Share
## https://sploitus.com/exploit?id=6AD5A914-B820-5648-AF5E-8379DE029A30
# CVE-2026-31431 β€” Copy Fail (Linux Privilege Escalation)

## Overview

This repository presents a technical overview and demonstration of **CVE-2026-31431**, commonly referred to as *Copy Fail*, a Linux kernel vulnerability that enables local privilege escalation.

The vulnerability affects a wide range of Linux distributions and allows an unprivileged user to obtain root access by exploiting inconsistencies in page cache handling within the kernel.

---

## Disclaimer

This project is intended solely for:

* Educational purposes
* Security research
* Ethical and authorized testing

Unauthorized use of this information on systems without proper permission is strictly prohibited.

---

## Vulnerability Summary

* **CVE ID:** CVE-2026-31431
* **Name:** Copy Fail
* **Type:** Local Privilege Escalation (LPE)
* **Severity:** High
* **Affected Systems:** Multiple Linux distributions, including Ubuntu, RHEL, SUSE, and Amazon Linux

---

## Technical Background

The vulnerability originates in the Linux kernel’s cryptographic subsystem, specifically within the handling of the `authencesn` algorithm.

It permits a local user to modify the **page cache** of files that are otherwise only readable, without altering the corresponding data on disk.

### Key Issue

* The kernel modifies in-memory file representations (page cache)
* The modification is not reflected on disk
* File integrity monitoring tools remain unaware of the change

As a result, a file may appear unchanged when inspected, while executing altered content in memory.

---

## Attack Overview

The exploitation process involves:

1. Gaining access to a low-privileged shell
2. Leveraging kernel interfaces such as `AF_ALG` and `splice()`
3. Injecting controlled data into the page cache of a target file
4. Targeting a privileged executable (e.g., setuid binaries)
5. Executing the modified in-memory version of the file
6. Achieving privilege escalation

---

## Key Concept: Page Cache Manipulation

Linux utilizes a page cache to store file data in memory for performance optimization.

In this vulnerability:

* The attacker alters the cached version of a file
* The disk version remains unchanged
* Execution uses the modified memory version

This discrepancy enables stealthy exploitation and bypasses traditional file integrity checks.

---

## Impact

Successful exploitation may result in:

* Full system compromise
* Unauthorized root access
* Bypass of integrity monitoring solutions
* Increased risk in multi-user and containerized environments

---

## Demonstration

A demonstration video is included in this repository, illustrating:

* The exploitation workflow
* Privilege escalation process
* Resulting system access

---

## Mitigation

### Recommended Actions

* Update the Linux kernel to a patched version
* Apply vendor security updates promptly

### Additional Hardening Measures

* Restrict access to kernel cryptographic interfaces
* Enforce security policies using SELinux or AppArmor
* Implement syscall filtering (e.g., seccomp)
* Monitor for anomalous process behavior

---

## Comparison with Similar Vulnerabilities

| Vulnerability | Type                | Characteristics            |
| ------------- | ------------------- | -------------------------- |
| Dirty COW     | Race condition      | Timing-dependent exploit   |
| Dirty Pipe    | Pipe buffer exploit | Kernel memory overwrite    |
| Copy Fail     | Logic flaw          | Deterministic and reliable |

---

## Repository Structure

```
.
β”œβ”€β”€ exploit.py
β”œβ”€β”€ demo_video.webm
└── README.md
```

---

## References

* Xint Research: https://xint.io/blog/copy-fail-linux-distributions
* The Hacker News: https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html

---

## License

This project is released under the MIT License.

---