Share
## https://sploitus.com/exploit?id=7690416B-143E-53EE-AC16-FCD6D6CE5ECA
# CVE-2026-31431 โ€” Copy Fail

**Linux kernel local privilege escalation via AF\_ALG + splice page-cache overwrite**

[![CVE](https://img.shields.io/badge/CVE-2026--31431-red)](https://vulners.com/cve/CVE-2026-31431)
[![CVSS](https://img.shields.io/badge/CVSS%20v3.1-7.8%20High-orange)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2026-31431&vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=kernel.org)
[![License](https://img.shields.io/badge/license-GPLv3%2B-blue)](LICENSE)

> **For authorized security research, penetration testing, and educational purposes only.**
> Do not use against systems you do not own or have explicit written permission to test.

[Technical Writeup](https://xint.io/blog/copy-fail-linux-distributions)

---

## Table of Contents

- [Description](#description)
- [Vulnerability Details](#vulnerability-details)
- [Repository Structure](#repository-structure)
- [Quick Start](#quick-start)
- [Detection](#detection)
- [Requirements](#requirements)
- [Mitigation](#mitigation)
- [Test Environment (optional)](#test-environment-optional)
- [References](#references)
- [License](#license)

---

## Description

CVE-2026-31431 is a local privilege escalation (LPE) vulnerability in the Linux kernel. An
unprivileged local user can gain root access by combining the `AF_ALG` socket interface with
`splice()` to perform an authenticated write directly into a page-cache page belonging to a
setuid binary.

The exploit overwrites the `su` binary in the page cache without modifying the on-disk inode,
bypassing integrity mechanisms that rely solely on file metadata or block-level checksums.

---

## Vulnerability Details

| Field             | Value                                                                                                                                                                     |
|-------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CVE ID            | CVE-2026-31431                                                                                                                                                            |
| Type              | Local Privilege Escalation (LPE)                                                                                                                                          |
| CVSS v3.1 Score   | **7.8 High** โ€” `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` (source: kernel.org)                                                                                                 |
| Kernel subsystems | `crypto/af_alg.c`, `mm/splice.c`                                                                                                                                          |
| Attack vector     | Local โ€” unprivileged user account required                                                                                                                                |
| Root cause        | `algif_aead` accepts `sendfile()` over an AEAD socket without enforcing copy-on-write semantics on the mapped page-cache page prior to `splice()` completing the transfer |

### Affected Environments

| Distro                 | Kernel version          | Arch    |
|------------------------|-------------------------|---------|
| Ubuntu 24.04 LTS       | 6.17.0-1007-aws         | x86\_64 |
| Amazon Linux 2023      | 6.18.8-9.213.amzn2023   | x86\_64 |
| RHEL 10.1              | 6.12.0-124.45.1.el10_1  | x86\_64 |
| SUSE 16                | 6.12.0-160000.9-default | x86\_64 |
| Raspberry Pi OS (Pi 5) | 6.12.75+rpt-rpi-2712    | aarch64 |

---

## Repository Structure

```console
.
โ”œโ”€โ”€ exploit.py    # PoC โ€” page-cache overwrite and privilege escalation
โ”œโ”€โ”€ detect.bt     # BPFtrace script for real-time detection
โ”œโ”€โ”€ run-vm.sh     # QEMU test environment automation (optional)
โ”œโ”€โ”€ PAYLOAD.md    # Payload encoding analysis (hex โ†’ zlib โ†’ ELF โ†’ shellcode)
โ””โ”€โ”€ LICENSE
```

---

## Quick Start

Run `exploit.py` as an **unprivileged** local user on any vulnerable system โ€” no `sudo` needed:

```bash
python3 exploit.py
```

The script performs the following steps:

1. Verifies kernel support for `AF_ALG` (`algif_aead`) and locates the `su` binary.
2. Selects and decompresses the architecture-appropriate payload.
3. Opens the `su` binary as a raw file descriptor and overwrites its page-cache pages via
   `AF_ALG` + `sendfile`.
4. Tests privilege escalation. If successful, drops into a root shell.

**Supported architectures:**

| Architecture | Variants               |
|--------------|------------------------|
| x86\_64      | โ€”                      |
| aarch64      | โ€”                      |
| riscv64      | โ€”                      |
| ppc64le      | โ€”                      |
| arm          | armv5l, armv6l, armv7l |
| x86 32-bit   | i386, i486, i586, i686 |
| MIPS 64-bit  | mips64, mips64el       |
| LoongArch    | loong64, loongarch64   |
| s390x        | โ€”                      |

---

## Detection

Monitor for exploitation attempts in real time with `detect.bt`. Requires root:

```bash
sudo bpftrace detect.bt
# or
doas bpftrace detect.bt
```

The script tracks three indicators per PID using a bitmask in `@suspect[pid]`:

| Bit   | Syscall                          | Indicator                      |
|-------|----------------------------------|--------------------------------|
| `0x1` | `socket(AF_ALG, SOCK_SEQPACKET)` | AF_ALG socket created          |
| `0x2` | `setsockopt(SOL_ALG, ...)`       | Crypto operation configured    |
| `0x4` | `sendmsg(MSG_MORE)` + `splice()` | Page-cache overwrite attempted |

An alert fires when all three bits are set (`@suspect[pid] == 0x7`) on the same PID.

---

## Requirements

### `exploit.py`

- Python 3.6+
- Linux kernel with `AF_ALG`/`algif_aead` module loaded
- Local unprivileged user account (root is **not** required)

### `detect.bt`

- `bpftrace` โ‰ฅ 0.12
- Root privileges (required for BPF tracing)

```bash
# Ubuntu/Debian
sudo apt install bpftrace

# RHEL/CentOS/Fedora
sudo dnf install bpftrace

# Amazon Linux
sudo yum install bpftrace

# SUSE
sudo zypper install bpftrace

# Alpine
sudo apk add bpftrace
```

---

## Mitigation

### 1. Patch (preferred)

Update your distribution's kernel package to one that includes mainline commit
[`a664bf3d603d`](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603d),
which reverts the 2017 `algif_aead` in-place optimization so that page-cache pages can no
longer end up in the writable destination scatterlist. Most major distributions are shipping
the fix now.

### 2. Disable `algif_aead` (while waiting for a patch)

`blacklist` can be bypassed with an explicit `modprobe algif_aead`. The `install .../bin/false`
directive overrides the install command entirely, making every load attempt fail:

```bash
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead 2>/dev/null || true
```

#### What this breaks โ€” almost nothing

| Affected? | Subsystem/Use case                                                                        |
|-----------|-------------------------------------------------------------------------------------------|
| **No**    | dm-crypt/LUKS, kTLS, IPsec/XFRM, in-kernel TLS                                            |
| **No**    | OpenSSL, GnuTLS, NSS default builds                                                       |
| **No**    | SSH, kernel keyring crypto                                                                |
| **Maybe** | OpenSSL with the `afalg` engine explicitly enabled                                        |
| **Maybe** | Embedded crypto offload paths or apps that bind `aead`/`skcipher`/`hash` sockets directly |

The subsystems in the "No" row use the in-kernel crypto API directly โ€” they never go through
`AF_ALG`. Performance falls back to normal userspace crypto libraries, which is what almost
everything else already uses.

To check whether anything on your system actively uses `AF_ALG` before disabling it:

```bash
lsof | grep AF_ALG
ss -xa | grep alg
```

### 3. Block via seccomp (containers, sandboxes, CI)

Deny `socket(AF_ALG, ...)` creation for untrusted workloads regardless of patch state. Add
`AF_ALG` (family 38) to your seccomp deny-list, or use an AppArmor/SELinux policy that
restricts `socket` calls for unprivileged processes.

### 4. Monitor with `detect.bt`

Deploy the included detection script on any host that cannot be patched or locked down
immediately. It will alert on any process that executes the full three-step exploit primitive.

---

## Test Environment (optional)

`run-vm.sh` automates the creation of an Ubuntu 24.04 QEMU VM for testing in a controlled
environment. `exploit.py` and `detect.bt` run directly on any vulnerable host โ€” QEMU is
not required.

### Host Requirements

| Dependency                 | Notes                                                             |
|----------------------------|-------------------------------------------------------------------|
| `qemu-system-x86_64` + KVM | See install commands below                                        |
| `wget` or `curl`           | Cloud image download                                              |
| `cloud-image-utils`        | Seed image generation (Docker can substitute on non-Debian hosts) |

### Install QEMU

```bash
# Ubuntu/Debian
sudo apt install qemu-system-x86 cloud-image-utils wget

# Fedora/RHEL
sudo dnf install qemu-system-x86 wget

# Arch
sudo pacman -Sy qemu

# Alpine
sudo apk add qemu-system-x86 qemu-ui-gtk wget
```

### Run

```bash
sh run-vm.sh
```

### Interactive Menu

```console
1. Start/Create VM
2. Connect via SSH
3. Upload files to VM  (exploit.py, detect.bt)
4. Run exploit inside VM
5. Run detect.bt inside VM
6. Check VM status
7. Stop VM
8. Clean up VM files
0. Exit
```

### VM Credentials

| Field    | Value    |
|----------|----------|
| User     | `ubuntu` |
| Password | `cve123` |
| SSH port | `2222`   |

---

## References

- [Technical Writeup โ€” xint.io](https://xint.io/blog/copy-fail-linux-distributions)
- [Payload Encoding Analysis](PAYLOAD.md) โ€” hex โ†’ zlib โ†’ ELF โ†’ shellcode breakdown
- [`crypto/af_alg.c` โ€” kernel source](https://elixir.bootlin.com/linux/latest/source/crypto/af_alg.c)
- [`mm/splice.c` โ€” kernel source](https://elixir.bootlin.com/linux/latest/source/mm/splice.c)

---

## License

This project is licensed under the **GNU General Public License v3.0 or later**.
See [LICENSE](LICENSE) for the full text.

> **Disclaimer:** This repository is provided for authorized security research, penetration
> testing, and educational purposes only. The authors accept no liability for any misuse or
> damage caused by this software.