Share
## https://sploitus.com/exploit?id=6058BC55-40E6-5884-A7CA-A819DB7DEF26
# copyfail-check

> Shell scripts to detect Linux kernel vulnerabilities, check mitigation status, and guide remediation โ€” designed to run locally or across fleets via SSH, Ansible, or pssh.

---

## CVE-2026-31431 โ€” Copy Fail

**Copy Fail** is a high-severity local privilege escalation (LPE) vulnerability in the Linux kernel's `algif_aead` cryptographic module. A logic flaw introduced in 2017 allows any unprivileged local user to write 4 controlled bytes into the page cache of any readable file โ€” enough to overwrite a setuid binary and obtain root. A working 732-byte Python proof-of-concept exists and is publicly available.

| | |
|---|---|
| **CVE** | CVE-2026-31431 |
| **CVSS** | 7.8 (High) |
| **Disclosed** | April 29, 2026 |
| **Affected** | Linux kernels 4.13 โ€“ 6.x (2017โ€“2026) |
| **Distributions** | Ubuntu, RHEL, SUSE, Debian, Amazon Linux, and most others |
| **Remotely exploitable** | No โ€” local access required |
| **Patch available** | Partial โ€” check your distro's advisories |

### What the script checks

- **Kernel version** โ€” whether you're in the affected range (โ‰ฅ 4.13)
- **`algif_aead` module** โ€” loaded, present on disk, or blacklisted
- **Boot parameters** โ€” `initcall_blacklist=algif_aead_init` presence
- **AF_ALG socket reachability** โ€” whether the exploit path is open to the current user
- **SELinux / AppArmor** โ€” MAC layer presence (partial mitigation only)
- **Distro patch status** โ€” CVE listed in kernel changelog

### Quick run (single server)

```bash
curl -fsSL https://raw.githubusercontent.com/codesource/copyfail-check/main/check_copyfail.sh | sudo bash
```

> **Tip:** Pin to a specific commit SHA in production so the script cannot change under you:
> ```bash
> curl -fsSL https://raw.githubusercontent.com/codesource/copyfail-check/COMMIT_SHA/check_copyfail.sh | sudo bash
> ```

### Download and inspect first (recommended)

```bash
curl -fsSL https://raw.githubusercontent.com/codesource/copyfail-check/main/check_copyfail.sh -o check_copyfail.sh
less check_copyfail.sh
sudo bash check_copyfail.sh
```

### Run across a fleet

**SSH loop**
```bash
for HOST in server1 server2 server3; do
  echo "=== $HOST ==="
  ssh "$HOST" "curl -fsSL https://raw.githubusercontent.com/codesource/copyfail-check/main/check_copyfail.sh | sudo bash"
done
```

**Ansible**
```yaml
- name: Check Copy Fail vulnerability
  hosts: all
  tasks:
    - name: Run check script
      script: check_copyfail.sh
      become: yes
```

**Parallel SSH**
```bash
pssh -h hosts.txt -i \
  "curl -fsSL https://raw.githubusercontent.com/codesource/copyfail-check/main/check_copyfail.sh | sudo bash"
```

### Example output

```
============================================================
  Copy Fail CVE-2026-31431 โ€“ Vulnerability Check
============================================================

>>> Kernel Version
  [INFO]  Running kernel: 5.15.0-107-generic
  [WARN]  Kernel 5.15.0-107-generic is in the affected range (4.13 โ€“ 6.x).

>>> algif_aead Module Status
  [WARN]  algif_aead module is currently LOADED โ€” system is exploitable.
  [WARN]  Module file found at: /lib/modules/5.15.0-107-generic/kernel/crypto/algif_aead.ko
  [WARN]  algif_aead is NOT blacklisted โ€” it can be loaded on demand.

>>> Kernel Boot Parameter Mitigation
  [WARN]  initcall_blacklist=algif_aead_init is NOT set in boot parameters.

>>> AF_ALG Socket Reachability
  [WARN]  AF_ALG sockets are reachable by this user โ€” exploit path is open.

>>> Mandatory Access Control (SELinux / AppArmor)
  [WARN]  Neither SELinux nor AppArmor tools detected โ€” no MAC layer present.

>>> Distribution Patch Status
  [WARN]  Could not confirm CVE-2026-31431 is listed as fixed in running kernel's changelog.

============================================================
  SUMMARY
============================================================
  !! LIKELY VULNERABLE โ€” No confirmed mitigation detected.

  Recommended actions (in order of preference):
  1. Apply your distro's kernel update as soon as available.
  2. Add to /etc/modprobe.d/copyfail.conf:
       blacklist algif_aead
       install algif_aead /bin/true
     Then run: sudo depmod -a && sudo update-initramfs -u
  3. Add to kernel boot parameters (grub):
       initcall_blacklist=algif_aead_init
  4. Immediately unload the module if loaded:
       sudo rmmod algif_aead
============================================================
```

### Mitigations

Apply these in order of preference:

**1. Patch your kernel** *(best fix)*
```bash
# Debian / Ubuntu
sudo apt update && sudo apt upgrade linux-image-$(uname -r)

# RHEL / CentOS / Amazon Linux
sudo yum update kernel

# SUSE
sudo zypper update kernel-default
```

**2. Blacklist the module** *(immediate, persistent)*
```bash
echo -e "blacklist algif_aead\ninstall algif_aead /bin/true" | sudo tee /etc/modprobe.d/copyfail.conf
sudo depmod -a

# Debian/Ubuntu
sudo update-initramfs -u

# RHEL/Fedora
sudo dracut -f
```

**3. Unload the module now** *(immediate, not persistent across reboots)*
```bash
sudo rmmod algif_aead
```

**4. Kernel boot parameter** *(alternative to blacklist)*

Add `initcall_blacklist=algif_aead_init` to your GRUB config and reboot.

---

## References

- [copy.fail](https://copy.fail/) โ€” official vulnerability page
- [Xint/Theori writeup](https://xint.io/blog/copy-fail-linux-distributions)
- [NVD โ€” CVE-2026-31431](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
- [CERT-EU Advisory 2026-005](https://cert.europa.eu/publications/security-advisories/2026-005/)
- [Microsoft Security Blog](https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/)
- [The Hacker News](https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html)

## License

MIT โ€” use freely, no warranty implied. Always review scripts before running them as root.