## https://sploitus.com/exploit?id=6AD5A914-B820-5648-AF5E-8379DE029A30
# CVE-2026-31431 β Copy Fail (Linux Privilege Escalation)
## Overview
This repository presents a technical overview and demonstration of **CVE-2026-31431**, commonly referred to as *Copy Fail*, a Linux kernel vulnerability that enables local privilege escalation.
The vulnerability affects a wide range of Linux distributions and allows an unprivileged user to obtain root access by exploiting inconsistencies in page cache handling within the kernel.
---
## Disclaimer
This project is intended solely for:
* Educational purposes
* Security research
* Ethical and authorized testing
Unauthorized use of this information on systems without proper permission is strictly prohibited.
---
## Vulnerability Summary
* **CVE ID:** CVE-2026-31431
* **Name:** Copy Fail
* **Type:** Local Privilege Escalation (LPE)
* **Severity:** High
* **Affected Systems:** Multiple Linux distributions, including Ubuntu, RHEL, SUSE, and Amazon Linux
---
## Technical Background
The vulnerability originates in the Linux kernelβs cryptographic subsystem, specifically within the handling of the `authencesn` algorithm.
It permits a local user to modify the **page cache** of files that are otherwise only readable, without altering the corresponding data on disk.
### Key Issue
* The kernel modifies in-memory file representations (page cache)
* The modification is not reflected on disk
* File integrity monitoring tools remain unaware of the change
As a result, a file may appear unchanged when inspected, while executing altered content in memory.
---
## Attack Overview
The exploitation process involves:
1. Gaining access to a low-privileged shell
2. Leveraging kernel interfaces such as `AF_ALG` and `splice()`
3. Injecting controlled data into the page cache of a target file
4. Targeting a privileged executable (e.g., setuid binaries)
5. Executing the modified in-memory version of the file
6. Achieving privilege escalation
---
## Key Concept: Page Cache Manipulation
Linux utilizes a page cache to store file data in memory for performance optimization.
In this vulnerability:
* The attacker alters the cached version of a file
* The disk version remains unchanged
* Execution uses the modified memory version
This discrepancy enables stealthy exploitation and bypasses traditional file integrity checks.
---
## Impact
Successful exploitation may result in:
* Full system compromise
* Unauthorized root access
* Bypass of integrity monitoring solutions
* Increased risk in multi-user and containerized environments
---
## Demonstration
A demonstration video is included in this repository, illustrating:
* The exploitation workflow
* Privilege escalation process
* Resulting system access
---
## Mitigation
### Recommended Actions
* Update the Linux kernel to a patched version
* Apply vendor security updates promptly
### Additional Hardening Measures
* Restrict access to kernel cryptographic interfaces
* Enforce security policies using SELinux or AppArmor
* Implement syscall filtering (e.g., seccomp)
* Monitor for anomalous process behavior
---
## Comparison with Similar Vulnerabilities
| Vulnerability | Type | Characteristics |
| ------------- | ------------------- | -------------------------- |
| Dirty COW | Race condition | Timing-dependent exploit |
| Dirty Pipe | Pipe buffer exploit | Kernel memory overwrite |
| Copy Fail | Logic flaw | Deterministic and reliable |
---
## Repository Structure
```
.
βββ exploit.py
βββ demo_video.webm
βββ README.md
```
---
## References
* Xint Research: https://xint.io/blog/copy-fail-linux-distributions
* The Hacker News: https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html
---
## License
This project is released under the MIT License.
---