Share
## https://sploitus.com/exploit?id=9CD08C86-0362-5F12-99A2-6A9AA71E2B46
# CVE-2026-31431 "Copy Fail" โ€” Vulnerability Detection Script

Shell-based scanner for **CVE-2026-31431 "Copy Fail"**, a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem (`algif_aead` / AF_ALG interface). An unprivileged local user can write 4 bytes into the in-memory page cache of a setuid binary (e.g. `/usr/bin/su`) and obtain a root shell โ€” without touching the on-disk file.

- **CVSS:** 7.8 (HIGH)
- **Present in kernel since:** 2017 (4.14)
- **Upstream fix commit:** [`a664bf3d603d`](https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5)
- **CISA KEV:** added 1 May 2026
- **More info:** [copy.fail](https://copy.fail)

---

## Supported distributions

| Distribution | Release | Patched version |
|---|---|---|
| Debian | 11 Bullseye | `5.10.251-3` |
| Debian | 12 Bookworm | `6.1.170-1` |
| Debian | 13 Trixie | `6.12.85-1` |
| Debian | Sid / Forky | `6.19.14-1` |
| Ubuntu | 20.04 LTS Focal (GA) | `5.4.0-220.240` |
| Ubuntu | 20.04 LTS Focal (HWE) | `5.15.0-135.145~20.04.1` |
| Ubuntu | 22.04 LTS Jammy (GA) | `5.15.0-135.145` |
| Ubuntu | 22.04 LTS Jammy (HWE) | `6.8.0-61.63~22.04.1` |
| Ubuntu | 24.04 LTS Noble | `6.8.0-61.63` |
| Ubuntu | 24.10 Oracular | `6.11.0-27.27` |
| Ubuntu | 25.04 Plucky | `6.14.0-15.15` |
| Ubuntu | 25.10 Questing | mainline fix (โ‰ฅ 6.15) |
| Generic | any | mainline range check (4.14 โ€“ 6.14 vulnerable) |

Ubuntu derivatives based on the above releases (Pop!_OS, Linux Mint, Elementary OS, etc.) are also detected via `ID_LIKE` in `/etc/os-release`.

---

## What it checks

| # | Check | Method |
|---|---|---|
| 1 | Kernel version | `uname -r` / `uname -v` / `dpkg` / `/proc/version_signature` |
| 2 | Patch presence | Debian build version, Ubuntu pkg version, commit prefix in `/proc/version` |
| 3 | `algif_aead` module | `/proc/modules`, `modprobe.d` blacklist, `.ko` on disk |
| 4 | AF_ALG socket | Live `socket(AF_ALG, โ€ฆ)` attempt via Python 3 |
| 5 | Setuid binaries | Common setuid-root binaries as write targets |
| 6 | Mitigations | AppArmor, SELinux, seccomp status |
| 7 | Kernel config | `CONFIG_CRYPTO_AUTHENC`, `CONFIG_CRYPTO_USER_API_AEAD` |
| 8 | User namespaces | `unprivileged_userns_clone`, `max_user_namespaces` |
| 9 | Transparent hugepages | THP setting and effect on exploitation |
| 10 | Environment | Docker / Kubernetes / WSL detection, root warning |

---

## Usage

```bash
# Basic scan
bash cve-2026-31431-detect.sh

# No colour output (log files, CI)
bash cve-2026-31431-detect.sh --no-colour

# JSON output (machine-readable, for pipelines)
bash cve-2026-31431-detect.sh --json

# Quiet mode โ€” only print the summary
bash cve-2026-31431-detect.sh --quiet

# Combine flags
bash cve-2026-31431-detect.sh --json --quiet
```

No root required. No packages to install beyond a standard shell (`bash` โ‰ฅ 4.3) and optionally `python3` for the live AF_ALG socket test.

---

## Exit codes

| Code | Meaning |
|---|---|
| `0` | No vulnerable conditions found |
| `1` | One or more vulnerable conditions found |
| `2` | Script error / could not complete checks |

Designed for use in DevSecOps pipelines โ€” pipe the JSON output to your SIEM, ticketing system, or compliance dashboard.

---

## Output

The script prints results in two languages:

- **English** โ€” full detailed summary with status, risk breakdown, and step-by-step remediation
- **Hungarian (Magyar)** โ€” identical content in Hungarian

Both sections are printed to stdout after the per-check results.

### Example (clean system)

```
=== Kernel Version ===
  [INFO] Distro flavour : ubuntu (id=ubuntu, codename=jammy, version=22.04)
  [INFO] Kernel release : 5.15.0-135-generic
  [OK] Kernel version
       Reason : Ubuntu jammy: kernel 5.15.0-135.145 >= patched version 5.15.0-135.145

...

  โœ… PROTECTED โ€” SYSTEM IS NOT VULNERABLE
```

### Example (vulnerable system)

```
  โŒ VULNERABLE โ€” IMMEDIATE ACTION REQUIRED

  โœ— Kernel version
  โœ— Patch presence
  โœ— algif_aead module
  โœ— AF_ALG socket
  โœ— Setuid binaries
```

---

## Remediation

### Debian

```bash
sudo apt update && sudo apt full-upgrade && sudo reboot
# After reboot: uname -v  โ†’  must show >= 6.1.170-1 (Bookworm)
```

### Ubuntu

```bash
sudo apt update && sudo apt full-upgrade && sudo reboot
# After reboot: cat /proc/version_signature
```

### Temporary mitigation (if kernel update is not immediately possible)

Only effective when `CONFIG_CRYPTO_USER_API_AEAD=m` (built as module). **Has no effect** if the option is compiled in (`=y`).

```bash
echo 'install algif_aead /bin/false' | sudo tee /etc/modprobe.d/disable-algif-aead.conf
sudo rmmod algif_aead 2>/dev/null || true
```

This does **not** affect SSH, dm-crypt/LUKS, OpenSSL, GnuTLS, NSS, web servers, or disk encryption.

---

## Important notes

- This script does **not** execute any exploit code โ€” configuration and version checks only.
- Copy Fail is **local privilege escalation only** โ€” remote exploitation via the internet is not possible.
- The vulnerability modifies the **in-memory page cache**; on-disk files are never touched, so file-integrity tools (AIDE, Tripwire, etc.) will **not** detect an active attack.
- A reboot clears the page cache but the vulnerability remains โ€” **patching is the only permanent fix**.
- Running the script as root may produce false negatives on the AF_ALG socket check (root can always open AF_ALG sockets).

---

## References

- Debian Security Tracker: https://security-tracker.debian.org/tracker/CVE-2026-31431
- Ubuntu Security: https://ubuntu.com/security/CVE-2026-31431
- Ubuntu USN-7523-1: https://ubuntu.com/security/notices/USN-7523-1
- Upstream fix: https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
- Exploit details: https://copy.fail
- Original detection script: https://github.com/liamromanis101/CVE-2026-31431-Copy-Fail---Vulnerability-Detection-Script

---

## License

MIT