Share
## https://sploitus.com/exploit?id=8AD3055F-1763-59E6-927E-C30C7EAE22D3
# CVE-2026-31431 (Copy Fail) - LPE Exploit PoC

![Python](https://img.shields.io/badge/Python-3.x-blue?style=flat-square)
![Vulnerability](https://img.shields.io/badge/Vulnerability-LPE-red?style=flat-square)
![Status](https://img.shields.io/badge/Status-Zero_Day-critical?style=flat-square)

This repository contains a Proof of Concept (PoC) exploit for **CVE-2026-31431** (dubbed "Copy Fail"), a critical Local Privilege Escalation (LPE) vulnerability in the Linux Kernel. 

**Research Note:** What makes this vulnerability special is that it was originally discovered in roughly an hour by an autonomous AI Agent, highlighting the next generation of automated vulnerability research.

## ๐Ÿง  Understanding the Bug

"Copy Fail" is an in-memory vulnerability that leverages a logic flaw in the Linux kernel's crypto API (`AF_ALG`) combined with the `splice()` system call. 

Instead of writing malicious files to the hard drive, this exploit directly targets the **Page Cache (RAM)** of an SUID binary (like `/usr/bin/su`). By forcing a decryption failure, the kernel inadvertently overwrites 4-bytes of the read-only memory pages mapped to the SUID binary. The script iterates this process to inject a root-spawning shellcode directly into the execution flow.

### The Forensics Nightmare
This exploit leaves **zero footprint on the disk**. The actual binary on the storage remains completely unmodified. Standard File Integrity Monitoring (FIM) tools calculating hashes (`sha256sum`) will show no changes, making it extremely difficult for Blue Teams to detect post-exploitation without memory analysis.

## ๐ŸŽฏ Vulnerable Systems

The exploit has been tested and confirmed to work on the following distributions and kernel versions:

| Distribution | OS Version | Vulnerable Kernel Version |
| :--- | :--- | :--- |
| **Ubuntu** | 24.04 LTS | `6.17.0-1007-aws` |
| **Amazon Linux** | 2023 | `6.18.8-9.213.amzn2023` |
| **RHEL** | 10.1 | `6.12.0-124.45.1.el10_1` |
| **SUSE** | 16 | `6.12.0-160000.9-default` |

*(Note: Most unpatched kernels from v4.14 to early 6.x are potentially vulnerable)*

## ๐Ÿš€ Step-by-Step Execution Guide

Follow these steps to test the exploit in your local isolated environment. **Do not run this as root; you must start as a standard unprivileged user.**

### Step 1: Clone the Repository
Clone the exploit code to your vulnerable target machine.
```bash
git clone https://github.com/Kalyani4114/linux-copy-fail-exploit.git
```
```bash
cd linux-copy-fail-exploit
```
### Step 2: Make the Script Executable
Grant execution permissions to the python script.
```bash
chmod +x copy_fail.py
```
### Step 3: Verify Current Privileges
Check your current user status to confirm you do not have root access.
```bash
id
whoami
```
### Step 4: Execute the Exploit
Run the python script. The script handles the memory poisoning and will automatically drop you into a root shell upon successful execution
```bash
python3 copy_fail.py
```
### Step 5: Verify Root Access
Once the script finishes, you should have a root prompt (#). Verify your new privileges.
```bash
id
whoami
```
### โš ๏ธ Disclaimer
This code is provided for educational, defensive, and research purposes only. Do not execute this script on production systems, cloud environments, or any network where you do not have explicit, written permission. The author is not responsible for any misuse or damage caused by this software.

---
### ๐Ÿ‘จโ€๐Ÿ’ป Author: Kalyani Ambade
[![LinkedIn](https://img.shields.io/badge/LinkedIn-%230077B5.svg?logo=linkedin&logoColor=white&style=for-the-badge)](https://www.linkedin.com/in/kalyani-ambade)