Share
## https://sploitus.com/exploit?id=7726086A-C6BC-53CF-A3CC-F836CFFC0419
# copyfail โ€” CVE-2026-31431

4-byte page-cache write primitive โ†’ corrupt any setuid binary โ†’ root
fork + exec + auto-restore  portable c poc

![demo](gif/wsl2.gif)

## usage

gcc -o copyfail copy_fail.c -lz
./copyfail
./copyfail /usr/bin/passwd

corrupts the target in kernel page cache, runs it, restores on exit

## how

authencesn(hmac(sha256)cbc(aes)) + AF_ALG + splice()
โ†’ controlled 4-byte write to any readable files page cache
authencesn's scratch write at dst[assoclen+cryptlen] hits page cache
recv() returns EBADMSG but the write stays
shellcode injected 4 bytes at a time into text, fork+exec triggers it

## affected

any linux kernel since 2017 (commit 72548b093ee3)
ubuntu debian rhel amazon linux suse arch fedora wsl2 etc
fixed by a664bf3d603d

## notes

- auto-detects wsl vs mainline kernel and adjusts ALG constants
- EBADMSG from recv is expected, hmac fails, write persists