Share
## https://sploitus.com/exploit?id=9CD08C86-0362-5F12-99A2-6A9AA71E2B46
# CVE-2026-31431 "Copy Fail" โ Vulnerability Detection Script
Shell-based scanner for **CVE-2026-31431 "Copy Fail"**, a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem (`algif_aead` / AF_ALG interface). An unprivileged local user can write 4 bytes into the in-memory page cache of a setuid binary (e.g. `/usr/bin/su`) and obtain a root shell โ without touching the on-disk file.
- **CVSS:** 7.8 (HIGH)
- **Present in kernel since:** 2017 (4.14)
- **Upstream fix commit:** [`a664bf3d603d`](https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5)
- **CISA KEV:** added 1 May 2026
- **More info:** [copy.fail](https://copy.fail)
---
## Supported distributions
| Distribution | Release | Patched version |
|---|---|---|
| Debian | 11 Bullseye | `5.10.251-3` |
| Debian | 12 Bookworm | `6.1.170-1` |
| Debian | 13 Trixie | `6.12.85-1` |
| Debian | Sid / Forky | `6.19.14-1` |
| Ubuntu | 20.04 LTS Focal (GA) | `5.4.0-220.240` |
| Ubuntu | 20.04 LTS Focal (HWE) | `5.15.0-135.145~20.04.1` |
| Ubuntu | 22.04 LTS Jammy (GA) | `5.15.0-135.145` |
| Ubuntu | 22.04 LTS Jammy (HWE) | `6.8.0-61.63~22.04.1` |
| Ubuntu | 24.04 LTS Noble | `6.8.0-61.63` |
| Ubuntu | 24.10 Oracular | `6.11.0-27.27` |
| Ubuntu | 25.04 Plucky | `6.14.0-15.15` |
| Ubuntu | 25.10 Questing | mainline fix (โฅ 6.15) |
| Generic | any | mainline range check (4.14 โ 6.14 vulnerable) |
Ubuntu derivatives based on the above releases (Pop!_OS, Linux Mint, Elementary OS, etc.) are also detected via `ID_LIKE` in `/etc/os-release`.
---
## What it checks
| # | Check | Method |
|---|---|---|
| 1 | Kernel version | `uname -r` / `uname -v` / `dpkg` / `/proc/version_signature` |
| 2 | Patch presence | Debian build version, Ubuntu pkg version, commit prefix in `/proc/version` |
| 3 | `algif_aead` module | `/proc/modules`, `modprobe.d` blacklist, `.ko` on disk |
| 4 | AF_ALG socket | Live `socket(AF_ALG, โฆ)` attempt via Python 3 |
| 5 | Setuid binaries | Common setuid-root binaries as write targets |
| 6 | Mitigations | AppArmor, SELinux, seccomp status |
| 7 | Kernel config | `CONFIG_CRYPTO_AUTHENC`, `CONFIG_CRYPTO_USER_API_AEAD` |
| 8 | User namespaces | `unprivileged_userns_clone`, `max_user_namespaces` |
| 9 | Transparent hugepages | THP setting and effect on exploitation |
| 10 | Environment | Docker / Kubernetes / WSL detection, root warning |
---
## Usage
```bash
# Basic scan
bash cve-2026-31431-detect.sh
# No colour output (log files, CI)
bash cve-2026-31431-detect.sh --no-colour
# JSON output (machine-readable, for pipelines)
bash cve-2026-31431-detect.sh --json
# Quiet mode โ only print the summary
bash cve-2026-31431-detect.sh --quiet
# Combine flags
bash cve-2026-31431-detect.sh --json --quiet
```
No root required. No packages to install beyond a standard shell (`bash` โฅ 4.3) and optionally `python3` for the live AF_ALG socket test.
---
## Exit codes
| Code | Meaning |
|---|---|
| `0` | No vulnerable conditions found |
| `1` | One or more vulnerable conditions found |
| `2` | Script error / could not complete checks |
Designed for use in DevSecOps pipelines โ pipe the JSON output to your SIEM, ticketing system, or compliance dashboard.
---
## Output
The script prints results in two languages:
- **English** โ full detailed summary with status, risk breakdown, and step-by-step remediation
- **Hungarian (Magyar)** โ identical content in Hungarian
Both sections are printed to stdout after the per-check results.
### Example (clean system)
```
=== Kernel Version ===
[INFO] Distro flavour : ubuntu (id=ubuntu, codename=jammy, version=22.04)
[INFO] Kernel release : 5.15.0-135-generic
[OK] Kernel version
Reason : Ubuntu jammy: kernel 5.15.0-135.145 >= patched version 5.15.0-135.145
...
โ
PROTECTED โ SYSTEM IS NOT VULNERABLE
```
### Example (vulnerable system)
```
โ VULNERABLE โ IMMEDIATE ACTION REQUIRED
โ Kernel version
โ Patch presence
โ algif_aead module
โ AF_ALG socket
โ Setuid binaries
```
---
## Remediation
### Debian
```bash
sudo apt update && sudo apt full-upgrade && sudo reboot
# After reboot: uname -v โ must show >= 6.1.170-1 (Bookworm)
```
### Ubuntu
```bash
sudo apt update && sudo apt full-upgrade && sudo reboot
# After reboot: cat /proc/version_signature
```
### Temporary mitigation (if kernel update is not immediately possible)
Only effective when `CONFIG_CRYPTO_USER_API_AEAD=m` (built as module). **Has no effect** if the option is compiled in (`=y`).
```bash
echo 'install algif_aead /bin/false' | sudo tee /etc/modprobe.d/disable-algif-aead.conf
sudo rmmod algif_aead 2>/dev/null || true
```
This does **not** affect SSH, dm-crypt/LUKS, OpenSSL, GnuTLS, NSS, web servers, or disk encryption.
---
## Important notes
- This script does **not** execute any exploit code โ configuration and version checks only.
- Copy Fail is **local privilege escalation only** โ remote exploitation via the internet is not possible.
- The vulnerability modifies the **in-memory page cache**; on-disk files are never touched, so file-integrity tools (AIDE, Tripwire, etc.) will **not** detect an active attack.
- A reboot clears the page cache but the vulnerability remains โ **patching is the only permanent fix**.
- Running the script as root may produce false negatives on the AF_ALG socket check (root can always open AF_ALG sockets).
---
## References
- Debian Security Tracker: https://security-tracker.debian.org/tracker/CVE-2026-31431
- Ubuntu Security: https://ubuntu.com/security/CVE-2026-31431
- Ubuntu USN-7523-1: https://ubuntu.com/security/notices/USN-7523-1
- Upstream fix: https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
- Exploit details: https://copy.fail
- Original detection script: https://github.com/liamromanis101/CVE-2026-31431-Copy-Fail---Vulnerability-Detection-Script
---
## License
MIT