
```
**Revert mitigation** after confirming the kernel is patched and rebooted:
```bash
sudo ./copyfail.sh --revert
```
**Enable daily auto-update** (Supervision):
```bash
sudo ./copyfail.sh --supervision
```
## Supervision
The Supervision feature installs a **systemd timer** that runs `apt-get upgrade` once every 24 hours, ensuring kernel patches are picked up as soon as your distribution publishes them.
When enabled, two systemd units are created:
- `copyfail-fix-supervision.service` — oneshot service that executes the script with `--upgrade`
- `copyfail-fix-supervision.timer` — timer that triggers the service daily (and 5 minutes after boot)
### Managing the timer
```bash
# Check timer status
systemctl status copyfail-fix-supervision.timer
# View next scheduled run
systemctl list-timers copyfail-fix-supervision.timer
# Disable auto-updates
sudo systemctl stop copyfail-fix-supervision.timer
sudo systemctl disable copyfail-fix-supervision.timer
# Manually trigger an update
sudo systemctl start copyfail-fix-supervision.service
```
## How It Works
1. Writes `install algif_aead /bin/false` to `/etc/modprobe.d/disable-algif.conf` so the module cannot be loaded on next boot
2. Calls `rmmod algif_aead` to unload it from the running kernel (skipped if the module is in use — reboot required)
3. Runs `apt-get update` followed by a non-interactive `apt-get upgrade` to install the latest kernel package
4. With `--check`, inspects `uname -r`, `lsmod`, the modprobe file, and the latest installed `linux-image-*` package
5. With `--revert`, deletes the modprobe file and reloads the module via `modprobe`
## Output Legend
During execution, the script displays progress indicators:
- **`+`** (green) — action applied
- **`-`** (red) — action reverted
- **`.`** (gray) — action skipped (already applied or not applicable)
- **`!`** (yellow) — warning (e.g. reboot required)
## CVE Reference
- [Ubuntu Security Notice — CVE-2026-31431](https://ubuntu.com/security/CVE-2026-31431)
- [Red Hat — RHSB-2026-002 Copy Fail](https://access.redhat.com/security/vulnerabilities/RHSB-2026-002)
- [CERT-EU 2026-005](https://cert.europa.eu/publications/security-advisories/2026-005/)
## License
MIT