## https://sploitus.com/exploit?id=A6FB2225-B9E1-587B-9B60-6EECB3B23632
# CVE-2026-31431 CopyFail
**CVE-2026-31431 POC**. A pure Rust implementation with no runtime dependencies.
**Applicable targets**: Linux x86_64 kernels where `CONFIG_CRYPTO_USER_API_AEAD=y` is enabled, and the `algif_aead` module is loadable.
**Usage**:
```bash
./CVE-2026-31431-copyfail-rs
```

### Principle
1. Open `/usr/bin/su` in read-only mode to obtain the file descriptor.
2. Unzip the embedded zlib payload.
3. Split the payload into 4-byte blocks and perform the following operations:
- Create an AF_ALG AEAD socket bound to `authencesn(hmac(sha256), cbc(aes))`.
- Set keys and AEAD parameters using `setsockopt` and cmsg auxiliary data.
- Call `sendmsg` with the `MSG_MORE` flag to send data blocks to the socket.
- Use `splice()` to copy the contents of `/usr/bin/su` through a pipe to the AF_ALG socket—triggering the CopyFail race condition in the kernel page copying path.
4. The race condition disrupts the kernel’s ability check mechanism, elevating the permissions of the current process.
5. Use `execvp` to call `su` to obtain a root shell.
> Note: This vulnerability disrupts the kernel’s ability check mechanism rather than modifying the uid field directly. Therefore, only setuid binaries (such as `su`) can grant true root privileges; ordinary commands cannot display root identity.
### Dependencies
- **Compilation**: `libc` + `flate2` (pure Rust zlib backend; no C compiler required).
- **Runtime**: None—linked via musl.
### Container Escape
Since containers and hosts share the same Linux kernel, CopyFail can be triggered within a container. Successful exploitation yields root credentials from the host kernel’s perspective, allowing bypass of namespace isolation using container escape techniques.
### File Structure
```
CVE-2026-31431-copyfail-rs/
├── Cargo.toml
├── build.sh
├── .cargo/
│ └── config.toml
├── src/main.rs
└── README.md
```
### Disclaimer
This tool is intended for security research and authorized testing purposes only. Obtain explicit written permission from the target system before use. Users must comply with local laws and regulations. The author assumes no responsibility for unauthorized, illegal, or unethical use. If vulnerabilities are discovered, follow responsible disclosure procedures and report them to vendors or relevant security organizations promptly.