Share
## https://sploitus.com/exploit?id=A06A4A4A-B08D-5275-9E1A-4F9E92A2D5A9
# CVE-2026-31431 "Copy Fail" โ€” XCP-ng Laboratory Detector

A safe, non-destructive detector script for CVE-2026-31431 ("Copy Fail"), validated against **XCP-ng 8.3 LTS** prior to the May 5, 2026 security update.

> โš ๏ธ **Authorized use only.** Run this script exclusively on systems you own or are explicitly authorized to test.

---

## Background

CVE-2026-31431, dubbed "Copy Fail", is a local privilege escalation (LPE) vulnerability in the Linux kernel's `algif_aead` cryptographic interface. A logic flaw in the `authencesn` template โ€” introduced in 2017 โ€” allows an unprivileged local user to perform a controlled 4-byte write into the kernel's page cache of any readable file, enabling privilege escalation to root.

- **CVSS 3.1:** 7.8 (High)
- **Affected kernels:** 4.14 through 6.18.21, 6.19.x before 6.19.12
- **Introduced:** Linux kernel 4.14 (2017)
- **Disclosed:** April 29, 2026 by Taeyang Lee / Theori (Xint Code)
- **Upstream fix:** commit `a664bf3d603d` by Herbert Xu

### Why It Matters for XCP-ng

XCP-ng's Dom0 control domain runs on a Linux kernel and is the hypervisor management layer. Any unprivileged user with shell access to Dom0 โ€” including service accounts created for CI/CD pipelines, monitoring agents, backup tools, or automation โ€” can exploit this vulnerability to gain root. From root in Dom0, all guest VMs on that host are compromised.

A default XCP-ng installation has minimal exposure as very few processes run as non-root users. The real risk accumulates over time as operators add service accounts for legitimate purposes without restricting shell access.

Audit your Dom0 service accounts:
```bash
awk -F: '$7 ~ /bash|sh/' /etc/passwd
```

---

## What This Script Does

This is a **laboratory detector**, not a privilege escalation tool. It:

- Creates a temporary sentinel file owned by the running user in a temp directory
- Attempts to trigger the `algif_aead` / `authencesn` page-cache scratch-write primitive against that file
- Reports whether page cache corruption was detected (confirming vulnerability)
- Cleans up all temporary files on exit

**System binaries, `/etc/passwd`, and other system files are never touched.** Page cache corruption is in-memory only โ€” nothing is written back to disk.

---

## Requirements

- Python 3.10+ (required for `os.splice`)
- Standard library only โ€” no pip installs needed
- Non-root user shell on a Dom0 running a vulnerable kernel

---

## Usage

```bash
python3 xcp_ng_cve_2026_31431_tester.py
```

### Exit Codes

| Code | Meaning |
|------|---------|
| `0` | No corruption observed โ€” system is likely patched or `algif_aead` is disabled |
| `1` | Trigger error โ€” `algif_aead` may be unavailable or blocked |
| `2` | **Vulnerable** โ€” page cache corruption confirmed |

> **Note:** Exit code `1` on a patched system is expected behavior, not a script error. If `authencesn` has been disabled at the kernel level (as in the XCP-ng May 5 fix), the socket bind will fail and the script will exit with code `1`.

---

## XCP-ng Patch Status

| Date | Event |
|------|-------|
| April 29, 2026 | CVE-2026-31431 publicly disclosed |
| May 4, 2026 | VATES publishes VSA-2026-013 |
| May 5, 2026 | XCP-ng 8.3 LTS May security update released โ€” kernel fix available |

### Applying the Fix

Update your XCP-ng hosts and reboot:

```bash
yum update
reboot
```

After reboot, verify the updated kernel is running:

```bash
uname -r
```

Re-run this detector script after patching. A patched system will return exit code `1` (trigger error) as the vulnerable `authencesn` template is no longer available.

> **Note:** The XCP-ng fix disables IPSec ESN support as a consequence of removing the vulnerable `authencesn` component. For most environments this has no practical impact. VATES has indicated a future patch may restore this functionality with a proper fix.

---

## Checking Kernel Configuration

Before applying mitigations, confirm whether `algif_aead` is compiled as a module (`=m`) or built into the kernel (`=y`):

```bash
grep CONFIG_CRYPTO_USER_API_AEAD /boot/config-$(uname -r)
```

- `=m` โ€” Module-based; modprobe blacklist will work
- `=y` โ€” Built into kernel; modprobe blacklist will **silently fail** and provide no protection

For RHEL-family kernels with `=y`, use the grubby boot parameter instead:

```bash
grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
reboot
```

---

## References

- [VSA-2026-013 โ€” VATES Security Advisory](https://docs.vates.tech/security/advisories/2026/vates-sa-2026-013)
- [XCP-ng May 2026 Security Update](https://xcp-ng.org/blog/2026/05/05/april-2026-security-and-maintenance-updates-for-xcp-ng-8-3-lts-2/)
- [Copy Fail โ€” Xint/Theori Technical Write-up](https://xint.io/blog/copy-fail-linux-distributions)
- [copy.fail โ€” Official Disclosure Page](https://copy.fail)
- [CVE-2026-31431 โ€” NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
- [Upstream Kernel Fix โ€” commit a664bf3d603d](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603d)
- [Original detector by rootsecdev](https://github.com/rootsecdev/cve_2026_31431/blob/main/test_cve_2026_31431.py)

---

## Credits

- **Vulnerability discovery:** Taeyang Lee / Theori (Xint Code)
- **Upstream kernel fix:** Herbert Xu
- **Original detector script:** [rootsecdev](https://github.com/rootsecdev/cve_2026_31431)
- **XCP-ng adaptation and validation:** Rod (this repo)

---

## License

This script is a modified derivative of rootsecdev's original work. Please verify the license of the upstream repository before redistribution and ensure your use complies with its terms.

---

> This script was validated on XCP-ng 8.3 LTS running an unpatched kernel as of May 5, 2026. Apply the official VATES security update immediately if you have not done so.