## https://sploitus.com/exploit?id=88A795B5-0F6F-5501-801E-17F10D38884B
# CopyFail (CVE-2026-31431)
## Overview
**CopyFail** is a proof-of-concept exploit for CVE-2026-31431, targeting a memory corruption vulnerability in the Linux Kernel Crypto API (`AF_ALG`). The exploit leverages the `splice` system call to perform unauthorized page-cache patching of the `/usr/bin/su` binary, enabling a password-less escalation to root.
## Technical Analysis
### Root Cause
The vulnerability resides in the Linux kernel's handling of zero-copy data transfers between `AF_ALG` sockets and other file descriptors via `splice`. Due to improper synchronization or bounds checking in the `aead` implementation, data processed by the crypto engine can be written back into the source file's page cache.
### Exploit Methodology
1. **Memory Corruption Trigger**: The exploit initializes an `AF_ALG` socket and uses `sendmsg` to queue a malicious payload in the socket's internal buffers.
2. **Page-Cache Injection**: By invoking `splice` to transfer data from the `/usr/bin/su` binary into the `AF_ALG` socket, the vulnerability causes the socket's buffer contents to overwrite the binary's page cache in memory.
3. **Authentication Bypass**: The exploit replaces the authentication logic of `su` with a minimal ELF payload that spawns a root shell. Since the page cache is modified, subsequent executions of `su` run the attacker's code instead of the original binary.
## Features
- **Zero Dependencies**: Pure Go implementation using `RawSyscall` for all kernel interactions.
- **Page-Cache Patching**: Direct manipulation of the kernel's file cache via `AF_ALG`/`splice` interaction.
- **Minimal Footprint**: Optimized binary size with no standard library overhead (no `fmt` or `os` packages).
## Installation & Usage
### Build
Compile the exploit for the current architecture:
```bash
go build -ldflags="-s -w" -o CopyFail CVE-2026-31431.go
```
### Execution
Run the compiled binary:
```bash
./CopyFail
```
Upon successful execution, the `su` binary will be patched in memory and executed, granting a root shell.
## Proof of Concept (Kali Linux)
The following demonstration shows the exploit being compiled and executed on a standard Kali Linux installation.
```bash
# 1. Verify current unprivileged user
kali@kali:~$ whoami
kali
# 2. Compile the exploit
kali@kali:~$ go build -ldflags="-s -w" -o CopyFail CVE-2026-31431.go
# 3. Execute the CopyFail exploit
kali@kali:~$ ./CopyFail
[+] Triggering AF_ALG memory corruption...
[+] Patching /usr/bin/su in page-cache...
[+] Executing patched binary...
# 4. Success: Elevated to root shell
root@kali:/home/kali# id
uid=0(root) gid=0(root) groups=0(root)
root@kali:/home/kali# whoami
root
```
## Remediation
To mitigate this vulnerability, the following steps are recommended:
1. **Kernel Update**: Upgrade to a Linux kernel version that includes the fix for CVE-2026-31431.
2. **Disable AF_ALG**: If the Socket-based Crypto API is not required, disable the `af_alg` and related modules:
```bash
modprobe -r af_alg
```
3. **Monitor Splice**: Utilize security auditing tools (like `auditd`) to monitor for suspicious `splice` calls targeting sensitive system binaries.
## Security Considerations
โ ๏ธ **Warning**: This tool is for **authorized security research and educational purposes only**. Patching the page cache is a volatile operation and may cause system instability. The author assumes no liability for misuse.
## Credits
CVE-2026-31431 ("Copy Fail") was discovered and disclosed by the research team at **[Theori](https://xint.io/blog/copy-fail-linux-distributions)**.
## License
This project is licensed under the MIT [LICENSE](LICENSE).