## https://sploitus.com/exploit?id=7CD0E212-4B9C-53BC-ABEE-28D11C7D9167
# CVE-2026-31431
## WARNING
These PoCs are **runtime-destructive**.
They overwrite the live **page-cache view** of privileged targets such as:
- `su`
- PAM configuration files
- any file passed into `patch` mode
This is usually not a normal persistent on-disk edit, but it **does change runtime behavior** and can affect authentication / privilege flow immediately.
This repository does **not** provide a fully non-destructive **root** mode.
---
## Files
- `copyfail_raw_su_root.c`
- `copyfail_portable_lpe.c`
Both are **Linux-only**.
---
## Default behavior
For `copyfail_portable_lpe.c`, running:
```bash
./copyfail_portable_lpe
```
uses **`auto-revert` by default**.
That means it will try the **recoverable workflow first**:
1. patch the target
2. gain root
3. attempt to revert the patched target
4. then hand off to a root shell
If recoverable mode fails, the program prints fallback mode hints.
---
## copyfail_raw_su_root.c
Minimal raw variant:
- directly patches `su`
- immediately executes the target `su`
- minimal logic
### Architecture
- **x86_64 Linux only**
### Build
```bash
gcc -O2 -s copyfail_raw_su_root.c -o copyfail_raw_su_root
```
### Run
```bash
./copyfail_raw_su_root
```
---
## copyfail_portable_lpe.c
General variant with multiple modes.
### Modes
#### auto
Explicit non-reverting mode:
```bash
./copyfail_portable_lpe auto
```
#### auto-revert
Recoverable-first mode:
```bash
./copyfail_portable_lpe
./copyfail_portable_lpe auto-revert
```
#### helper
Drop a SUID bash helper without revert:
```bash
./copyfail_portable_lpe helper ./.rootsh
```
#### helper-revert
Drop a helper, then attempt to restore patched targets:
```bash
./copyfail_portable_lpe helper-revert ./.rootsh
```
#### patch
Same-length string replacement on a chosen file:
```bash
./copyfail_portable_lpe patch
```
#### raw-su-elf
Raw `su` patch path:
```bash
./copyfail_portable_lpe raw-su-elf
```
### Recoverable logic
`auto-revert` and `helper-revert` are still **destructive during exploitation**.
They are only "recoverable" in the sense that they:
1. patch the live runtime target
2. use the patched state to obtain root
3. attempt to restore the patched target before handing off control
So this is **destructive-then-revert**, not truly non-destructive.
### Architecture
- `auto` / `auto-revert` / `helper` / `helper-revert` / `patch`: Linux-oriented, less tightly coupled to CPU architecture when compiled on-target
- `raw-su-elf`: **x86_64 Linux only**
### Build
```bash
gcc -O2 -s copyfail_portable_lpe.c -o copyfail_portable_lpe
```