## https://sploitus.com/exploit?id=AD4D2718-3849-56E8-977A-EC52FD0E1AD0
# CVE-2026-31431 โ Live Code Corruption via Page Cache
A novel exploitation technique for CVE-2026-31431 ("Copy Fail") that corrupts **executable code** of running processes through the Linux kernel's page cache, achieving root privilege escalation.
## What's Different
All published exploits for this CVE corrupt **data files** โ modifying `/etc/passwd` to change root's UID, or patching setuid binaries on disk. This exploit does something fundamentally different: it corrupts **live executable code** in memory through the kernel's page cache mechanism.
| | Published exploits | This exploit |
|---|---|---|
| **Target** | Data files (`/etc/passwd`, `/usr/bin/su`) | Executable code (libc `.text` section) |
| **Mechanism** | File content parsed by programs | Code pages directly executed by CPU |
| **Scope** | Single file | ALL processes mapping libc |
| **Disk change** | Yes (file content modified) | No (only page cache in memory) |
| **Detection** | File integrity monitoring | Invisible to filesystem checks |
## How It Works
### The Page Cache Insight
When Linux maps a shared library with `MAP_PRIVATE`, it doesn't immediately copy the file pages. Instead, the process's page table entries point directly to the **page cache** physical pages. The copy only happens on write (copy-on-write). For code pages (`.text`), processes never write to them โ so they remain shared with page cache **forever**.
```
Process A (bash) Process B (su) Page Cache (libc)
โโโโโโโโ โโโโโโโโ โโโโโโโโโโโโ
โ PTE โโโโโโโโโโโโ>โ โ โ exit(): โ
โ โ โ PTE โโโโโโโโโโโโ>โ endbr64 โ
โโโโโโโโ โโโโโโโโ โ push rax โ
MAP_PRIVATE MAP_PRIVATE โ ... โ
(clean page) (clean page) โโโโโโโโโโโโ
โ
Copy Fail writes here!
```
CVE-2026-31431 gives us a controlled 4-byte write to any readable file's page cache. By corrupting libc's code pages, we modify the instructions that **every process** executes.
### The Exploit
1. **Write shellcode** (39 bytes) to the `on_exit()` function location in libc's page cache โ 10 writes of 4 bytes each
2. **Patch `exit()`** to jump to our shellcode โ 1 write of 4 bytes
3. **Trigger**: any program that calls `exit()` (virtually every program) executes our shellcode
The shellcode performs `setuid(0)` โ `setgid(0)` โ `execve("/bin/sh")`, giving a root shell.
## CVE-2026-31431 Overview
- **Bug**: Logic error in `crypto/algif_aead.c` โ the 2017 in-place optimization (`72548b093ee3`) allows `splice()` to feed page cache pages into AEAD decrypt. The `authencesn` algorithm's ESN rearrangement writes 4 scratch bytes back to the source scatterlist, corrupting the spliced file's page cache.
- **Primitive**: Deterministic 4-byte write to any readable file's page cache
- **Requirements**: None โ AF_ALG sockets available to unprivileged users
- **Fix**: Copy to out-of-place buffer before crypto operation (kernel 6.12.85+, 6.15+)
## Usage
```bash
# Compile
gcc -o exploit exploit.c
# Run as unprivileged user
./exploit /lib/x86_64-linux-gnu/libc-2.31.so
# Trigger โ run any program (it calls exit())
su -c id
# uid=0(root) gid=0(root) groups=0(root)
```
## Tested On
- **Kernel**: 6.12.79 (Ubuntu/Debian, before fix in 6.12.85)
- **glibc**: 2.31-0ubuntu9.7
- **Result**: Full root shell, verified by kernel log: `process 'id' launched '/bin/sh'`
## Files
- [`exploit.c`](exploit.c) โ Full exploit with shellcode injection
- [`copyfail_test.c`](copyfail_test.c) โ Primitive verification (tests 4-byte write)
## Timeline
- **2017**: In-place optimization introduced (`72548b093ee3`)
- **2026-04-29**: CVE-2026-31431 disclosed
- **2026-04-30**: Fix released in kernel 6.12.85
- **2026-05-06**: This exploit developed (novel live code corruption technique)
## References
- [NVD โ CVE-2026-31431](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
- [Fix commit](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603d)
- [Copy Fail analysis (Xint)](https://xint.io/blog/copy-fail-linux-distributions)
## Disclaimer
This tool is provided for authorized security research and educational purposes only. Do not use against systems you do not own or have explicit permission to test.