Share
## https://sploitus.com/exploit?id=A6433D74-0151-5A2F-AB0A-B19E54CB5F57
# Copy Fail - CVE-2026-31431

This repository provides a Go port of the public Copy Fail PoC and a reproducible build pipeline for multi architecture Linux binaries.

Copy Fail (CVE-2026-31431) is a Linux kernel logic flaw in `authencesn` that enables a deterministic 4 byte write into page cache data referenced through `AF_ALG` + `splice()`.

## Responsible Use

Use this project only in environments where you are explicitly authorized to test. Do not run this PoC against systems you do not own or have written permission to assess.

## Contents

- Overview
- Why It Matters
- Root Cause
- Trigger Path in authencesn
- How the Bug Became Reachable
- High Level Exploit Flow
- Fix Summary
- Remediation
- Disclosure Timeline
- How It Was Found
- Repository Layout
- Build Prerequisites
- Local Build
- Usage
- GitHub Actions
- Tested Distributions
- References

## Overview

According to the public disclosure, the vulnerable path allows an unprivileged local user to influence a 4 byte write primitive into page cache content of readable files under specific conditions.

The important operational property is that the in memory page cache copy can diverge from on disk bytes during runtime, which can make impact analysis not trivial for teams relying only on disk level integrity checks.

## Why It Matters

Copy Fail is notable because it was reported as:

- Deterministic (no race requirement in the described trigger path).
- Portable across major Linux distributions in testing.
- Compact in implementation, with no external payload builder dependency.
- Relevant beyond single process scope due to shared page cache behavior.

## Root Cause

At a high level, the issue sits at the intersection of three mechanics:

1. `AF_ALG` AEAD request handling.
2. `splice()` page cache backed data movement.
3. `authencesn` decryption scratch behavior.

In the vulnerable design, page cache backed segments can be linked into a request shape that later receives writes during algorithm processing, violating a key assumption that only intended destination regions are modified.

## Trigger Path in authencesn

In the documented path, `authencesn` uses destination side scratch operations around ESN layout handling and performs a write at an offset beyond the expected decrypt output contract.

When combined with the in place AEAD setup and chained scatterlist references, this write can land in page cache backed memory for attacker selected regions.

## How the Bug Became Reachable

The disclosure describes a multi commit evolution:

- `authencesn` behavior originated in earlier integration history.
- `AF_ALG` AEAD support introduced userspace reachability with `splice()` interaction.
- Later in place optimization in `algif_aead` combined source and destination flow in a way that made this intersection exploitable.

The key lesson is compositional risk: individually reasonable changes can become unsafe in combination.

## High Level Exploit Flow

The public write up and PoC describe this sequence:

1. Open and configure an `AF_ALG` AEAD socket for `authencesn(hmac(sha256),cbc(aes))`.
2. Supply crafted metadata and chunked data.
3. Use `splice()` to route page cache backed file data through the request path.
4. Trigger decrypt handling and repeat in controlled 4 byte steps.

This repository's Go implementation mirrors that public PoC logic for research and validation in authorized environments.

## Fix Summary

The reported fix reverts vulnerable in place AEAD operation in `algif_aead` to out of place behavior.

Conceptually:

- Before fix: source and destination could collapse into one writable chain for this path.
- After fix: source and destination remain separate, preventing page cache backed source segments from being used as writable destination regions in this flow.

## Remediation

- Patch kernels to versions containing the upstream fix.
- Roll out vendor kernel package updates across fleet and images.
- Consider temporary hardening controls (for example, policy restrictions on `AF_ALG` usage where operationally feasible).
- Validate remediation with runtime checks, not only disk checksum workflows.

## Disclosure Timeline

Based on the public write up:

| Date       | Event                                          |
|------------|------------------------------------------------|
| 2026-03-23 | Report submitted to Linux kernel security team |
| 2026-03-24 | Initial acknowledgment                         |
| 2026-03-25 | Patch discussion/review                        |
| 2026-04-01 | Fix committed to mainline                      |
| 2026-04-22 | CVE-2026-31431 assigned                        |
| 2026-04-29 | Public disclosure                              |

## How It Was Found

The published research credits human guided, AI assisted subsystem analysis focused on userspace reachable crypto code paths and scatterlist/page provenance under `splice()`.

## Repository Layout

- `main.go`: Go PoC port.
- `Makefile`: deterministic multi arch Linux build targets.
- `.github/workflows/build.yml`: CI build and release artifact workflow.

## Build Prerequisites

- Go 1.23+
- GNU Make

## Local Build

Build all Linux targets:

```bash
make clean build-linux
```

Build and generate checksums:

```bash
make clean checksums
```

Output binaries in `dist/`:

- `copy-fail-cve-2026-31431_linux_amd64`
- `copy-fail-cve-2026-31431_linux_arm64`
- `copy-fail-cve-2026-31431_linux_386`
- `copy-fail-cve-2026-31431_linux_armv7`
- `SHA256SUMS`

## Usage

Default run:

```bash
./copy-fail-cve-2026-31431_linux_amd64
```

Use a custom target path:

```bash
./copy-fail-cve-2026-31431_linux_amd64 -target /path/to/binary
```

Disable post run `su` execution:

```bash
./copy-fail-cve-2026-31431_linux_amd64 -spawn-su=false
```

Print build metadata:

```bash
./copy-fail-cve-2026-31431_linux_amd64 -version
```

## GitHub Actions

Workflow file: `.github/workflows/build.yml`

Triggers:

- Pull requests
- Push to `main`
- Tag push matching `v*`
- Manual `workflow_dispatch`

Behavior:

1. Builds all Linux binaries with checksums via `make clean checksums`.
2. Uploads CI artifacts named with ref + commit SHA.
3. Publishes release assets automatically for tags matching `v*`.

Suggested release flow:

```bash
git tag v1.0.0
git push origin v1.0.0
```

## Tested Distributions

| Distribution      | Kernel Version           |
|-------------------|--------------------------|
| Ubuntu 24.04 LTS  | 6.17.0-1007-aws          |
| Amazon Linux 2023 | 6.18.8-9.213.amzn2023    |
| RHEL 10.1         | 6.12.0-124.45.1.el10_1   |
| SUSE 16           | 6.12.0-160000.9-default  |

## References

- Original public article: https://xint.io/blog/copy-fail-linux-distributions
- CVE entry: CVE-2026-31431