## https://sploitus.com/exploit?id=90672A09-E1DF-5E56-87CD-C9FF912D14B7
# copy-fail
**CVE-2026-31431 (Copy Fail)** β a C language PoC, logic-aligned [theori-io/copy-fail-CVE-2026-31431](https://github.com/theori-io/copy-fail-CVE-2026-31431). This is an original Python exploit. **Only intended for authorized security research and experimental environments. Use it only on authorized systems.**
## **Principle Overview**
In Linuxβs `AF_ALG`, the `authencesn(hmac(sha256), cbc(aes))` function, under `splice` + AEAD pathways, can write 4 bytes from the AAD into the target fileβs page cache (disk content remains unchanged). The behavior of this exploit in this repository is consistent with the original:
1. Write 4 bytes of `/usr/bin/su` into the page cache, which is then decompressed as a tiny ELF by zlib.
2. Execute `su`; the tampered page cache loads a fake `su`, typically allowing access to the root shell without a password.
## **Directory Structure**
```
copy-fail/
β βββ include/
β βββ copy_fail.h
β βββ su_payload_zlib.h
β
β βββ src/
β βββ alg.c # AF_ALG / splice primitives
β βββ util.c # Pre-checking
β βββ test_main.c # Vulnerability detection
β βββ exploit_main.c # Privilege escalation
β
β βββ Makefile
β βββ README.md
β
```
## **Dependencies**
**Ubuntu / Debian:**
```bash
sudo apt install build-essential zlib1g-dev
```
## **Compilation**
```bash
cd copy-fail
make
```
**Output Files:**
| Output File | Description |
|------------|-------------|
| `bin/copy-fail-test` | Vulnerability detection (temporary sentinel file, does not modify system files) |
| `bin/copy-fail-exploit` | Privilege escalation (modifies `/usr/bin/su` page cache to execute `exec su`) |
### **Static Compilation (on older versions of glibc)**
After compiling on higher versions of the system, if `GLIBC_2.34` / `GLIBC_2.38 not found` is reported, perform the following on the **compiling machine**:
```bash
make static
```
Copy `bin/copy-fail-test` and `bin/copy-fail-exploit` to the target machine for execution. You can also execute `make` on the **target machine** (dynamic linking, smaller size).
## **Usage**
### **Detection**
```bash
./bin/copy-fail-test
echo $?
```
| Exit Code | Meaning |
|------------|-------------|
| 0 | No vulnerability detected / Conditions not met |
| 2 | Vulnerability detected |
| 1 | Error occurred during testing |
### **Privilege Escalation**
```bash
./bin/copy-fail-exploit
id
```
No output means the design is correct; success leads to access to the root shell. If failed, `echo $?` will usually return `1`.
## **Prerequisites**
- The kernel must support creating `AF_ALG` sockets.
- The `authencesn(hmac(sha256), cbc(aes))` algorithm must be able to be bound.
- Access to `/usr/bin/su` is required.
- `splice` must be able to write to the AF_ALG socket.
If the detector reports βcannot be instantiated (No such file or directory)β, perform the following commands:
```bash
grep -r algif_aead /etc/modprobe.d/
sudo modprobe algif_aead
grep authencesn /proc/crypto
```
Some distributions disable `algif_aead` through modprobe (e.g., Ubuntu USN mitigation). You need to disable it on a root-controlled experiment machine before testing again.
## **Cleanup**
After the privilege escalation test (in the root shell), you can clear the corrupted page cache:
```bash
echo 3 > /proc/sys/vm/drop_caches
```
Or restart the virtual machine.
## **References**
- [CVE-2026-31431](https://copy.fail/)
- [theori-io/copy-fail-CVE-2026-31431](https://github.com/theori-io/copy-fail-CVE-2026-31431)