Share
## https://sploitus.com/exploit?id=5C708DEB-BC1C-5ACB-933E-A9316543EB2A
# copy-fail-fix

Per-distro mitigation scripts for [CVE-2026-31431 ("Copy Fail")](https://ubuntu.com/security/CVE-2026-31431) โ€” a Linux kernel `algif_aead` local privilege escalation that affects essentially every distro shipped since 2017.

Each script either installs a patched kernel from your distribution's repos (when one is available) or, if not, blacklists the vulnerable `algif_aead` kernel module so the exploit path is closed until you can reboot onto a fixed kernel.

## TL;DR

Pick the script for your distro, audit it, run it as root.

```bash
# Ubuntu
sudo bash scripts/ubuntu.sh

# Debian
sudo bash scripts/debian.sh

# RHEL / Rocky / AlmaLinux / CentOS Stream
sudo bash scripts/rhel.sh

# Fedora
sudo bash scripts/fedora.sh

# Arch
sudo bash scripts/arch.sh

# openSUSE Leap / Tumbleweed
sudo bash scripts/opensuse.sh

# Alpine
sudo bash scripts/alpine.sh

# Anything else (Gentoo, NixOS, immutable distros, ...)
sudo bash scripts/universal.sh
```

Use `--check` first if you want a preview that changes nothing.

## What each script does

Per-distro scripts run this algorithm; `universal.sh` skips steps 4โ€“5.

1. **Sudo up.** Re-execs under `sudo` if not already root.
2. **Confirm the distro.** Refuses to run on a mismatched host unless `--force`.
3. **Read `uname -r`.**
4. **Already patched?** If `PATCHED_KERNEL_VERSION` is recorded for your distro and your running kernel is at or above it, the script removes any leftover mitigation file and exits.
5. **Patch available?** Asks your package manager. If a candidate kernel โ‰ฅ the patched version is available, prompts you (`--yes` to skip) to install it. After install, you reboot manually.
6. **Mitigate.** If no patched kernel is available yet (or you declined), writes `/etc/modprobe.d/cve-2026-31431.conf` with `blacklist algif_aead` and `install algif_aead /bin/true`, then verifies via an `AF_ALG` socket-bind probe that the exploit path is closed.

## Patch status

`PATCHED_KERNEL_VERSION = PENDING` means the maintainers haven't yet recorded a fixed kernel version for that distro. Each row updates via a one-line PR.

| Distro | Kernel package | Patched version | Last checked |
|---|---|---|---|
| Ubuntu (24.04) | `linux-image-generic` | PENDING | 2026-05-01 |
| Debian | `linux-image-amd64` | PENDING | 2026-05-01 |
| RHEL / Rocky / Alma | `kernel` | PENDING | 2026-05-01 |
| Fedora | `kernel` | PENDING | 2026-05-01 |
| Arch | `linux` | PENDING | 2026-05-01 |
| openSUSE | `kernel-default` | PENDING | 2026-05-01 |
| Alpine | `linux-lts` | PENDING | 2026-05-01 |

## Flags

| Flag | Meaning |
|---|---|
| `-y`, `--yes` | Non-interactive; skip the kernel-install prompt. |
| `--force` | Bypass the distro-mismatch check. |
| `--check` | Read-only preview; print what would happen, change nothing. |
| `--undo` | Remove `/etc/modprobe.d/cve-2026-31431.conf`. Use after a patched kernel is installed. |
| `-h`, `--help` | Usage info. |

## Verifying the mitigation manually

The scripts run this probe automatically. To check yourself:

```bash
python3 - .sh --undo
```

## Contributing

When your distro publishes a fixed kernel:

1. Edit one line in `scripts/.sh` โ€” set `PATCHED_KERNEL_VERSION` to the fixed package version (in the format `dpkg-query -W` / `rpm -q VERSION-RELEASE` / `pacman -Q` returns).
2. Update the corresponding row in this README's patch-status table.
3. Open a PR titled `: fix shipped in `.

## Disclaimer

Security mitigation tooling. Audit any script you find on the internet before piping it into `sudo bash`. The maintainers accept no liability under the MIT license.

## License

[MIT](LICENSE).