Share
## https://sploitus.com/exploit?id=A2E3C3CF-852A-5BD0-B1DC-EF824BB1DF69
# Copy-Fail-CVE-2026-31431

A **proof-of-concept exploit reproduction** of the Linux kernel vulnerability **CVE-2026-31431**, also known as *Copy Fail*.

Credits to: [Copy Fail](https://copy.fail/)

## Affected Systems
* Linux kernel versions **4.14 and newer**
* Most major distributions released **from 2017 until patch deployment** (Ubuntu, Debian, Fedora, RHEL...)

## How This Differs from Original Exploit

#### Unminimized and Readable Code

* Original exploit code is compact
* This version is fully expanded

#### Backup and Restore Binaries
* Creates a **backup of the target binary (e.g., `/usr/bin/su`)**
* Verifies integrity via hashing
* Restores original state after execution (in case of success)

## Proof of Concept


  
  
  






```bash
git clone https://github.com/MohamedKarrab/Copy-Fail-CVE-2026-31431.git
cd Copy-Fail-CVE-2026-31431

# targets /usr/bin/su by default
python fail.py

# or any setuid-root (passwd, mount, chsh, sudo, pkexec...)
python fail.py /usr/bin/passwd
```

# Warning
In case of exploitation failure, the target binary may not be restored to its original state. Fix it by:

- Simply **reboot** the device. A reboot clears the page cache (the exploit does not modify the binary on disk).

- Alternatively, restore a clean `/usr/bin/su` (or the selected binary) from a trusted package.
**Debian / Ubuntu:**
```bash
sudo apt-get install --reinstall util-linux
```

**Fedora / RHEL:**
```bash
sudo dnf reinstall util-linux
```

**Arch:**
```bash
sudo pacman -S util-linux
```


## Technical Overview
This exploit abuses an AF_ALG AEAD implementation to write arbitrary 4-byte chunks into the kernel page cache of `/usr/bin/su` (a setuid-root binary).

- Uses unprivileged AF_ALG socket + crafted `sendmsg/splice` pairs to inject data into AES-CBC-HMAC processing    
- Exploits a scatter/gather boundary bug to make decrypted AAD bytes land inside the cached binary
- Corrupts the in-memory `.text` section of `/usr/bin/su` without touching disk

Finally, executing `/usr/bin/su` loads the poisoned page cache, running injected code as root due to setuid.

## Mitigation
- Update to patched kernel versions
- Block AF_ALG socket creation:
```sh
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
rmmod algif_aead 2>/dev/null
```

## Disclaimer
- This code is for **educational and testing purposes only**.
- Use only on systems **you own or have explicit permission** to test.
- I am **not responsible** for misuse or damages.


## References
- [NVD - CVE-2026-31431](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
- [Copy Fail: 732 Bytes to Root](https://xint.io/blog/copy-fail-linux-distributions)