Share
## https://sploitus.com/exploit?id=88A795B5-0F6F-5501-801E-17F10D38884B
# CopyFail (CVE-2026-31431)

## Overview
**CopyFail** is a proof-of-concept exploit for CVE-2026-31431, targeting a memory corruption vulnerability in the Linux Kernel Crypto API (`AF_ALG`). The exploit leverages the `splice` system call to perform unauthorized page-cache patching of the `/usr/bin/su` binary, enabling a password-less escalation to root.

## Technical Analysis

### Root Cause
The vulnerability resides in the Linux kernel's handling of zero-copy data transfers between `AF_ALG` sockets and other file descriptors via `splice`. Due to improper synchronization or bounds checking in the `aead` implementation, data processed by the crypto engine can be written back into the source file's page cache.

### Exploit Methodology
1.  **Memory Corruption Trigger**: The exploit initializes an `AF_ALG` socket and uses `sendmsg` to queue a malicious payload in the socket's internal buffers.
2.  **Page-Cache Injection**: By invoking `splice` to transfer data from the `/usr/bin/su` binary into the `AF_ALG` socket, the vulnerability causes the socket's buffer contents to overwrite the binary's page cache in memory.
3.  **Authentication Bypass**: The exploit replaces the authentication logic of `su` with a minimal ELF payload that spawns a root shell. Since the page cache is modified, subsequent executions of `su` run the attacker's code instead of the original binary.

## Features
- **Zero Dependencies**: Pure Go implementation using `RawSyscall` for all kernel interactions.
- **Page-Cache Patching**: Direct manipulation of the kernel's file cache via `AF_ALG`/`splice` interaction.
- **Minimal Footprint**: Optimized binary size with no standard library overhead (no `fmt` or `os` packages).

## Installation & Usage

### Build
Compile the exploit for the current architecture:
```bash
go build -ldflags="-s -w" -o CopyFail CVE-2026-31431.go
```

### Execution
Run the compiled binary:
```bash
./CopyFail
```

Upon successful execution, the `su` binary will be patched in memory and executed, granting a root shell.

## Proof of Concept (Kali Linux)
The following demonstration shows the exploit being compiled and executed on a standard Kali Linux installation.

```bash
# 1. Verify current unprivileged user
kali@kali:~$ whoami
kali

# 2. Compile the exploit
kali@kali:~$ go build -ldflags="-s -w" -o CopyFail CVE-2026-31431.go

# 3. Execute the CopyFail exploit
kali@kali:~$ ./CopyFail
[+] Triggering AF_ALG memory corruption...
[+] Patching /usr/bin/su in page-cache...
[+] Executing patched binary...

# 4. Success: Elevated to root shell
root@kali:/home/kali# id
uid=0(root) gid=0(root) groups=0(root)

root@kali:/home/kali# whoami
root
```

## Remediation
To mitigate this vulnerability, the following steps are recommended:
1.  **Kernel Update**: Upgrade to a Linux kernel version that includes the fix for CVE-2026-31431.
2.  **Disable AF_ALG**: If the Socket-based Crypto API is not required, disable the `af_alg` and related modules:
    ```bash
    modprobe -r af_alg
    ```
3.  **Monitor Splice**: Utilize security auditing tools (like `auditd`) to monitor for suspicious `splice` calls targeting sensitive system binaries.

## Security Considerations
โš ๏ธ **Warning**: This tool is for **authorized security research and educational purposes only**. Patching the page cache is a volatile operation and may cause system instability. The author assumes no liability for misuse.

## Credits
CVE-2026-31431 ("Copy Fail") was discovered and disclosed by the research team at **[Theori](https://xint.io/blog/copy-fail-linux-distributions)**.

## License
This project is licensed under the MIT [LICENSE](LICENSE).